Cisco Support Community

New Member

GET VPN in transport mode

All,

I am about to implement GET VPN, and I read the following on Cisco's website:

IPsec transport mode suffers from fragmentation and reassembly limitations and must not be used in deployments where encrypted or clear packets might require fragmentation.

I just do not understand why transport mode suffers from fragmentation and reassembly limitations when it has less overhead than tunnel mode.

1 REPLY
New Member

Re: GET VPN in transport mode

Hi,

The reason is the lack of an additional IP encapsulation header in transport mode. When a cleartext IP packet is fragmented prior to IPsec encapsulation and then fragmented en route once again, two headers are required to properly maintain the double fragmentation.

When using IPsec transport mode, this is impossible because only one IP header is used. You need to use another tunneling layer inside IPsec - e.g. GRE or IPIP, as DMVPN does - or use IPsec tunnel mode (effectively the same, but native to IPsec).

HTH
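
A simplified Python model of the point made in the reply, added here and not part of the thread (the names `deliver`, `transport_encap`, `tunnel_encap` and the `<ESP>` framing markers are my own stand-ins, and header sizes are ignored): a cleartext packet is fragmented, each fragment is ESP-encapsulated, and the ESP overhead forces a second fragmentation en route. In transport mode both fragmentation rounds share the single IP identification, so the receiver's reassembly collides; in tunnel mode the fresh outer header carries the second round separately, and the inner header still reassembles the first.

```python
# Added toy model (not from the thread): IPv4 fragmentation + ESP, header sizes ignored.
from __future__ import annotations
from dataclasses import dataclass
from itertools import count

@dataclass
class IP:
    ident: int    # identification field shared by all fragments of one packet
    offset: int   # fragment offset in bytes (real IPv4 counts 8-byte units)
    mf: bool      # more-fragments flag
    data: bytes
def fragment(p: IP, mtu: int) -> list[IP]:  # re-fragmenting keeps ident, advances offset
    chunks = [p.data[i:i + mtu] for i in range(0, len(p.data), mtu)]
    return [IP(p.ident, p.offset + i * mtu, i < len(chunks) - 1 or p.mf, c)
            for i, c in enumerate(chunks)]
def reassemble(frags: list[IP]) -> bytes | None:
    out = b""
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset != len(out):
            return None       # hole or overlap: receiver cannot place this fragment
        out += f.data
    return out
ESP_HDR, ESP_TRL = b"<ESP>", b"</ESP>"   # stand-in for ESP framing and encryption
def esp_unwrap(blob: bytes | None) -> bytes | None:
    ok = blob and blob.startswith(ESP_HDR) and blob.endswith(ESP_TRL) and blob.count(ESP_HDR) == 1
    return blob[len(ESP_HDR):-len(ESP_TRL)] if ok else None
outer_ids = count(1000)
def transport_encap(f: IP) -> IP:   # one header: ident/offset/mf are reused unchanged
    return IP(f.ident, f.offset, f.mf, ESP_HDR + f.data + ESP_TRL)
def tunnel_encap(f: IP) -> IP:      # fresh outer header; the original header rides inside
    inner = f"{f.ident},{f.offset},{int(f.mf)}|".encode() + f.data
    return IP(next(outer_ids), 0, False, ESP_HDR + inner + ESP_TRL)

def deliver(mode: str, payload: bytes = b"A" * 2000, mtu: int = 1480) -> bytes | None:
    # Sender: fragment cleartext, encrypt each piece; ESP overhead forces re-fragmentation.
    encap = transport_encap if mode == "transport" else tunnel_encap
    wire = [g for f in fragment(IP(7, 0, False, payload), mtu) for g in fragment(encap(f), mtu)]
    by_id, inner = {}, []              # receiver: group by ident, reassemble, decrypt
    for g in wire:
        by_id.setdefault(g.ident, []).append(g)
    for frags in by_id.values():
        clear = esp_unwrap(reassemble(frags))
        if clear is None:
            return None       # mixed or broken ESP unit: decryption impossible
        if mode == "transport":
            return clear      # the one original header: nothing further to rebuild
        hdr, data = clear.split(b"|", 1)
        ident, off, mf = hdr.decode().split(",")
        inner.append(IP(int(ident), int(off), mf == "1", data))
    return reassemble(inner)
```

With a 2000-byte payload and a 1480-byte MTU, `deliver("transport")` yields None (the re-fragmented pieces of two different ESP units overlap under one identification) while `deliver("tunnel")` returns the original payload; a payload that fits the MTU is delivered in both modes.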
