Cisco Support Community
Community Member

IPSec Transport Mode

Quick question:

here is the scenario:

Site-to-site VPN between 2 routers.

Routers separated by public Internet.

RFC 1918 addresses on source and destination networks.


If in transport mode, IPSec does not encrypt the original IP header, but instead leaves it exposed for routing purposes, is it then true that you can't run IPSec transport mode when you have private addresses on both ends? You can't route private addresses over the public Internet, of course...hence, my question.

In tunnel mode, the original IP packet is totally encapsulated by an IPSec packet and the IPSec tunnel endpoints are the addresses that are exposed and used for routing the user traffic. So, of course, tunnel mode is perfectly acceptable.


Re: IPSec Transport Mode

When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header. Typical IP payloads are TCP segments (containing a TCP header and TCP segment data), a UDP message (containing a UDP header and UDP message data), and an ICMP message (containing an ICMP header and ICMP message data).

The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications.

Hall of Fame Super Gold

Re: IPSec Transport Mode


It would help if we knew a bit more about your environment. Would I be correct in assuming that when you say there are RFC 1918 addresses on the source and destination network, this means the networks on the inside interfaces of the routers? Another question is what is on the outside (Internet-facing) interfaces? If there are public addresses on the outside interfaces then there is an opportunity to run IPSec with GRE where IPSec runs in transport mode and the GRE tunnels are terminated on the outside interfaces. In this implementation the addresses that the Internet sees are the outside interface addresses used by GRE and not the RFC 1918 addresses of the original packet.
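As an added example, not from the original thread, here is a minimal Cisco IOS configuration for one router in the GRE-over-IPsec design the reply above describes: IPsec in transport mode protecting a GRE tunnel that is sourced and terminated on the public outside interfaces, so only the public addresses appear on the Internet while the RFC 1918 packets ride inside GRE. The interface names, addresses, tunnel name, the key placeholder and the absence of NAT between the two outside interfaces are all assumptions; the peer is configured symmetrically.

```cisco
! --- IKE phase 1 (assumed parameters; peer outside address 203.0.113.2) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! --- IPsec transform set in TRANSPORT mode: only the GRE payload is
!     encrypted; the outer IP header (public outside addresses) stays clear ---
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! --- Outside (Internet-facing) interface carries the public address that
!     the Internet actually sees and routes ---
interface GigabitEthernet0/0
 description Outside - public address, GRE/IPsec endpoint
 ip address 198.51.100.1 255.255.255.252
!
! --- Inside interface: the RFC 1918 LAN that never appears on the wire ---
interface GigabitEthernet0/1
 description Inside - RFC 1918 LAN
 ip address 192.168.1.1 255.255.255.0
!
! --- GRE tunnel between the two OUTSIDE addresses, protected by IPsec.
!     The private packet becomes: [public IP][ESP][GRE][private IP][payload] ---
interface Tunnel0
 description GRE over IPsec (transport mode) to remote site
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
! --- Route the remote RFC 1918 network into the tunnel, not to the Internet ---
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

To confirm the mode and the exposed endpoints once the tunnel is up, `show crypto ipsec sa` should report `in use settings ={Transport, }` with `local ident`/`remote ident` set to the two public addresses, and `show crypto isakmp sa` should show the peer state as `QM_IDLE`.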


