The diagram below (Figure 1) depicts this scenario:
Figure 1: IPsec transport mode is for end-to-end communication rather than encryption.
It is important to note that the client workstation is only accessing the public Firewall.cx server and nothing behind it, such as a local network.
In our example, data is encrypted between the two endpoints (client and server) using IPsec with whichever encryption algorithm is chosen. Transport mode differs from IPsec tunnel mode in the way the packet is encrypted.
With IPsec transport mode, IPsec encrypts the original IP packet. However, IPsec must place a copy of the original packet's IP header in front of the new IPsec-protected packet so that the packet can still be routed to the server.
This process is shown clearly in the illustration below:
Figure 2: IPsec transport mode places the IP packet header in front of the new IPsec-protected packet
The downside of this method is that the original IP header is fully exposed. Anyone monitoring this network traffic can read the information contained within the IP header.
From this example, it is evident that essentially only the "TCP/UDP" and "DATA" sections of the original packet (shown in the IPsec transport mode diagram above) are fully encrypted and not exposed to the public network.
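The following Python snippet is an added example, not code from the original article or from Firewall.cx: it assembles a transport-mode ESP packet in the layout described above (original IP header in front, ESP header, then the protected TCP/UDP and DATA bytes) and then reports what a passive observer can read from it. The source and destination addresses, SPI and sequence number are constructed sample values, and the "ciphertext" is placeholder bytes standing in for the ESP-encrypted payload; no real cipher is run.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTOCOL = 50  # IANA protocol number for ESP; visible in the cleartext IP header


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = ESP_PROTOCOL) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left as 0 for the sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def build_transport_mode_esp(src: str, dst: str, spi: int, seq: int,
                             ciphertext: bytes, icv: bytes) -> bytes:
    """Transport-mode layout: original IP header | ESP header (SPI, seq) |
    encrypted TCP/UDP + DATA | ICV. `ciphertext` is a stand-in for the
    ESP-encrypted transport header and data; no real cipher is applied here."""
    esp = struct.pack("!II", spi, seq) + ciphertext + icv
    return build_ipv4_header(src, dst, len(esp)) + esp


def observer_view(packet: bytes) -> dict:
    """Everything a passive observer on the path can read without the ESP keys."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    ihl = (ver_ihl & 0x0F) * 4
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {
        "src": str(IPv4Address(src)),             # original IP header: fully exposed
        "dst": str(IPv4Address(dst)),
        "protocol": proto,                        # 50 tells the observer this is ESP
        "spi": spi,                               # ESP header is authenticated, not encrypted
        "sequence": seq,
        "opaque_bytes": total_len - ihl - 8,      # encrypted payload + ICV: unreadable
    }


# Constructed sample: a client talking to a server, placeholder ciphertext and ICV.
SAMPLE_PACKET = build_transport_mode_esp(
    "192.0.2.10", "198.51.100.20", spi=0x1000ABCD, seq=7,
    ciphertext=bytes(range(24)), icv=b"\x00" * 12)

if __name__ == "__main__":
    print(observer_view(SAMPLE_PACKET))
```

Swapping the fixed-size ICV or the placeholder ciphertext for real ESP output does not change the point: the first 20 bytes of the packet are the original IP header and stay readable on the wire.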
This was first published in June 2012