IPsec in transport mode !

illusion_rox
Level 1

Hi all, I was testing a site-to-site VPN. My diagram is simple. I am testing it on GNS3 to observe the traffic via Wireshark.

R1 is connected to R2 over Fa0/0. R1 has a loopback 20.0.0.1/8 and R2 a loopback 30.0.0.1/8. Traffic needs to be encrypted when 20.0.0.1 sends any IP packet to 30.0.0.1 and vice versa. The configuration is the standard site-to-site VPN configuration except for this

crypto ipsec transform-set aset esp-des esp-md5-hmac

mode transport

at both ends.

Now the issue is, the VPN is forming correctly, but when I check the debugs and show crypto ipsec sa, I am still seeing the mode to be Tunnel!! In Wireshark I can see that when I send a ping like this

R1#ping 30.0.0.1 source 20.0.0.1

!!!!!

I am seeing the source and destination IPs to be 10.0.0.1 and 10.0.0.2 respectively. Why is this so? Two questions arise here:

1) Why are both ends negotiating tunnel mode instead of transport mode?

2) Why am I not seeing the original IP header (which again falls back to question 1 above)?

I am really confused here. Did I misunderstand transport mode?


Ivan Martinon
Level 7

You are not wrong on how transport mode works; however, AFAIK transport mode only works for remote access connections, LAN to LAN does not support transport mode.

Dear Sir, I figured it out!! If in the crypto ACLs we define only the endpoint IPs, then the router will negotiate transport mode; if this is not the case, then it will always negotiate tunnel mode.

Thanks for the feedback, sir :-)
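The rule the thread arrives at, worked through as an added example (this is not Cisco code or anything from the original posts): a crypto ACL whose selectors are exactly the two IPsec peer addresses lets "mode transport" take effect, while any other selector, such as the loopback networks in this lab, falls back to tunnel mode, which is why the sniffer sees the peer addresses 10.0.0.1 and 10.0.0.2 instead of 20.0.0.1 and 30.0.0.1. The peer addresses and ACL lines below are constructed lab values matching the thread, and the header layouts are the standard ESP tunnel and transport encapsulations.

```python
import ipaddress

# Constructed lab values from the thread: the Fa0/0 addresses are the IPsec
# peers, the loopbacks are the hosts the crypto ACL was written for.
PEERS = ("10.0.0.1", "10.0.0.2")
LOOPBACK_ACL = "permit ip 20.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255"
PEER_ACL = "permit ip host 10.0.0.1 host 10.0.0.2"

def parse_crypto_acl(line):
    """Parse 'permit ip <src> <dst>' ('host A.B.C.D' or 'A.B.C.D WILDCARD')
    into a (source, destination) pair of IPv4Network objects."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"] or len(tokens) != 6:
        raise ValueError("only 'permit ip <src> <dst>' entries are handled")
    nets = []
    for addr, mask in ((tokens[2], tokens[3]), (tokens[4], tokens[5])):
        if addr == "host":                      # 'host A.B.C.D' == A.B.C.D/32
            nets.append(ipaddress.ip_network(mask + "/32"))
            continue
        wild = int(ipaddress.ip_address(mask))  # Cisco wildcard = inverted mask
        if wild & (wild + 1):
            raise ValueError("non-contiguous wildcard: " + mask)
        prefix = 32 - wild.bit_length()          # 0.255.255.255 -> /8
        nets.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return nets[0], nets[1]

def negotiated_mode(acl_line, peers, configured="transport"):
    """Rule from the thread: 'mode transport' is honoured only when the crypto
    ACL selects nothing but the two peer addresses; anything else -> tunnel."""
    src, dst = parse_crypto_acl(acl_line)
    local, remote = (ipaddress.ip_network(p + "/32") for p in peers)
    if configured == "transport" and src == local and dst == remote:
        return "transport"
    return "tunnel"

def on_the_wire(acl_line, peers, inner_src, inner_dst):
    """(mode, outer_src, outer_dst, header_order) as a sniffer between the
    peers sees a packet; traffic the ACL does not select is sent in clear."""
    src_net, dst_net = parse_crypto_acl(acl_line)
    if (ipaddress.ip_address(inner_src) not in src_net
            or ipaddress.ip_address(inner_dst) not in dst_net):
        return "clear", inner_src, inner_dst, ["IP(orig)", "payload"]
    mode = negotiated_mode(acl_line, peers)
    if mode == "tunnel":   # new outer IP header carries the peer addresses
        return mode, peers[0], peers[1], ["IP(peers)", "ESP", "IP(orig)", "payload"]
    # transport: ESP sits behind the original header, host addresses stay visible
    return mode, inner_src, inner_dst, ["IP(orig)", "ESP", "payload"]
```

Running on_the_wire(LOOPBACK_ACL, PEERS, "20.0.0.1", "30.0.0.1") reproduces the thread's capture (tunnel mode, outer addresses 10.0.0.1 and 10.0.0.2), while the same ping matched by PEER_ACL between the peers themselves yields transport mode with the original header on the wire.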