Hi all, I was testing site-to-site VPN. My diagram is simple. I am testing it on GNS3 to observe traffic via Wireshark.
R1 is connected to R2 over Fa0/0. R1 has a loopback 126.96.36.199/8 and R2 a loopback 188.8.131.52/8. Traffic needs to be encrypted when 184.108.40.206 sends any IP packet to 220.127.116.11 and vice versa. The configuration is standard for a site-to-site VPN, except for this
crypto ipsec transform-set aset esp-des esp-md5-hmac
at both ends.
Now the issue is, the VPN is forming correctly, but when I check the debugs and show crypto ipsec sa, I am still seeing the mode to be Tunnel! In Wireshark I can see that when I send a ping like this
R1#ping 18.104.22.168 source 22.214.171.124
I am seeing the source and destination IPs to be 10.0.0.1 and 10.0.0.2 respectively. Why is this so? Two questions arise here:
1) Why are both ends negotiating tunnel mode instead of transport mode?
2) Why am I not seeing the original IP header (which again falls back to question 1 above)?
I am really confused here. Did I misunderstand transport mode?