IPsec Tunnel vs Transport Mode

IP Security (IPsec) is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices also known as IPsec peers. IPsec has two modes of operation:

Tunnel mode: The entire original IP packet is protected (encrypted, authenticated, or both) in tunnel mode. The packet is then encapsulated by the IPsec headers and trailers. Finally a new IP header is prefixed to the packet, specifying the IPsec endpoints as the source and destination. Tunnel mode is the more common IPsec mode that can be used with any IP traffic. If IPsec is required to protect traffic from hosts behind the IPsec peers, tunnel mode must be used. Virtual private networks (VPNs) make use of tunnel mode where hosts on one protected network send packets to hosts on a different protected network via a pair of IPsec peers such as Cisco routers. In this scenario, the IPsec peers tunnel the protected traffic between the peers while the hosts on the protected networks are the actual session endpoints. Tunnel Mode is configured under a “Transform Set” as we will see below.

Transport mode: Only the payload or data of the original IP packet is protected (encrypted, authenticated, or both) in transport mode. The protected payload is then encapsulated by the IPsec headers and trailers while the original IP header remains intact and is not protected by IPsec. Transport mode is used only when the IP traffic to be protected has IPsec peers as both the source and destination. For example, you could use the transport mode to protect router management traffic. Transport Mode is configured under a “Transform Set” as we will see below.

Figure 1 Configuring IPsec Tunnel vs Transport

ipsec tunnel vs transport

Please refer to the topology where two Cisco routers R1 and R2 are configured to send protected traffic across an IPsec tunnel. The two routers are connected over a Frame Relay connection the configuration of which is not included in this tutorial. Each router also has a FastEthernet interface where end systems reside. The traffic sent and received by those end systems will be encrypted when flowing across the IPsec tunnel. This essentially is IPsec in tunnel mode as we defined earlier in the tutorial.

We start our IPsec configuration with Internet Security Association and Key Management Protocol (ISAKMP), which is a framework for authentication and key exchange. Cisco uses a derivative of ISAKMP known as Internet Key Exchange (IKE). IKE is used to establish a shared security policy and authenticated keys for IPsec to use.

Let’s create policy 1 first, specifying that we’ll use MD5 to hash the IKE exchange, DES to encrypt IKE, and pre-shared key for authentication.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#crypto isakmp key MyKey address

Next, we create an IPsec “Transform Set” that we call MySet. We specify Authentication Header (AH) as the authentication protocol and Encapsulating Security Payload (ESP) as the encryption protocol for IPsec. We can also use the mode command in crypto transform configuration mode to set the mode for the VPN to be either tunnel (default) or transport (“transport” setting is used only when the traffic to be protected has the same IP addresses as the IPsec peers).

R1(config)#crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
R1(cfg-crypto-trans)#mode tunnel

In our example above, we configure the VPN to work in “tunnel” mode. If we wanted to have “transport mode”, the command would be:

R1(cfg-crypto-trans)#mode transport


We now proceed to create a crypto map called MyMap with sequence number 1. A crypto map can have multiple entries with different sequence numbers but we’ll use just one entry. The ipsec-isakmp argument instructs the router that this map is an IPsec map. We also tell the router about its peer once again and also set the security-association lifetime. We also refer to the access list 101 which will be used to match interesting traffic that has to be protected by IPsec.

R1(cfg-crypto-trans)#crypto map MyMap 1 ipsec-isakmp
R1(config-crypto-map)#set peer
R1(config-crypto-map)#set security-association lifetime seconds 190
R1(config-crypto-map)#set transform-set MySet
R1(config-crypto-map)#match address 101

Now we apply our crypto map to the interface that will be sending the encrypted traffic. The interface is a Frame Relay sub-interface that connects to our IPsec peer at the other end. Our address is while our peer is

R1(config-crypto-map)#interface Serial0/0.12 point-to-point
R1(config-if)#crypto map MyMap

And finally we define access list 101 that specifies which traffic will be protected by IPsec.

R1(config)#access-list 101 permit ip

This concludes our IPsec configuration on R1. Let’s now move to R2 and apply IPsec configuration to it just the way we applied to R1.

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share


R2(config-isakmp)#crypto isakmp key MyKey address


R2(config)#crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
R2(cfg-crypto-trans)#mode tunnel


R2(cfg-crypto-trans)#crypto map MyMap 1 ipsec-isakmp
R2(config-crypto-map)#set peer
R2(config-crypto-map)#set security-association lifetime seconds 190
R2(config-crypto-map)#set transform-set MySet
R2(config-crypto-map)#match address 101


R2(config-crypto-map)#interface Serial0/0.21 point-to-point
R2(config-fr-dlci)#crypto map MyMap


R2(config-subif)#router ospf 100
R2(config-router)#network area 0


R2(config-router)#access-list 101 permit ip


This finalizes our basic IPsec configuration in tunnel mode for both R1 and R2.

Let’s now verify if the configuration works as expected. A variety of Cisco IOS show commands are available to confirm that security associations (SAs) are live and interesting traffic is indeed being encrypted.

The show crypto session command verifies that the IKE session is active and R1 is indeed talking to its peer via UDP port 500, the port for IKE.

R1#show crypto session
Crypto session current status
Interface: Serial0/0.12
Session status: UP-ACTIVE
Peer: port 500
IKE SA: local remote Active
IPSEC FLOW: permit ip
Active SAs: 4, origin: crypto map

The show crypto map command verifies our IPsec status.

R1#show crypto map
Crypto Map “MyMap” 1 ipsec-isakmp
Peer =
Extended IP access list 101
access-list 101 permit ip
Current peer:
Security association lifetime: 4608000 kilobytes/190 seconds
PFS (Y/N): N
Transform sets={

Interfaces using crypto map MyMap:


The show crypto ipsec transform-set command verifies our IPsec status and shows that we are indeed using tunnel mode as opposed to transport mode.

R1#show crypto ipsec transform-set
Transform set MySet: { ah-sha-hmac  }
will negotiate = { Tunnel,  },
{ esp-256-aes  }
will negotiate = { Tunnel,  },

The same show commands can be used on R2 to obtain similar results.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>