RE: Tunnel in IPSec network

From: Edward Sohn (edwardsohn@yahoo.com)
Date: Wed Nov 20 2002 - 05:58:56 GMT-3


Hunt,

You're going to want to read the Cisco VPN book by Cisco Press. The
book explains very well the differences and the instances where you will
want to use one mode over the other.

I don't have the book handy at the moment, but let me attempt to briefly
explain from memory...

As a general rule, transport is used between end stations and tunnel is
used between gateways (as a proxy for end stations). I also believe
transport mode is used with clients connecting to a VPN concentrator or
the like. For most site-to-site purposes, however, I believe tunnel
mode is standard.

Technologically speaking, transport mode keeps the original IP Header
intact, and authentication and encryption are performed on the payload by
placing another header after the original IP Header (depending on
whether you're using AH or ESP). Tunnel mode encompasses the original
IP Header and payload and introduces a new IP Header which is
independent of the authenticated or encrypted packet.

It is important to note that AH and ESP have different characteristics
regarding Tunneling and Transporting, as well. For example, AH cannot
utilize NAT in tunnel mode, due to the changing of the source IP
address. It doesn't matter for ESP because the data is encrypted before
the authentication occurs.

Well, that's all I can think of at the moment.

HTH,

Ed

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Hunt Lee
Sent: Tuesday, November 19, 2002 11:35 PM
To: 'ccielab@groupstudy.com'
Subject: Tunnel in IPSec network

In an IPSec network, in order to create the Transform-Set, we can use
either tunnel mode (default) or transport mode. My question is: when to
use which? How do we justify which one to use? How do you compare
these 2 methods in terms of adv vs disadv? Thanks.

Regards,
H.
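
As an added example (not from Ed's or Hunt's posts, and not a real IPsec
implementation), the following Python models the two layouts discussed in
the thread: a toy 10-byte IP header, an AH header reduced to a next-header
byte plus an HMAC-SHA256 ICV, an ESP header reduced to SPI plus sequence
number with a toy XOR keystream standing in for real encryption, and
constructed addresses and keys. It builds transport- and tunnel-mode
packets, shows where the original header ends up in each, then simulates a
NAT device rewriting the outer source address and checks whether AH's and
ESP's integrity checks still verify.

```python
"""Toy model of IPsec transport vs. tunnel mode and of NAT's effect on AH/ESP.
Added example, not from the original thread; header formats are simplified
and the cipher is a toy. Keys and addresses below are constructed."""
import hashlib
import hmac
import struct

# IANA protocol numbers (these are the real assignments)
PROTO_IPIP, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 6, 50, 51
IP_LEN = 10                      # toy IP header: src(4) dst(4) proto(1) ttl(1)
ICV_LEN = 32                     # HMAC-SHA256
AUTH_KEY = b"constructed-auth-key"   # constructed demo key, not an SA key
ENC_KEY = b"constructed-enc-key"     # constructed demo key

def ip2b(a): return bytes(int(o) for o in a.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

def ip_hdr(src, dst, proto, ttl=64):
    return struct.pack("!4s4sBB", ip2b(src), ip2b(dst), proto, ttl)

def parse_ip(pkt):
    src, dst, proto, ttl = struct.unpack("!4s4sBB", pkt[:IP_LEN])
    return b2ip(src), b2ip(dst), proto, ttl

def _ah_icv(ip, ah_next, rest):
    # AH's ICV covers the IP header with mutable fields zeroed (here only TTL;
    # the addresses are covered), the AH header with its ICV zeroed, and all data after it.
    immutable_ip = ip[:9] + b"\x00"
    msg = immutable_ip + bytes([ah_next]) + bytes(ICV_LEN) + rest
    return hmac.new(AUTH_KEY, msg, hashlib.sha256).digest()

def build_ah(mode, src, dst, payload, gw_src=None, gw_dst=None):
    inner = ip_hdr(src, dst, PROTO_TCP)
    if mode == "transport":   # original header kept, AH inserted after it
        ip, ah_next, rest = ip_hdr(src, dst, PROTO_AH), PROTO_TCP, payload
    else:                     # tunnel: new outer header, original header becomes payload
        ip, ah_next, rest = ip_hdr(gw_src, gw_dst, PROTO_AH), PROTO_IPIP, inner + payload
    return ip + bytes([ah_next]) + _ah_icv(ip, ah_next, rest) + rest

def verify_ah(pkt):
    ip, ah_next = pkt[:IP_LEN], pkt[IP_LEN]
    icv = pkt[IP_LEN + 1:IP_LEN + 1 + ICV_LEN]
    rest = pkt[IP_LEN + 1 + ICV_LEN:]
    return hmac.compare_digest(icv, _ah_icv(ip, ah_next, rest))

def ah_layout(pkt):
    # Header chain of an AH packet, showing where the original IP header sits.
    nxt = pkt[IP_LEN]
    if nxt == PROTO_IPIP:
        return ["IP(new outer)", "AH", "IP(original)", "TCP payload"]
    return ["IP(original)", "AH", "TCP payload"]

def _keystream(n, spi, seq):
    # Toy stream cipher (NOT real ESP crypto): SHA-256 in counter mode over a demo key.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(ENC_KEY + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]

def _esp_icv(esp_hdr, ct):
    # ESP's ICV covers only the ESP header and ciphertext, never the outer IP header.
    return hmac.new(AUTH_KEY, esp_hdr + ct, hashlib.sha256).digest()

def build_esp(mode, src, dst, payload, gw_src=None, gw_dst=None, spi=0x1000, seq=1):
    inner = ip_hdr(src, dst, PROTO_TCP)
    if mode == "transport":   # trailer's next-header byte says what the plaintext is
        ip, plain = ip_hdr(src, dst, PROTO_ESP), payload + bytes([PROTO_TCP])
    else:
        ip, plain = ip_hdr(gw_src, gw_dst, PROTO_ESP), inner + payload + bytes([PROTO_IPIP])
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(len(plain), spi, seq)))
    return ip + esp_hdr + ct + _esp_icv(esp_hdr, ct)

def verify_esp(pkt):
    esp_hdr = pkt[IP_LEN:IP_LEN + 8]
    ct, icv = pkt[IP_LEN + 8:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, _esp_icv(esp_hdr, ct))

def forward_hop(pkt):
    # A plain router: decrements TTL only (a mutable field AH excludes).
    src, dst, proto, ttl = parse_ip(pkt)
    return ip_hdr(src, dst, proto, ttl - 1) + pkt[IP_LEN:]

def nat_rewrite_src(pkt, new_src):
    # A NAT device: rewrites the outermost source address and decrements TTL.
    _, dst, proto, ttl = parse_ip(pkt)
    return ip_hdr(new_src, dst, proto, ttl - 1) + pkt[IP_LEN:]

def outer_addresses(pkt):
    src, dst, _, _ = parse_ip(pkt)
    return src, dst

if __name__ == "__main__":
    args = ("10.1.1.10", "10.2.2.20", b"hello", "192.0.2.1", "198.51.100.1")
    for mode in ("transport", "tunnel"):
        ah, esp = build_ah(mode, *args), build_esp(mode, *args)
        print(mode, ah_layout(ah), "outer", outer_addresses(ah))
        print("  AH after NAT verifies:", verify_ah(nat_rewrite_src(ah, "203.0.113.7")))
        print("  ESP after NAT verifies:", verify_esp(nat_rewrite_src(esp, "203.0.113.7")))
```

Run stand-alone, it shows the transport packets carrying the end hosts'
addresses in the only IP header and the tunnel packets carrying the gateway
addresses in a new outer header with the original header inside. After the
simulated NAT, the AH packets fail verification in both modes because AH's
ICV covers the outer header's addresses (only mutable fields such as TTL are
left out, so a plain hop still verifies), while the ESP packets still verify
because ESP's ICV stops at the ESP header. The model does not cover the TCP
checksum carried inside ESP transport-mode payload, which was computed over
the original addresses and is what NAT traversal (RFC 3948) has to fix up.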



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:07 GMT-3