IPsec transport mode is one of the two available IPsec modes. It is mostly used for end-to-end communication, rather than for encrypting data between two networks across a VPN. An example of end-to-end communication is a client workstation exchanging data with a public server: the client workstation directs its packet to the public server, and the public server receives the packet, processes it and sends a response back to the client workstation.
The diagram below (Figure 1) depicts this scenario:
Figure 1: IPsec transport mode is for end-to-end communication rather than encryption.
It is important to note that the client workstation is only accessing the public Firewall.cx server itself and nothing behind it, such as a local network.
In our example, data is encrypted between the two endpoints (client and server) using IPsec and whichever encryption algorithm is chosen. Transport mode differs from IPsec tunnel mode in the way the packet is encrypted.
With IPsec transport mode, IPsec encrypts the original IP packet's TCP/UDP header and data. However, IPsec must keep a copy of the original packet's IP header and place it, unencrypted, in front of the new IPsec-protected packet so that the packet can still be routed to the server.
This process is shown clearly in the illustration below:
Figure 1: IPsec transport mode places the IP packet header in front of the new IPsec protected packet
The downside of this method is that the original IP header is fully exposed. Any attacker who happens to be monitoring this network traffic can read the information contained within the IP header.
From this example, it is evident that essentially only the “TCP/UDP” and “DATA” sections of the original packet (shown in the IPsec transport mode diagram above) are fully encrypted and not exposed to the public network.
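The packet layout described above, as an added example that is not Firewall.cx's code: a constructed IPv4/TCP packet is wrapped in ESP transport mode, so the original IP header stays in front in the clear while only the TCP header and data are encrypted. The cipher is a stand-in (HMAC-SHA256 run in counter mode, an assumption made so the script needs only Python's standard library, not a real IPsec transform), and the SPI, keys, IV and addresses are constructed sample values.

```python
import hashlib, hmac, struct

ESP_PROTO = 50  # IP protocol number the outer header carries once ESP is applied

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of the header (checksum field must be zero on input)."""
    total = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in cipher (assumption, not a real IPsec transform): HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def esp_transport_encapsulate(pkt, spi, seq, enc_key, auth_key, iv):
    """Transport-mode layout: original IP header in the clear, then ESP (RFC 4303)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, payload = pkt[:ihl], pkt[ihl:]              # payload = TCP/UDP header + DATA
    pad_len = (-(len(payload) + 2)) % 4                 # trailer pads to 4-byte alignment
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, ip_hdr[9]])
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    esp = struct.pack(">II", spi, seq) + iv + ciphertext  # SPI, seq, IV, encrypted payload
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]  # HMAC-SHA256-128 style ICV
    outer = bytearray(ip_hdr)                           # the original header is reused as-is
    outer[9] = ESP_PROTO                                # ...except protocol, length, checksum
    struct.pack_into(">H", outer, 2, ihl + len(esp) + len(icv))
    struct.pack_into(">H", outer, 10, 0)
    struct.pack_into(">H", outer, 10, ipv4_checksum(bytes(outer)))
    return {"clear_ip_header": bytes(outer), "esp_header": esp[:8] + iv,
            "encrypted": ciphertext, "icv": icv}

def build_sample_packet() -> bytes:
    """Constructed sample: IPv4 192.0.2.10 -> 198.51.100.5, TCP 40000 -> 443, HTTP data."""
    tcp = struct.pack(">HHIIBBHHH", 40000, 443, 1000, 0, 0x50, 0x18, 65535, 0, 0)
    data = b"GET / HTTP/1.1\r\n"
    ip = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(data), 0x1234,
                               0x4000, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])))
    struct.pack_into(">H", ip, 10, ipv4_checksum(bytes(ip)))
    return bytes(ip) + tcp + data

def exposed_fields(pkt: bytes) -> dict:
    """What a passive observer on the path still reads after ESP transport mode is applied."""
    out = esp_transport_encapsulate(pkt, spi=0x1000, seq=1, enc_key=b"k" * 32,
                                    auth_key=b"a" * 32, iv=b"\x00" * 8)
    hdr = out["clear_ip_header"]
    return {"src": ".".join(map(str, hdr[12:16])), "dst": ".".join(map(str, hdr[16:20])),
            "protocol": hdr[9], "dst_port_in_clear": b"\x01\xbb" in out["encrypted"],
            "data_in_clear": b"GET /" in out["encrypted"]}
```

Running `exposed_fields(build_sample_packet())` shows the source and destination addresses still readable on the wire, while the destination port and the HTTP request are inside the encrypted region.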
Continue reading this article to learn how to implement IPsec to protect your VPN data.