Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPSec Transport Mode

Quick question:

here is the scenario:

Site-to-site VPN between 2 routers.

Routers separated by public Internet.

RFC 1918 addresses on source and destination networks.

Question:

If in transport mode, IPSec does not encrypt the original IP header, but instead leaves it exposed for routing purposes, is it then true that you cant run IPSec transport mode when you have private address on both ends? You cant route private addresses over the public Internet, of course...hence, my question.

In tunnel mode, the original IP packet is totally encapsulated by an IPSec packet and the IPSec tunnel endpoints are the address that are exposed and used for routing the user traffic. So, of course, tunnel mode is perfectly acceptable.

2 REPLIES
Bronze

Re: IPSec Transport Mode

When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header. Typical IP payloads are TCP segments (containing a TCP header and TCP segment data), a UDP message (containing a UDP header and UDP message data), and an ICMP message (containing an ICMP header and ICMP message data).

http://technet2.microsoft.com/windowsserver/en/library/c3a956bf-704b-4980-9655-762985e380f61033.mspx?mfr=true

The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications.

Hall of Fame Super Silver

Re: IPSec Transport Mode

Melvin

It would help if we knew a bit more about your environment. Would I be correct in assuming that when you say there are RFC 1918 addresses on the source and destination network that this means the networks on the inside interfaces of the routers? Another question is what is on the outside (Internet facing) interfaces? If there are public addresses on the outside interfaces then there is an opportunity to run IPSec with GRE where IPSec runs in transport mode and the GRE tunnels are terminated on the outside interfaces. In this implementation the addresses that the Internet sees are the outside interface addresses used by GRE and not the RFC 1918 addresses of the original packet.

HTH

Rick

616
Views
0
Helpful
2
Replies