Tutorial

IPsec transport mode: How it works

IPsec transport mode is one of two available IPsec modes. IPsec transport mode is mostly used for end-to-end communications, rather than encrypting data between two networks across a VPN. An example of end-to-end communication is a client workstation exchanging data with a public server. The client workstation directs its packet to the public server. The public server receives the packet, processes it and sends a response back to the client workstation.

The diagram below (Figure 1) depicts this scenario:

Figure 1: IPsec transport mode is for end-to-end communication rather than encryption.

It is important to note that the client workstation is only accessing the public Firewall.cx server and nothing behind it, like a local network.

In our example, data is encrypted between the two endpoints (client and server) using IPsec and whichever other encryption algorithm is chosen. But it differs from IPsec tunnel mode in the way it is encrypted.

With IPsec transport mode, IPsec encrypts the entire original IP packet. However, IPsec must make a copy of the original packet's IP header and place it in front of the new IPsec-protected packet so that the packet can still be routed to the server.

This process is shown clearly in the illustration below:

Figure 2: IPsec transport mode places the IP packet header in front of the new IPsec-protected packet

The downside of this method is that the original IP header is fully exposed. Anyone who happens to be monitoring this network traffic can read the information contained within the IP header.

The IP header information can expose the source and destination IP addresses, along with other sensitive information such as the upper-layer protocol (TCP or UDP).

From this example, it is evident that essentially only the "TCP/UDP" and "DATA" sections of the original packet (shown in the IPsec transport mode diagram above) are fully encrypted and not exposed to the public network.
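The framing just described, as an added example that is not part of the original article: a constructed TCP/IP packet is put through transport-mode ESP layout (cleartext IP header, ESP header, encrypted TCP/UDP + DATA + trailer) and then read back by an on-path observer who has no key. A SHA-256 counter keystream stands in for the real ESP cipher, the packet and key are constructed, and the example goes one step beyond the text by using the ESP-specific layout from RFC 4303, where the outer header's protocol field becomes 50 (ESP) and the original protocol number moves into the encrypted trailer.

```python
import hashlib
import struct

ESP_PROTO = 50  # IP protocol number carried by the outer header once ESP is applied (RFC 4303)

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (0 if the header is valid)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options) followed by its payload."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def toy_keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream XOR); real ESP uses a negotiated cipher such as AES-GCM."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("!IIH", spi, seq, off)).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def esp_transport_encapsulate(packet: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: original IP header stays in the clear, ESP header follows it,
    and only TCP/UDP + DATA (plus the ESP trailer) are encrypted."""
    ip_hdr, upper = packet[:20], packet[20:]
    pad_len = (-(len(upper) + 2)) % 4          # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, ip_hdr[9]])  # pad, pad len, next header
    encrypted = toy_keystream_xor(key, spi, seq, upper + trailer)
    new_hdr = bytearray(ip_hdr)
    new_hdr[9] = ESP_PROTO                     # outer header now says "ESP"; the original
    struct.pack_into("!H", new_hdr, 2, 28 + len(encrypted))  # protocol number is hidden in the trailer
    struct.pack_into("!H", new_hdr, 10, 0)
    struct.pack_into("!H", new_hdr, 10, ipv4_checksum(bytes(new_hdr)))
    return bytes(new_hdr) + struct.pack("!II", spi, seq) + encrypted

def esp_transport_decapsulate(packet: bytes, key: bytes) -> tuple:
    """Receiver side: returns (original protocol number, TCP/UDP + DATA)."""
    spi, seq = struct.unpack("!II", packet[20:28])
    plain = toy_keystream_xor(key, spi, seq, packet[28:])
    return plain[-1], plain[:-(plain[-2] + 2)]

def passive_observer_view(packet: bytes) -> dict:
    """What an on-path sniffer without the key can read: the cleartext IP header."""
    src, dst = (".".join(str(b) for b in packet[i:i + 4]) for i in (12, 16))
    return {"src": src, "dst": dst, "proto": packet[9]}
```

Running the observer against the encapsulated packet shows exactly what the article warns about: both endpoint addresses are readable by anyone on the path, while the TCP header and application data are not.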

Continue reading this article to learn how to implement IPsec to protect your VPN data.

This was first published in June 2012
