Hans,
per my understanding, the inherent problem with IPsec transport mode
is lack of second encapsulating IP header. When an IP packet is
fragmented prior to IPsec encapsulation, and then fragmented en-route
after IPsec encapsulation, two IP headers are required to properly
maintain two separate fragmentation states. The outer header maintains
post-IPsec fragmentation and the inner header maintains pre-IPsec
fragmentation.
It is possible to implement extra tunneling layer e.g. GRE or IPIP
under IPsec transport mode header to avoid this issue. This is the way
it's being done with DMVPN, for example. However, per GET VPN nature,
original header preservation dictates simple duplication of IP header
and the use of IPsec transport mode, which allows avoiding the above
mentioned fragmentation issue.
You may find this information in RFC 4301 (Security Architecture for
the Internet Protocol), which was my primary source of information
when I was trying to figure out the answer myself.
HTH
-- Petr Lapukhov, petr_at_INE.com CCIE #16379 (R&S/Security/SP/Voice) Internetwork Expert, Inc. http://www.INE.com Toll Free: 877-224-8987 Outside US: 775-826-4344 2009/11/3 Hans None <acsyao_at_hotmail.com>: > All, > > > > Does anyone know why Cisco GET VPN does not work in IPSEC transport mode? > > > > > > Thanks, > > _________________________________________________________________ > Bing brings you maps, menus, and reviews organized in one place. > http://www.bing.com/search?q=restaurants&form=MFESRP&publ=WLHMTAG&crea=TEXT_M > FESRP_Local_MapsMenu_Resturants_1x1 > > > Blogs and organic groups at http://www.ccie.net > > _______________________________________________________________________ > Subscription information may be found at: > http://www.groupstudy.com/list/CCIELab.html Blogs and organic groups at http://www.ccie.netReceived on Wed Nov 04 2009 - 00:11:32 ART
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART