Search

IPsec VPN Modes - Tunnel Mode and Transport Mode

IPSec can be used to create VPN Tunnels to end-to-end IP Traffic (also called as IPSec Transport mode) or site-to-site IPSec Tunnels (between two VPN Gateways, also known as IPSec Tunnel mode).

IPSec Tunnel mode: In IPSec Tunnel mode, the original IP packet (IP header and the Data payload) is encapsulated within another packet. In IPSec tunnel mode the original IP Datagram from is encapsulated with an AH (provides no confidentiality by encryption) or ESP (provides encryption) header and an additional IP header. The IP addresses of the newly added outer IP header are that of the VPN Gateways. The traffic between the two VPN Gateways appears to be from the two gateways (in a new IP datagram), with the original IP datagram is encrypted (in case of ESP) inside IPSec packet.

IPSec Tunnel mode is most widely used to create site-to-site IPSec VPN.

IPSec Tunnel Mode

 

IPSec Tunnel mode encapsulation

IPSec Transport mode: In IPSec Transport mode, only the Data Payload of the IP datagram is secured by IPSec. IP Header is the original IP Header and IPSec inserts its header between the IP header and the upper level headers.

IPSec Transport mode can be used when encrypting traffic between two hosts or between a host and a VPN gateway.

IPSec Transport Mode

IPSec transport mode encapsulation

Note: The data is Encrypted and Authenticated if Encapsulating Security Payload (ESP) is used, or just authenticated if Authentication Header (AH) used.

Related Tutorials