Feb 15, 2014

Which is superior for VPN, transport mode or tunnelling?

When establishing a VPN, is one of these pretty much always the better choice, or are there variables that make it situation dependent?


Basically in Tunnel mode, which is the default mode on Cisco routers, the original source and destination IP addresses are encrypted and an ESP header is added followed by a new IP header.  The new IP header will have the source and destination IP addresses from the tunnel interfaces.

In Transport mode only the data is encrypted, and the original IP header is places in front of the ESP header.

In short, if the encrypted traffic isn't the endpoint of the tunnel, tunnel mode will be used.


Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode - What's the Difference?

"IPSec’s protocol objective is to provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality.

As outlined in our IPSec protocol article, Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPSec security protocols used to provide these security services. Analysing the ESP and AH protocols is out of this article’s scope, however you can turn to our IPSec article where you’ll find an in-depth analysis and packet diagrams to help make the concept clear.

IPSec can be configured to operate in two different modes, Tunnel and Transport mode. Use of each mode depends on the requirements and implementation of IPSec."

From an earlier discussion on networking-forum:


"Tunnel mode vs. transport mode simply determines how the devices terminating the "tunnel" treat it. For example, if two PCs establish an IPsec connection between each other solely for the purpose of encrypting traffic originating from one PC destined to the other, that would be a transport mode connection. If two routers establish an IPsec connection between each other for the purpose of acting as gateways for their local LAN to access the remote LAN, that would be a tunnel mode connection.


Transport mode IPsec is typically only used between two servers for the purpose of encrypting a data channel just between the two servers. Tunnel mode is much more frequently used, and is always the mode for site-to-site connections between routers." - ibarrere

Answer this