From: Menga, Justin (Justin.Menga@xxxxxxxxxx)
Date: Wed Mar 06 2002 - 16:51:04 GMT-3
Hi,
Important to note the effect of NAT on tunnel and transport mode.
Transport mode is preferred because it reduces the overhead of the
packet. With GRE over IPSec, GRE provides tunneling and IPSec
encryption, so why tunnel tunnelled traffic?
If there is NAT involved, you must use tunnel mode and cannot use
Authentication Header at all (you can only use ESP). This is because
transport mode uses the source/destination of the received IP packet as
the src and dst proxy for IPSec, and when the crypto process decrypts
NAT'ed transport-mode traffic, the decrypted src/dst pairs do not match.
AH hashes the entire original packet and attaches it to the payload for
integrity checks, so NAT breaks this as well.
Regards,
Justin
-----Original Message-----
From: Brian Lodwick [mailto:xpranax@hotmail.com]
Sent: Thursday, 7 March 2002 2:22 a.m.
To: alec_cisco@yahoo.com; ccielab@groupstudy.com
Subject: Re: IPSec mode transport
I was going to go into a bunch of junk, but it might just be better to say
you can use tunnel or transport mode when using a GRE tunnel in conjunction
with IPSec, but it is recommended you use Transport mode. The reason being
there is no reason to have IPSec add an additional IP header when GRE has
done it.

It would probably help to take the time to review how a packet looks after
transport mode and after tunnel mode.

One last thing. No matter if you are using tunnel or transport mode you
always have to add the crypto map to the virtual as well as the physical
interface.
>>>Brian
>From: "A Yigit Zorlu" <alec_cisco@yahoo.com>
>Reply-To: "A Yigit Zorlu" <alec_cisco@yahoo.com>
>To: <ccielab@groupstudy.com>
>Subject: IPSec mode transport
>Date: Wed, 6 Mar 2002 13:13:35 +0200
>
>Hi group,
>
>
>crypto ipsec transform-set VPN esp-des esp-sha-hmac
> mode transport ! (optional - but recommended since your GRE tunnel provides tunnelling)
>
>Do I have to put this? I remember I have made it work in a couple of
>scenarios of IPSec over Tunnel. I enabled the crypto map on both the tunnel
>interface and the serial. Then it worked.
>
>When do I need this mode transport cmd?
>
>Regards,
>
>Yigit
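A worked configuration for the transport-mode GRE-over-IPSec setup the thread discusses, added here as an illustration and not taken from any of the posters. It keeps the crypto map on both the Tunnel and the physical interface as Brian describes, and shows the ESP tunnel-mode alternative Justin calls for when NAT sits between the peers; the peer addresses, ACL and map names, and the pre-shared key are assumed values.

```cisco
! Added example (not from the thread). Addresses 192.0.2.1 / 192.0.2.2 and
! the names VPN, GRE-IPSEC, GRE-TRAFFIC and the pre-shared key are assumed.
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
crypto isakmp key CHANGEME-PSK address 192.0.2.2
!
! Transport mode: GRE already adds the outer IP header, so IPSec only
! protects the GRE payload and avoids a second IP header per packet.
crypto ipsec transform-set VPN esp-des esp-sha-hmac
 mode transport
!
! Only the GRE traffic between the two tunnel endpoints is encrypted.
ip access-list extended GRE-TRAFFIC
 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map GRE-IPSEC 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set VPN
 match address GRE-TRAFFIC
!
! The crypto map goes on the virtual (Tunnel) interface ...
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
 crypto map GRE-IPSEC
!
! ... and on the physical interface the GRE packets leave through.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-IPSEC
!
! If a NAT device sits between the peers, the translated addresses no
! longer match the transport-mode proxy identities and AH would fail its
! integrity check. Use ESP in tunnel mode instead (tunnel mode is the
! default when "mode transport" is omitted):
!   crypto ipsec transform-set VPN-NAT esp-des esp-sha-hmac
!    mode tunnel
```

The esp-des transform matches the thread's own transform set; on current IOS releases you would pick esp-aes in its place.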
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:55 GMT-3