Re: IPSec, GRE, and Transport Mode

From: Ahmed Mamoor Amimi (mamoor@xxxxxxxx)
Date: Thu Mar 14 2002 - 10:16:13 GMT-3

From CCO:
Tunnel Mode

With tunnel mode, the entire original IP packet is protected (encrypted,
authenticated, or both) and is encapsulated by the IPSec headers and
trailers (an ESP header and trailer, an AH header, or both). Then a new IP
header is prefixed to the packet, specifying the IPSec endpoints as the
source and destination.

Tunnel mode can be used with any IP traffic. Tunnel mode must be used if
IPSec is protecting traffic from hosts behind the IPSec peers. For example,
tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one
protected network send packets to hosts on a different protected network via
a pair of IPSec peers. With VPNs, the IPSec peers "tunnel" the protected
traffic between the peers while the hosts on their protected networks are
the session endpoints.

Transport Mode

With transport mode, only the payload (data) of the original IP packet is
protected (encrypted, authenticated, or both). The payload is encapsulated
by the IPSec headers and trailers (an ESP header and trailer, an AH header,
or both). The original IP headers remain intact and are not protected by
IPSec.

Use transport mode only when the IP traffic to be protected has IPSec peers
as both the source and destination. For example, you could use transport
mode to protect router management traffic. Specifying transport mode allows
the router to negotiate with the remote peer whether to use transport or
tunnel mode.

My source is:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt4/srdipsec.htm#xtocid197669

Hope this helps!

-Mamoor

----- Original Message -----
From: John Neiberger <neiby@ureach.com>
To: <ccielab@groupstudy.com>
Sent: Wednesday, March 13, 2002 11:32 PM
Subject: IPSec, GRE, and Transport Mode

> I'm looking at an example on CCO that is encrypting a GRE
> tunnel, but this is the first time I've noticed the addition
> of 'mode transport' in the configuration.
>
> I was under the impression that transport mode was for use only
> when the tunnel endpoints were creating the traffic. Does that
> apply here because the router endpoints are creating the GRE
> packets and are therefore the end hosts? That kind of makes
> sense.
>
> What would be the functional difference in this case between
> tunnel mode and transport mode? If we're using a GRE tunnel,
> would there be any significant difference? Any gotchas
> regarding either method with GRE?
>
> Thanks,
> John <-- IPsec neophyte
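As an added illustration (not part of Mamoor's reply, John's post, or Cisco's documentation), the following Python model lays out the header stack each mode produces when the protected traffic is the GRE tunnel from the quoted question, and applies the transport-mode rule from the Cisco text above. The header sizes, addresses and payload length are constructed assumptions; ESP padding and any cipher IV are not modelled.

```python
from dataclasses import dataclass, replace

# Constructed header sizes in bytes: IPv4 header (no options), GRE header
# (no optional fields), ESP header (SPI + sequence number), ESP trailer
# (pad length + next header, padding ignored) plus a 12-byte ICV.
SIZES = {"ip": 20, "gre": 4, "esp": 8, "esp_trailer": 2 + 12}

@dataclass(frozen=True)
class Packet:
    src: str          # IP source of the outermost header
    dst: str          # IP destination of the outermost header
    layers: tuple     # header names outermost first, "payload" for the data
    payload_len: int

    def wire_size(self) -> int:
        return sum(SIZES.get(name, 0) for name in self.layers) + self.payload_len

def gre_encapsulate(pkt: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """The tunnel routers wrap the host packet in GRE plus a new IP header,
    so the routers themselves become the IP source and destination."""
    return Packet(tunnel_src, tunnel_dst, ("ip", "gre") + pkt.layers, pkt.payload_len)

def transport_mode_allowed(pkt: Packet, peer_a: str, peer_b: str) -> bool:
    """Rule quoted from CCO above: transport mode only when the IPsec peers
    are both the source and the destination of the traffic being protected."""
    return {pkt.src, pkt.dst} == {peer_a, peer_b}

def esp_protect(pkt: Packet, mode: str, peer_a: str, peer_b: str) -> Packet:
    """Apply ESP in the given mode for traffic flowing peer_a -> peer_b."""
    if mode == "transport":
        if not transport_mode_allowed(pkt, peer_a, peer_b):
            raise ValueError("transport mode needs the IPsec peers as source and "
                             "destination; host-to-host traffic needs tunnel mode")
        # Original IP header stays outermost (and unprotected); ESP wraps the rest.
        layers = pkt.layers[:1] + ("esp",) + pkt.layers[1:] + ("esp_trailer",)
        return replace(pkt, layers=layers)
    if mode == "tunnel":
        # Entire original packet is protected; a new IP header names the peers.
        layers = ("ip", "esp") + pkt.layers + ("esp_trailer",)
        return Packet(peer_a, peer_b, layers, pkt.payload_len)
    raise ValueError(f"unknown IPsec mode {mode!r}")

def compare_gre_modes(host_pkt: Packet, rtr_a: str, rtr_b: str) -> dict:
    """Bytes on the wire for the GRE-encapsulated packet under each mode."""
    gre = gre_encapsulate(host_pkt, rtr_a, rtr_b)
    return {m: esp_protect(gre, m, rtr_a, rtr_b).wire_size() for m in ("transport", "tunnel")}

if __name__ == "__main__":
    host = Packet("10.1.1.5", "10.2.2.7", ("ip", "payload"), 100)  # constructed sample
    print(compare_gre_modes(host, "192.0.2.1", "198.51.100.1"))   # {'transport': 166, 'tunnel': 186}
```

Because the GRE packet already carries the routers' addresses in its outer IP header, transport mode reuses that header while tunnel mode adds a second one, so the only layout change is one extra IP header per packet; in transport mode that outer header is the part IPsec leaves unprotected.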



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:08 GMT-3