Cisco Support Community

New Member

IPsec in transport mode !

Hi all, I was testing site-to-site VPN. My diagram is simple. I am testing it on GNS3 to observe the traffic via Wireshark.

R1 is connected to R2 over Fa0/0. R1 has a loopback and R2 has a loopback. Traffic needs to be encrypted when sending any IP packet to and vice versa. The configuration is the standard site-to-site VPN configuration except for this

crypto ipsec transform-set aset esp-des esp-md5-hmac
 mode transport

at both ends.

Now the issue is, the VPN is forming correctly, but when I check the debugs and show crypto ipsec sa, I am still seeing the mode to be Tunnel! In Wireshark I can see that when I send a ping like this

R1#ping source


I am seeing the source and destination IPs to be and respectively. Why is this so? Two questions arise here:

1) Why are both ends negotiating tunnel mode instead of transport mode?

2) Why am I not seeing the original IP header (which again comes back to question 1 above)?

I am really confused here. Did I misunderstand transport mode?


Re: IPsec in transport mode !

You are not wrong about how transport mode works; however, AFAIK transport mode only works for remote access connections. LAN-to-LAN does not support transport mode.

New Member

Re: IPsec in transport mode !

Dear Sir, I figured it out! If in the crypto ACLs we define only the endpoint IPs, then the router will negotiate transport mode; if this is not the case, then it will always negotiate tunnel mode.

Thanks for the feedback, sir :-)
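To make the finding above concrete, here is an added example that is not from the thread or from Cisco: a small Python model of the IOS decision, using constructed addresses (192.0.2.1 and 192.0.2.2 as the peers, 10.1.1.0/24 and 10.2.2.0/24 as the loopback networks) and the simplified rule that transport mode is only negotiated when every crypto ACE is host-to-host between the two peers, otherwise the SA falls back to tunnel mode. It also shows which source and destination IPs a capture would show on the wire in each case, which answers the second question.

```python
import ipaddress

# Constructed addresses for the illustration (not from the thread).
PEER_R1 = "192.0.2.1"   # R1 Fa0/0, IPsec peer address
PEER_R2 = "192.0.2.2"   # R2 Fa0/0, IPsec peer address
LOOPBACK_ACL = ["permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"]  # loopback to loopback
PEER_ONLY_ACL = ["permit ip host 192.0.2.1 host 192.0.2.2"]          # peer endpoints only

def parse_ace(ace: str):
    """Parse an IOS crypto ACE 'permit ip <src> <dst>' where each side is
    'host A', 'any' or 'A WILDCARD'; returns (src_net, dst_net)."""
    tokens = ace.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {ace}")
    rest, nets = tokens[2:], []
    while rest:
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        elif rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:  # IOS wildcard masks are host masks, which ipaddress accepts as-is
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError(f"malformed ACE: {ace}")
    return nets[0], nets[1]

def negotiated_mode(acl, local_peer, remote_peer, configured="transport"):
    """Simplified IOS rule (assumption of this example): 'mode transport' is honoured
    only when every ACE protects traffic between exactly the two peers; otherwise the
    SA falls back to tunnel mode (and a tunnel-mode transform-set always stays tunnel)."""
    if configured != "transport":
        return "tunnel"
    peers = (ipaddress.ip_network(local_peer + "/32"), ipaddress.ip_network(remote_peer + "/32"))
    return "transport" if all(parse_ace(ace) == peers for ace in acl) else "tunnel"

def on_the_wire(mode, inner_src, inner_dst, local_peer, remote_peer):
    """Source/destination IPs of the ESP packet as a packet capture would show them."""
    if mode == "transport":
        return (inner_src, inner_dst)   # original IP header kept, ESP inserted after it
    return (local_peer, remote_peer)    # new outer header; original header is encrypted inside ESP

if __name__ == "__main__":
    for acl in (LOOPBACK_ACL, PEER_ONLY_ACL):
        mode = negotiated_mode(acl, PEER_R1, PEER_R2)
        print(acl, "->", mode, on_the_wire(mode, "10.1.1.1", "10.2.2.2", PEER_R1, PEER_R2))
```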