Solved: Why do we have Single Hop between Ipsec Peers?

keshavnow · ‎04-02-2008

Why do we have Single Hop between Ipsec Peers?

What is the concept behind this?

Physically the data is transmitted through various routers or hop reaching the destination peer

But while tracing we can see only 1 hop

Why it so?

Regards,

Kesavamurthy Palani

Jon Marshall · ‎04-02-2008

Yes, you've got it.

Jon

View solution in original post

Jon Marshall · ‎04-02-2008

Because it is a tunnel so your traceroute packet is encapsulated within another packet ie.

Host1 -> VPN1 -> R1 -> R2 -> R3 -> VPN2 -> Host2

Host1 traceroutes to Host2.

When the packet reaches VPN1 the original traceroute packet is encapsulated within another packet with a source of VPN1 and a destination of VPN2. The packet is now an IPSEC packet. The original traceroute packet is there but it is not visible for all the R router in the above topology.

Hope this makes sense

Jon

keshavnow · ‎04-02-2008

Thanks !! Jon

I got it!

Other Question :

--------------------

Still the packets leaving VPN1 after IPsec encapsulation will pass through R1->R2-->R3

here.

So basically if we use tunnel - virtually the data is transmitting with single hop but IPsec Packets will go Physically to all routers-with fragmentation and Reassembly due to MTU of the medium along the path,

But trace doesn't show this - as it is encapsulated inside the IPsec Packet

Am i right?

Regards,

Kesavamurthy Palani

Jon Marshall · ‎04-02-2008

Yes, you've got it.

Jon