Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPsec in transport mode !

Hi all, i was testing site to site vpn. My diagram is simple. I am testing it on GNS3 to observer traffic via wireshark.

R1 is connected to R2 over Fa0/0. R1 has a loopback 20.0.0.1/8 and R2 loopback 30.0.0.1/8. Traffic needs to be encrypted when 20.0.0.1 sends any ip packet to 30.0.0.1 and vice versa. Configuration is standard of Site to site vpn except this

crypto ipsec transform-set aset esp-des esp-md5-hmac

mode transport

at both ends.

Now the issue is, vpn is forming correctly but when i check the debugs and show crypto ipsec sa, i am still seeing mode to be Tunnel !!. In wireshark i can see that when i send ping like this

R1#ping 30.0.0.1 source 20.0.0.1

!!!!!

I am seeing source and destination IPs to be 10.0.0.1 and 10.0.0.2 respec. Why is this so ? 2 questions arise here

1) Why both ends are negotiating tunnel mode instead of transport mode ?

2) Why i am not seeing the original IP header (which again falls to question 1 above )

I am really confused here ? did i misunderstood transport mode ?

2 REPLIES

Re: IPsec in transport mode !

You are not wrong on how transport mode works, however AFAIK transport mode only works for remote access connections, lan to lan does not support transport mode.

New Member

Re: IPsec in transport mode !

Dear Sir, i figured it out !!. If in crypto acls we define only the endpoints IPs then router will negotiate transport mode, if this is not the case then it will always negotiate tunnel mode.

Thanks for the feedback sir :-)

140
Views
0
Helpful
2
Replies