In tunnel mode, the whole IP datagram including the IP header is encrypted and a new IP header is appended to the packet. But in transport mode the IP header is not included in the encryption and is kept as it is. It is said that tunnel mode provides more secrecy, as the routing information (source and destination addresses) is hidden (encrypted). But my confusion is: what difference does it make when the IPsec gateway (in my case IPsec is enabled at the router) is anyway going to modify the IP header for NAT purposes?
1 Answer
Without IKE NAT Traversal
If you tunnel, it is possible to get through the NAT with an outer header that is modified but dropped during decapsulation. The inner header remains exactly the same as it was when encapsulated and is protected by ESP. This is described in RFC 3715, section 4.1.
If you use transport mode, you want to use the same IP header that NAT has modified. This is not possible while checking integrity, as this is a violation of integrity as defined for AH.
With IKE NAT Traversal
If NAT Traversal is configured, traffic appears on UDP ports (500 or 4500). Traversal manages transport mode's header integrity problem by substituting back the original IPs. Consequently, both modes should seem much the same, but tunnel mode has the size overhead of carrying a real header, and transport mode has more manipulation to reconstruct a header, so more potential for integrity check failures.
As an example, an unusual IP option can be neatly handled in a way that is hidden from the NAT in tunnel mode, while it may cause compatibility issues on the packet being routed.

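The three situations the answer describes, modelled as an added example that is not part of the original answer or of any IPsec implementation: AH in transport mode authenticates the source and destination addresses, so a NAT rewrite fails the integrity check; ESP in transport mode leaves the IP header out of its ICV, so the ICV survives NAT, but the encrypted TCP checksum still binds the original source address and only verifies once the peer substitutes that address back (what NAT-T does with the original address learned via IKE); ESP in tunnel mode carries the inner header inside the protected payload, so NAT only touches the disposable outer header. The key, addresses, payload and the truncated HMAC-SHA256 ICVs are constructed for the demo and are not real SA material.

```python
"""Toy model of AH/ESP transport vs. ESP tunnel mode crossing a NAT.
Packets, key and addresses are constructed for the demo; the ICVs are
truncated HMAC-SHA256 in the spirit of RFC 4302/4303, not a real IPsec stack."""
import hashlib
import hmac
import socket
import struct

KEY = b"demo-sa-integrity-key"             # constructed; real SAs get keys from IKE
INSIDE, NAT_PUBLIC, PEER = "10.0.0.5", "203.0.113.7", "198.51.100.20"  # constructed
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
SEGMENT = b"constructed TCP segment bytes"  # placeholder transport payload


def inet_checksum(data: bytes) -> int:
    """Standard Internet one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def nat_rewrite(hdr: bytes, new_src: str) -> bytes:
    """What a NAT router does to the header it can see: new source, TTL-1, fresh checksum."""
    h = (hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:10] + b"\x00\x00"
         + socket.inet_aton(new_src) + hdr[16:20])
    return h[:10] + struct.pack("!H", inet_checksum(h)) + h[12:]


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH covers the IP header with only the mutable fields zeroed (TOS, flags/fragment
    offset, TTL, header checksum); the addresses are authenticated."""
    immutable = (hdr[:1] + b"\x00" + hdr[2:6] + b"\x00\x00\x00" + hdr[9:10]
                 + b"\x00\x00" + hdr[12:20])
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_payload: bytes) -> bytes:
    """ESP's ICV covers the ESP header and payload only, never the outer IP header."""
    return hmac.new(KEY, esp_payload, hashlib.sha256).digest()[:12]


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum includes a pseudo-header with both addresses, so a NAT normally
    has to patch it; inside ESP it cannot, because the segment is encrypted."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, PROTO_TCP, len(segment)))
    return inet_checksum(pseudo + segment)


def ah_transport_through_nat() -> bool:
    """ICV computed by the inside host vs. what the peer recomputes after NAT."""
    hdr = build_ipv4(INSIDE, PEER, PROTO_AH, len(SEGMENT))
    icv = ah_icv(hdr, SEGMENT)
    received = nat_rewrite(hdr, NAT_PUBLIC) + SEGMENT
    return hmac.compare_digest(icv, ah_icv(received[:20], received[20:]))


def esp_transport_through_nat(nat_t_original_address: bool) -> tuple:
    """Returns (icv_ok, tcp_checksum_ok). With NAT-T the peer learned INSIDE from IKE
    and substitutes it back before verifying the inner TCP checksum."""
    hdr = build_ipv4(INSIDE, PEER, PROTO_ESP, len(SEGMENT))
    sent_sum = tcp_checksum(INSIDE, PEER, SEGMENT)
    icv = esp_icv(SEGMENT)
    received = nat_rewrite(hdr, NAT_PUBLIC) + SEGMENT
    icv_ok = hmac.compare_digest(icv, esp_icv(received[20:]))
    seen_src = INSIDE if nat_t_original_address else socket.inet_ntoa(received[12:16])
    return icv_ok, tcp_checksum(seen_src, PEER, received[20:]) == sent_sum


def esp_tunnel_through_nat() -> tuple:
    """Returns (icv_ok, inner_src_intact, outer_src_rewritten): the inner header rides
    inside the protected payload, so NAT only touches the outer header that is dropped."""
    inner = build_ipv4(INSIDE, PEER, PROTO_TCP, len(SEGMENT)) + SEGMENT
    icv = esp_icv(inner)
    outer = build_ipv4(INSIDE, PEER, PROTO_ESP, len(inner))
    received = nat_rewrite(outer, NAT_PUBLIC) + inner
    decapsulated = received[20:]                      # outer header discarded
    icv_ok = hmac.compare_digest(icv, esp_icv(decapsulated))
    return (icv_ok,
            socket.inet_ntoa(decapsulated[12:16]) == INSIDE,
            socket.inet_ntoa(received[12:16]) == NAT_PUBLIC)


if __name__ == "__main__":
    print("AH transport survives NAT:", ah_transport_through_nat())
    print("ESP transport, no NAT-T (icv_ok, tcp_ok):", esp_transport_through_nat(False))
    print("ESP transport, NAT-T (icv_ok, tcp_ok):", esp_transport_through_nat(True))
    print("ESP tunnel (icv_ok, inner intact, outer rewritten):", esp_tunnel_through_nat())
```

The model deliberately omits the UDP 4500 encapsulation header that real NAT-T adds around ESP; it only changes which outer bytes the NAT rewrites and does not alter the point about which header each mode protects.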