IPsec transport mode: How it works

This article explains what virtual private network (VPN) IPsec transport mode is and how it works, using diagrams, illustrations and easy-to-understand language.

IPsec transport mode is one of two available IPsec modes. IPsec transport mode is mostly used for end-to-end communications, rather than encrypting data between two networks across a VPN. An example of end-to-end communication is a client workstation exchanging data with a public server. The client workstation directs its packet to the public server. The public server receives the packet, processes it and sends a response back to the client workstation.

The diagram below (Figure 1) depicts this scenario:

IPsec transport mode diagram

Figure 1: IPsec transport mode is for end-to-end communication rather than encryption.

It is important to note that the client workstation is only accessing the public Firewall.cx server itself and nothing behind it, such as a local network.

In our example, data is encrypted between the two endpoints (client and server) using IPsec and whichever encryption algorithm has been chosen. Where transport mode differs from IPsec tunnel mode is in how the packet is encrypted.

With IPsec transport mode, IPsec encrypts the entire original IP packet. However, IPsec must make a copy of the original packet's IP header and place it in front of the new IPsec-protected packet so that the packet can still be routed to the server.

This process is shown clearly in the illustration below:

What IPsec transport mode does to IP packets

Figure 2: IPsec transport mode places the IP packet header in front of the new IPsec-protected packet

The downside of this method is that the original IP header is completely exposed. Anyone monitoring this network traffic can read the information contained in the IP header.

The IP header can expose the source and destination IP addresses, plus sensitive information such as the upper-layer protocol in use, like TCP or UDP.

From this example, it is evident that essentially only the "TCP/UDP" and "DATA" sections of the original packet (shown in the IPsec transport mode diagram above) are fully encrypted and not exposed to the public network.
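As an added illustration (not from the original article), the following Python script builds a constructed IPv4/TCP packet, re-frames it in ESP transport mode as RFC 4303 lays it out, and then shows what a passive observer on the path can read: the original IP header with its protocol field rewritten to 50 (ESP), the SPI and sequence number, and an opaque block where the TCP header and data used to be. The cipher is a toy XOR stand-in for the negotiated algorithm, and the addresses, ports, SPI and key are all constructed values.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTOCOL = 50  # IP protocol number for ESP (RFC 4303)

def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def xor_cipher(data, key):
    """Toy stand-in for the negotiated cipher (constructed; not real encryption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def to_transport_mode(ip_packet, spi, seq, key):
    """Re-frame a plain IPv4 packet as ESP transport mode:
    original IP header (protocol field -> 50) | ESP header | encrypted(L4 header + data + ESP trailer)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    hdr, payload = ip_packet[:ihl], ip_packet[ihl:]
    orig_proto = hdr[9]
    # ESP trailer: padding to a 4-byte boundary, pad length, next header (the original L4 protocol)
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, orig_proto])
    esp_header = struct.pack("!II", spi, seq)
    encrypted = xor_cipher(payload + trailer, key)
    new_hdr = bytearray(hdr)
    new_hdr[9] = ESP_PROTOCOL
    struct.pack_into("!H", new_hdr, 2, ihl + len(esp_header) + len(encrypted))
    return bytes(new_hdr) + esp_header + encrypted

def observer_view(packet):
    """What a passive sniffer on the path can read without the key."""
    ihl = (packet[0] & 0x0F) * 4
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {"src": str(IPv4Address(packet[12:16])), "dst": str(IPv4Address(packet[16:20])),
            "ip_proto": packet[9], "spi": spi, "seq": seq, "opaque_bytes": len(packet) - ihl - 8}

# Constructed sample: a TCP SYN from the client (port 51000) to the server (port 443) with some data
TCP_HEADER = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
DATA = b"GET / HTTP/1.1\r\n"
ORIGINAL = build_ipv4_header("192.0.2.10", "198.51.100.20", 6, len(TCP_HEADER) + len(DATA)) + TCP_HEADER + DATA
KEY = b"\x5a\xa5\x3c\xc3"  # constructed toy key

if __name__ == "__main__":
    protected = to_transport_mode(ORIGINAL, spi=0x1000, seq=1, key=KEY)
    print(observer_view(protected))  # IPs, SPI and sequence visible; ports and data are not
```

Note that the observer sees protocol 50 in the outer header rather than TCP directly; the original next-header value travels inside the encrypted ESP trailer.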

Continue reading this article to learn how to implement IPsec to protect your VPN data.

This was first published in June 2012
