Re: IPSec, GRE, and Transport Mode

From: Nick Shah (nshah@xxxxxxxxxxxxxx)
Date: Wed Mar 13 2002 - 18:38:20 GMT-3

When using IPSEC in tunnel mode, the original IP header is encrypted. This
is good in a way, since it protects the inside of the network by encrypting
the original source IP address and destination IP address. The world can see only
the source and destination of the 2 IPSEC peers (not of the communicating devices).

In transport mode, the end user would be initiating the VPN with an IPSEC
terminating device, so the IP address of the client would be the address of the
VPN initiator, exposing the actual IP address to the public.

You can probably use tunnel mode when providing LAN-2-LAN connectivity,
essentially hiding the addresses of VPN clients.

Don't know of any gotchas, purely functional differences, and they can be
justified only in the real world.

hth.
Nick

-----Original Message-----
From: John Neiberger <neiby@ureach.com>
To: ccielab@groupstudy.com <ccielab@groupstudy.com>
Date: Thursday, 14 March 2002 6:00
Subject: IPSec, GRE, and Transport Mode

>I'm looking at an example on CCO that is encrypting a GRE
>tunnel, but this is the first time I've noticed the addition
>of 'mode transport' in the configuration.
>
>I was under the impression that transport mode was for use only
>when the tunnel endpoints were creating the traffic. Does that
>apply here because the router endpoints are creating the GRE
>packets and are therefore the end hosts? That kind of makes
>sense.
>
>What would be the functional difference in this case between
>tunnel mode and transport mode? If we're using a GRE tunnel,
>would there be any significant difference? Any gotchas
>regarding either method with GRE?
>
>Thanks,
>John <-- IPsec neophyte

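Added example, not part of either message above: a small Python model of the header stack that ESP transport mode and ESP tunnel mode put on the wire when the protected traffic is a GRE tunnel between two routers. It makes John's point concrete: the GRE packets are originated by the routers themselves, so the router-to-router IP header already exists, transport mode reuses it, and tunnel mode wraps it in a second IP header carrying the same two addresses. Because the hosts' addresses sit inside the GRE payload in both modes, tunnel mode hides nothing extra here; it only costs bytes, which shows up as a smaller usable MTU on the tunnel interface. Header sizes are the IPv4, GRE (no key/sequence/checksum) and ESP constants; the cipher/IV/ICV parameters of the two transform sets and the absence of NAT traversal are assumptions made for the illustration.

```python
"""GRE over IPsec: what ESP transport mode and tunnel mode put on the wire.

Constructed model of the header stack only (nothing is sent).  Header sizes are
the IPv4/GRE/ESP constants; the cipher parameters below are assumptions.
"""
from dataclasses import dataclass
from typing import Tuple

IP_HDR = 20       # IPv4 header, no options
GRE_HDR = 4       # GRE header with no checksum/key/sequence (RFC 2784)
ESP_HDR = 8       # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2   # pad length + next header, encrypted with the payload


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # bytes of IV sent after the ESP header
    block: int     # cipher block size the plaintext is padded to
    icv_len: int   # integrity check value appended after the trailer


# Assumed transform sets, roughly 'esp-aes esp-sha-hmac' and 'esp-3des esp-md5-hmac'.
AES_CBC_SHA1 = EspSuite("aes-cbc / hmac-sha1-96", iv_len=16, block=16, icv_len=12)
DES3_CBC_MD5 = EspSuite("3des-cbc / hmac-md5-96", iv_len=8, block=8, icv_len=12)


@dataclass(frozen=True)
class Layout:
    headers: Tuple[Tuple[str, int], ...]  # (name, bytes) in wire order
    wire_len: int                         # total bytes on the link
    encrypted: Tuple[str, ...]            # header names inside the ESP ciphertext


def esp_padding(plaintext_len: int, block: int) -> int:
    """ESP pads plaintext + 2-byte trailer up to a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def layout(mode: str, payload_len: int, suite: EspSuite = AES_CBC_SHA1) -> Layout:
    """Header stack for one host packet (IP header + payload_len bytes) crossing
    a GRE tunnel between two routers.  mode: 'plain', 'transport' or 'tunnel'."""
    # The host packet wrapped in GRE is what the router's tunnel interface
    # builds; the router-to-router IP header is added in front of it.
    host_pkt = [("inner-ip", IP_HDR), ("payload", payload_len)]
    gre_pkt = [("gre", GRE_HDR)] + host_pkt
    if mode == "plain":
        hdrs = [("outer-ip", IP_HDR)] + gre_pkt
        return Layout(tuple(hdrs), sum(n for _, n in hdrs), ())
    if mode == "transport":
        # ESP is inserted between the router-to-router IP header and GRE;
        # that IP header is reused, not duplicated.
        protected = gre_pkt
    elif mode == "tunnel":
        # ESP encapsulates the whole GRE packet including its router-to-router
        # IP header, and a new outer IP header with the same two addresses is added.
        protected = [("gre-outer-ip", IP_HDR)] + gre_pkt
    else:
        raise ValueError(f"unknown mode {mode!r}")
    plen = sum(n for _, n in protected)
    pad = esp_padding(plen, suite.block)
    hdrs = ([("outer-ip", IP_HDR), ("esp", ESP_HDR), ("iv", suite.iv_len)]
            + protected
            + [("pad", pad), ("esp-trailer", ESP_TRAILER), ("icv", suite.icv_len)])
    return Layout(tuple(hdrs), sum(n for _, n in hdrs),
                  tuple(name for name, _ in protected))


def max_host_packet(link_mtu: int, mode: str, suite: EspSuite = AES_CBC_SHA1) -> int:
    """Largest host IP packet (header included) that still fits in link_mtu after
    GRE + ESP encapsulation, i.e. the number to consider for 'ip mtu' on the
    tunnel interface.  Searches downward because ESP padding is not linear."""
    for size in range(link_mtu, IP_HDR, -1):
        if layout(mode, size - IP_HDR, suite).wire_len <= link_mtu:
            return size
    raise ValueError("link MTU too small for any packet")


if __name__ == "__main__":
    for mode in ("plain", "transport", "tunnel"):
        lay = layout(mode, payload_len=100)
        print(f"{mode:9s} {lay.wire_len:4d} bytes  encrypted={list(lay.encrypted)}  "
              + " ".join(f"{n}:{s}" for n, s in lay.headers))
    for mode in ("transport", "tunnel"):
        print(f"{mode}: max host packet on a 1500-byte link = {max_host_packet(1500, mode)}")
```

Two practical caveats follow from the model. Transport mode only applies when the IPsec peers are the same addresses as the GRE tunnel source and destination, since there is no second header for ESP to hide behind; if the crypto endpoints differ from the GRE endpoints, tunnel mode is what you get. And whichever mode is used, the encapsulated packet is larger than the host packet, so the `ip mtu` (and `ip tcp adjust-mss`) on the tunnel interface should be set from a calculation like `max_host_packet` rather than left at the physical link's MTU, or the router ends up fragmenting or dropping DF-marked traffic after encryption.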


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:03 GMT-3