Re: IPSEC Tunnel vs Transport Mode

From: Mark Reardon (riscorp@mindspring.com)
Date: 04/24/03

    Date: Thu, 24 Apr 2003 08:08:49 -0400 (GMT)
    From: Mark Reardon <riscorp@mindspring.com>
    To: Robin Atler <ratler@enter.net>, security-basics@securityfocus.com
    
    

    Tunnel mode normally runs between two routers. The router at each end takes all traffic destined to the other router and sends it into the tunnel. This means that it does all the security work and then puts it in a new IP packet with the remote router's IP address as the destination.

    Some people show this with this diagram (NEW IP HDR : secured payload( original IP HDR, IP payload)).

    Tunnel mode works well when you are connecting two offices over a non-secure network. The only item exposed is the IP header used to navigate across the non-secure network.

    Transport mode is designed to work between two servers. It is represented something like (IP HDR : secured IP payload).

    The IP header is left exposed since if you secure it, you just have to duplicate it to get the IP routing to work between the two servers. There is no benefit and it is more efficient to not do it. Since the IP payload is the transport layer, this was called transport mode.

    Cisco's issue is that if a router runs IPSec, it needs the internal IP header to finish routing a received packet. The original IP header had the router as the destination. If you are in transport mode, there isn't another header to use. If you are in tunnel mode, the protected header is used.

    I hope that helps.

    Mark

    -------Original Message-------
    From: Robin Atler <ratler@enter.net>
    Sent: 04/23/03 09:51 AM
    To: security-basics@securityfocus.com
    Subject: IPSEC Tunnel vs Transport Mode


    I'm setting up a VPN. I've read some documentation that states, rather
    generically, that IPSEC tunnels can run in either tunnel or transport
    mode. Transport mode simply protects the message contents while tunnel
    mode protects the message contents and the original IP headers. I'm using
    Cisco gear which says that transport mode only works when the tunnel
    endpoints are the conversing devices. This doesn't seem quite right to me
    and I don't understand why that would be required. Can anyone explain
    that or is this particular behavior simply a "cisco-ism"?

    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hands-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-security-basics
    ----------------------------------------------------------------------------


    ----
    Mark Reardon
    Reardon Information Security Corporation
    156 Blue Sky Drive
    Marietta, GA 30068
    (770) 565-0544
    (404) 444-0041 cell
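The two framings Mark describes, (NEW IP HDR : secured payload(original IP HDR, IP payload)) for tunnel mode and (IP HDR : secured IP payload) for transport mode, and the routing consequence he draws from them, can be walked through in code. The following is an added example written for this archive page, not code from the original post or from any vendor; the ESP protection is a stand-in (a SHA-256 keystream XOR plus an HMAC-SHA256 ICV) rather than real ESP or IKE, and every address, SPI and key is a constructed sample value.

```python
"""Added example, not part of the mailing-list post: tunnel-mode and
transport-mode framing as described in the reply above. The ESP
protection is a stand-in (SHA-256 keystream XOR plus HMAC-SHA256 ICV),
not real ESP/IKE; addresses, SPIs and keys are constructed samples."""
import hashlib
import hmac
import ipaddress
import struct

IPIP_PROTO, ESP_PROTO, UDP_PROTO = 4, 50, 17
IPV4_FMT = "!BBHHHBBH4s4s"            # 20-byte IPv4 header, no options


def ipv4_checksum(hdr):
    """One's-complement header checksum; returns 0 for a correct header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt):
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9])), "proto": f[6]}


def _keystream(key, seq, n):
    out = b""
    for counter in range(n // 32 + 1):
        out += hashlib.sha256(key + struct.pack("!II", seq, counter)).digest()
    return out[:n]


def esp_protect(key, spi, seq, data, next_header):
    """Stand-in ESP: SPI | seq | enc(data | next_header) | 16-byte ICV.
    As in real ESP, the Next Header value rides in the protected trailer."""
    plain = data + bytes([next_header])
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, seq, len(plain))))
    body = struct.pack("!II", spi, seq) + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def esp_unprotect(key, esp):
    body, icv = esp[:-16], esp[-16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP integrity check failed")
    _spi, seq = struct.unpack("!II", body[:8])
    plain = bytes(a ^ b for a, b in zip(body[8:], _keystream(key, seq, len(body) - 8)))
    return plain[:-1], plain[-1]           # (data, next header)


def encapsulate(mode, key, packet, gw_src=None, gw_dst=None):
    inner = parse_ipv4_header(packet)
    if mode == "tunnel":
        # NEW IP HDR : secured( original IP HDR, IP payload )
        esp = esp_protect(key, 0x1001, 1, packet, IPIP_PROTO)
        return build_ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp
    if mode == "transport":
        # IP HDR : secured( IP payload ); original addresses stay in the clear
        esp = esp_protect(key, 0x1002, 1, packet[20:], inner["proto"])
        return build_ipv4_header(inner["src"], inner["dst"], ESP_PROTO, len(esp)) + esp
    raise ValueError(mode)


def decapsulate(mode, key, packet):
    """Return (IP header the receiver must now act on, transport payload)."""
    outer = parse_ipv4_header(packet)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    data, nh = esp_unprotect(key, packet[20:])
    if mode == "tunnel":
        if nh != IPIP_PROTO:
            raise ValueError("tunnel mode expects an inner IP packet")
        return parse_ipv4_header(data), data[20:]   # inner header holds the real destination
    return {**outer, "proto": nh}, data            # only the outer header exists


def after_decapsulation(mode, key, packet, node_addr):
    """The routing step the reply talks about: forward on the recovered
    header, or deliver locally because it is addressed to this node."""
    hdr, payload = decapsulate(mode, key, packet)
    if hdr["dst"] == node_addr:
        return ("deliver", hdr["proto"], payload)
    return ("forward", hdr["dst"], payload)


# Constructed scenario: host A (10.1.1.10) sends UDP to host B (10.2.2.20);
# gateways 203.0.113.1 and 198.51.100.1 front the two offices.
KEY = b"constructed-sample-key"
ORIGINAL = build_ipv4_header("10.1.1.10", "10.2.2.20", UDP_PROTO, 5) + b"hello"

if __name__ == "__main__":
    tun = encapsulate("tunnel", KEY, ORIGINAL, "203.0.113.1", "198.51.100.1")
    print("tunnel outer:", parse_ipv4_header(tun))
    print("gateway B:", after_decapsulation("tunnel", KEY, tun, "198.51.100.1"))
    tr = encapsulate("transport", KEY, ORIGINAL)
    print("transport outer:", parse_ipv4_header(tr))
    print("host B:", after_decapsulation("transport", KEY, tr, "10.2.2.20"))
```

Running it shows the two cases side by side: in tunnel mode the outer header is addressed to gateway B, and after decapsulation gateway B recovers the inner header with 10.2.2.20 as destination and forwards it. In transport mode the only header on the wire is the original one, addressed to host B itself, so the receiver has nothing further to route and simply delivers the UDP payload. A gateway doing transport mode on someone else's packet would have no header left to route on, which is the constraint the Cisco documentation states.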
    
