Transport and Tunnel Modes in IPsec Securing the Network in Oracle® Solaris 11.2 (2024)

Transport and Tunnel Modes in IPsec

The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel mode. The key difference between transport and tunnel mode is where policy is applied. In tunnel mode, the original packet is encapsulated in another IP header. The addresses in that outer header can differ from the addresses of the original packet, for example when two security gateways carry traffic on behalf of the hosts behind them.

The packets can be protected by AH, ESP, or both in each mode. The modes differ in policy application, as follows:

  • In transport mode, the IP addresses in the outer header, which is the packet's only IP header, are used to determine the IPsec policy that is applied to the packet.

  • In tunnel mode, two IP headers are sent. The inner IP packet determines the IPsec policy that protects its contents.

Tunnel mode can be applied to any mix of end systems and intermediate systems, such as security gateways.

In transport mode, the IP header, the next header, and any ports that the next header supports can be used to determine IPsec policy. In effect, IPsec can enforce different transport mode policies between two IP addresses to the granularity of a single port. For example, if the next header is TCP, which supports ports, then IPsec policy can be set for a TCP port of the outer IP address.

Tunnel mode works only for IP-in-IP packets. In tunnel mode, IPsec policy is enforced on the contents of the inner IP packet. Different IPsec policies can be enforced for different inner IP addresses. That is, the inner IP header, its next header, and the ports that the next header supports can enforce a policy. Unlike transport mode, in tunnel mode the outer IP header does not dictate the policy of its inner IP packet.

Therefore, in tunnel mode, IPsec policy can be specified for subnets of a LAN behind a router and for ports on those subnets. IPsec policy can also be specified for particular IP addresses, that is, hosts, on those subnets. The ports of those hosts can also have a specific IPsec policy. However, if a dynamic routing protocol is run over a tunnel, do not use subnet selection or address selection, because the view of the network topology on the peer network could change. Such changes would invalidate the static IPsec policy. For examples of tunneling procedures that include configuring static routes, see Protecting a VPN With IPsec.
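The following is an added illustration, not Oracle Solaris code, of the selection rule the preceding paragraphs describe. It builds a constructed IPv4/TCP packet (a telnet connection from 10.1.2.3 to 10.4.5.6) and the IP-in-IP packet that a tunnel between two gateways (192.0.2.1 and 198.51.100.1) would carry, then shows which header's addresses and ports a policy rule is matched against in each mode, and which bytes ESP would encrypt (the shaded regions of Figures 6-4 and 6-5). All addresses, ports and the sample rule are assumptions chosen for the example; the ESP header, padding, trailer and ICV are omitted.

```python
"""Which IP header drives IPsec policy in transport vs tunnel mode.

Added illustration; not Oracle Solaris code. Addresses, ports and the
rule below are constructed for the example.
"""
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP: the only encapsulation tunnel mode operates on
IPPROTO_TCP = 6
IPPROTO_ESP = 50   # protocol number the outer header carries once ESP is applied


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, no options; checksum left 0 (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport):
    """20-byte TCP header; only the port fields matter to IPsec selectors."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(buf[12:16]),
            "dst": socket.inet_ntoa(buf[16:20]),
            "proto": buf[9],
            "payload": buf[ihl:]}


def selectors(packet, mode):
    """Return (src, dst, ulp, sport, dport) that a policy rule is matched against.

    transport: the packet's own (outer) header and the ports of its next header.
    tunnel:    the inner header of an IP-in-IP packet; the outer header is ignored.
    """
    hdr = parse_ipv4(packet)
    if mode == "tunnel":
        if hdr["proto"] != IPPROTO_IPIP:
            raise ValueError("tunnel mode works only for IP-in-IP packets")
        hdr = parse_ipv4(hdr["payload"])
    elif mode != "transport":
        raise ValueError("mode must be 'transport' or 'tunnel'")
    sport = dport = None
    if hdr["proto"] == IPPROTO_TCP:   # UDP/SCTP ports would be read the same way
        sport, dport = struct.unpack("!HH", hdr["payload"][:4])
    return (hdr["src"], hdr["dst"], hdr["proto"], sport, dport)


def rule_matches(rule, sel):
    """rule: dict with any of src, dst, ulp, sport, dport; absent keys are wildcards."""
    names = ("src", "dst", "ulp", "sport", "dport")
    return all(rule[k] == v for k, v in zip(names, sel) if k in rule)


def esp_scope(original, mode, outer_src=None, outer_dst=None):
    """Split into (cleartext IP header, bytes ESP encrypts) for the given mode.

    Transport: the original header stays clear, TCP header and data are encrypted.
    Tunnel:    a new outer header (protocol ESP) stays clear, the whole original
               packet, its IP header included, is encrypted.
    """
    if mode == "transport":
        ihl = (original[0] & 0x0F) * 4
        return original[:ihl], original[ihl:]
    if outer_src is None or outer_dst is None:
        raise ValueError("tunnel mode needs the outer (gateway) addresses")
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(original)), original


# Constructed sample: host 10.1.2.3 telnets to 10.4.5.6 (TCP port 23); the
# gateways 192.0.2.1 and 198.51.100.1 carry it IP-in-IP through the tunnel.
INNER = (ipv4_header("10.1.2.3", "10.4.5.6", IPPROTO_TCP, 20 + 5)
         + tcp_header(40000, 23) + b"hello")
TUNNELED = ipv4_header("192.0.2.1", "198.51.100.1", IPPROTO_IPIP, len(INNER)) + INNER

# A rule written for the telnet traffic (assumed): tunnel-mode selection sees
# the inner header and matches; transport-mode selection sees only the
# gateway addresses and protocol 4, so it does not.
TELNET_RULE = {"dst": "10.4.5.6", "ulp": IPPROTO_TCP, "dport": 23}

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        sel = selectors(TUNNELED, mode)
        print(f"{mode:9} sees {sel}  telnet rule matches: {rule_matches(TELNET_RULE, sel)}")
```

Running the block prints the two selector tuples for the same IP-in-IP packet: transport mode reports the gateway addresses with protocol 4 and no ports, tunnel mode reports the inner hosts and the TCP ports, so only the tunnel-mode evaluation matches a rule written for the telnet traffic. This is why a rule on a Solaris tunnel interface can select subnets, hosts and ports behind the gateways.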

In Oracle Solaris, tunnel mode can be enforced only on an IP tunneling network interface. For information about tunneling interfaces, see Chapter 4, About IP Tunnel Administration, in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.2. IPsec policy provides a tunnel keyword to select an IP tunneling network interface. When the tunnel keyword is present in a rule, all selectors that are specified in that rule apply to the inner packet.

The following figure shows an IP header with an unprotected TCP packet.

Figure 6-3 Unprotected IP Packet Carrying TCP Information


In transport mode, ESP protects the data as shown in the following figure. The shaded area shows the encrypted part of the packet.

Figure 6-4 Protected IP Packet Carrying TCP Information


In tunnel mode, the entire packet is inside the ESP header. The packet in Figure 6-3 is protected in tunnel mode by an outer IPsec header and, in this case, ESP, as shown in the following figure.

Figure 6-5 IPsec Packet Protected in Tunnel Mode


IPsec policy provides keywords for tunnel mode and transport mode; the tunnel keyword described above selects the tunneling interface, and the remaining selectors in that rule are applied to the inner packet.


FAQs

What is tunnel mode and transport mode in IPsec?

In transport mode, IPsec protects only the payload of the original IP packet (for example, the TCP segment) and keeps the original IP header, so the packet still travels between the original endpoints. In tunnel mode, the entire original IP packet, header included, is encapsulated inside a new IP packet with its own outer header. Protecting the whole inner packet keeps its addresses, ports and data from being inspected or modified in transit.

Which two modes does IPsec support?

IPsec operates in two modes: transport mode and tunnel mode. Transport mode is used for host-to-host communications. In transport mode, the payload of the IP packet is protected but the IP header is not encrypted; the security header (AH or ESP) is placed between the IP header and the IP payload.

What are the two modes in which IPsec can be configured to run?

Transport mode is often used between two hosts that want to protect some otherwise insecure traffic (for example, telnet). Tunnel mode is typically used for site-to-site VPNs, where the original IP packet must be encapsulated because the inner addresses are usually private and cannot be routed on the Internet.

What are the two modes that the IPsec protocol can operate in?

To authenticate data packets and guarantee their integrity, IPsec includes two protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol, the latter also providing confidentiality. Both protocols, in turn, support two encapsulation modes, tunnel mode and transport mode.

Which mode of IPsec should you use?

To assure the integrity and confidentiality of data exchanged between hosts on the same LAN, use ESP in transport mode: the hosts themselves are the IPsec endpoints, so no encapsulating outer header is needed.

How does IPsec provide protection in tunnel mode?

IPsec tunnel mode is suited to carrying traffic across public networks because it protects the whole original packet from unauthorized parties. The sending gateway (or host) encrypts the entire original packet, payload and IP header, and prepends a new outer IP header to carry it.

What are the two primary security protocols used by IPsec?

IPsec originally defined two protocols for securing IP packets: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides data integrity, origin authentication and anti-replay services; ESP encrypts the data and can also authenticate it.

What is the difference between an IPsec tunnel and an SSL VPN?

IPsec provides network-layer security and protects entire IP packets, which makes it the usual choice for securing all traffic between networks. SSL/TLS VPNs work at the application layer and protect only the traffic of the applications that use them. Which one is "more secure" depends on the context.

What is an example of tunnel mode?

Tunnel mode is most commonly used between gateways (for example, Cisco routers or ASA firewalls), or between an end station and a gateway, with the gateway acting as a proxy for the hosts behind it. Another example is an IPsec tunnel between a Cisco VPN client and an IPsec gateway (for example, an ASA 5510 or a PIX firewall).

Which two methods use IPsec to provide secure connectivity?

At the IP layer, IPsec provides secure remote access to an entire network rather than to a single device. IPsec VPNs come in two types: tunnel mode and transport mode.

What are the two ways of providing authentication in IPsec?

IPsec VPNs support two main methods of peer authentication in IKE: pre-shared keys (PSK) and digital certificates issued by a public key infrastructure (PKI). A PSK is a simple and common method in which both peers share a secret passphrase that is used to authenticate the IKE exchange from which the session keys are derived.

What is IPsec tunnel mode and transport mode?

Tunnel mode protects the entire original IP packet, header included, inside a new IP packet, while transport mode protects only the payload of the packet and keeps the original header. They also differ in use: tunnel mode is used between gateways to connect entire networks, while transport mode is used for host-to-host communication.

How does transport mode work?

Transport mode protects the data of an IP packet while leaving the original IP header, and therefore the original address information, in the clear. The Encapsulating Security Payload (ESP) operates in either transport mode or tunnel mode. In transport mode, ESP encrypts the payload but the IP header information remains viewable.

What is the difference between main mode and aggressive mode in IPsec?

Both are IKEv1 Phase 1 exchanges. Main mode requires six messages, while aggressive mode requires only three. Main mode negotiation is more rigorous and more secure: it protects the identities of the peers, whereas aggressive mode sends the identities in the clear and, with pre-shared key authentication, exposes a hash that an attacker can use for an offline dictionary attack on the PSK.

What is a tunnel in IPsec?

IPsec is the set of standards and protocols developed by the Internet Engineering Task Force (IETF) to secure IP traffic. An IPsec tunnel is a pair of security associations, one per direction, that carries packets in tunnel mode between two endpoints, typically security gateways, so that traffic is protected as it crosses network boundaries.

What is the difference between AH and ESP?

The main difference is in what they authenticate. In transport mode, ESP does not protect any field of the IP header, while AH authenticates the immutable fields of the IP header as well as the payload. In tunnel mode, ESP authenticates the entire inner packet, including the inner IP header, but not the outer header; AH additionally covers the immutable fields of the outer header. ESP can also encrypt the payload, which AH never does. AH can be applied alone or together with ESP.

What is the difference between transport mode and tunnel mode in IPsec?

Tunnel mode builds a new packet around the original one, so it is useful for protecting traffic between different networks. Transport mode differs in that it retains the original IP header.
