IPsec Tunnel vs Transport Mode
IP Security (IPsec) is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPsec provides security for the transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices, also known as IPsec peers. IPsec has two modes of operation:

Tunnel mode: The entire original IP packet is protected (encrypted, authenticated, or both) in tunnel mode. The packet is then encapsulated by the IPsec headers and trailers. Finally, a new IP header is prefixed to the packet, specifying the IPsec endpoints as the source and destination. Tunnel mode is the more common IPsec mode and can be used with any IP traffic. If IPsec is required to protect traffic from hosts behind the IPsec peers, tunnel mode must be used. Virtual private networks (VPNs) make use of tunnel mode, where hosts on one protected network send packets to hosts on a different protected network via a pair of IPsec peers such as Cisco routers. In this scenario, the IPsec peers tunnel the protected traffic between the peers while the hosts on the protected networks are the actual session endpoints. Tunnel mode is configured under a "Transform Set", as we will see below.

Transport mode: Only the payload or data of the original IP packet is protected (encrypted, authenticated, or both) in transport mode. The protected payload is then encapsulated by the IPsec headers and trailers while the original IP header remains intact and is not protected by IPsec. Transport mode is used only when the IP traffic to be protected has the IPsec peers as both the source and the destination. For example, you could use transport mode to protect router management traffic. Transport mode is configured under a "Transform Set", as we will see below.

Figure 1: Configuring IPsec Tunnel vs Transport
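To make the two encapsulations concrete, here is an added example (not from the original slides) that wraps the same original IPv4 packet in ESP tunnel mode and in ESP transport mode, then reports which bytes fall inside the protected region and which addresses stay readable on the wire. The addresses, SPI and payload are constructed sample values, and the cipher and ICV are left out so the layout itself stays inspectable.

```python
# Added example: byte-level model of ESP tunnel vs transport encapsulation.
# Sample addresses/payload are constructed; encryption and ICV are omitted on purpose.
import struct

ESP_PROTO = 50    # IANA protocol number carried in the outer IP header for ESP
IPIP_PROTO = 4    # ESP next-header value meaning "an IPv4 packet follows" (tunnel mode)

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header without options; checksum left as zero."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, s, d)

def esp_encapsulate(orig, mode, peer_src, peer_dst, spi=0x1000, seq=1):
    """Wrap one original IPv4 packet in ESP. Returns (wire_packet, protected_slice);
    protected_slice bounds the bytes a real SA would encrypt (inner data + trailer)."""
    if mode == "tunnel":
        inner, next_hdr = orig, IPIP_PROTO        # whole original packet, IP header included
    elif mode == "transport":
        inner, next_hdr = orig[20:], orig[9]      # payload only; next header = original protocol
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    pad_len = (-(len(inner) + 2)) % 4             # pad so pad_len/next_hdr end on a 4-byte boundary
    body = struct.pack("!II", spi, seq) + inner + bytes(pad_len) + bytes([pad_len, next_hdr])
    if mode == "tunnel":
        outer = ipv4_header(peer_src, peer_dst, ESP_PROTO, 20 + len(body))  # new header: the peers
    else:
        outer = bytearray(orig[:20])              # original header stays outside the protection
        outer[9] = ESP_PROTO
        struct.pack_into("!H", outer, 2, 20 + len(body))
        outer = bytes(outer)
    wire = outer + body
    return wire, (28, len(wire))                  # 20-byte IP + 8-byte ESP header stay in clear

def visible_addresses(wire):
    """Source/destination any on-path observer reads from the outer IP header."""
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(wire[12:16]), dotted(wire[16:20])

def clear_text_contains(wire, protected, needle):
    """True if needle appears outside the protected slice, i.e. it is exposed on the wire."""
    return needle in wire[:protected[0]] or needle in wire[protected[1]:]

# Constructed sample: host 192.168.1.10 sends TCP to 192.168.2.10 via peers 10.0.12.1 -> 10.0.12.2
ORIG = ipv4_header("192.168.1.10", "192.168.2.10", 6, 32) + b"tcp-payload!"
TUNNEL, TUNNEL_PROT = esp_encapsulate(ORIG, "tunnel", "10.0.12.1", "10.0.12.2")
TRANSPORT, TRANSPORT_PROT = esp_encapsulate(ORIG, "transport", "10.0.12.1", "10.0.12.2")
```

In tunnel mode the inner host addresses exist only inside the protected slice, while in transport mode they are the outer header and remain readable to anyone on the path.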
Please refer to the topology, where two Cisco routers R1 and R2 are configured to send protected traffic across an IPsec tunnel. The two routers are connected over a Frame Relay connection, the configuration of which is not included in this tutorial. Each router also has a FastEthernet interface where end systems reside. The traffic sent and received by those end systems will be encrypted when flowing across the IPsec tunnel. This is IPsec in tunnel mode as we defined it earlier in the tutorial.

We start our IPsec configuration with the Internet Security Association and Key Management Protocol (ISAKMP), which is a framework for authentication and key exchange. Cisco uses a derivative of ISAKMP known as Internet Key Exchange (IKE). IKE is used to establish a shared security policy and authenticated keys for IPsec to use.

Let's create policy 1 first, specifying that we'll use MD5 to hash the IKE exchange, DES to encrypt IKE, and a pre-shared key for authentication.

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#crypto isakmp key MyKey address

Next, we create an IPsec "Transform Set" that we call MySet. We specify Authentication Header (AH) as the authentication protocol and Encapsulating Security Payload (ESP) as the encryption protocol for IPsec. We can also use the mode command in crypto transform configuration mode to set the mode for the VPN to either tunnel (the default) or transport (the "transport" setting is used only when the traffic to be protected has the same IP addresses as the IPsec peers).

R1(config)#crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#

In our example above, we configure the VPN to work in "tunnel" mode. If we wanted "transport" mode, the command would be:
R1(cfg-crypto-trans)#mode transport

We now proceed to create a crypto map called MyMap with sequence number 1. A crypto map can have multiple entries with different sequence numbers, but we'll use just one entry. The ipsec-isakmp argument instructs the router that this map is an IPsec map. We also tell the router about its peer once again and set the security-association lifetime. We also refer to access list 101, which will be used to match the interesting traffic that has to be protected by IPsec.

R1(cfg-crypto-trans)#crypto map MyMap 1 ipsec-isakmp
R1(config-crypto-map)#set peer
R1(config-crypto-map)#set security-association lifetime seconds 190
R1(config-crypto-map)#set transform-set MySet
R1(config-crypto-map)#match address 101

Now we apply our crypto map to the interface that will be sending the encrypted traffic. The interface is a Frame Relay sub-interface that connects to our IPsec peer at the other end. Our address is while our peer is

R1(config)#interface Serial0/0.12 point-to-point
R1(config-if)#crypto map MyMap
R1(config-if)#exit
R1(config)#

And finally we define access list 101, which specifies which traffic will be protected by IPsec.

R1(config)#access-list 101 permit ip

This concludes our IPsec configuration on R1. Let's now move to R2 and apply the IPsec configuration to it just the way we applied it to R1.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#crypto isakmp key MyKey address
R2(config)#crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#crypto map MyMap 1 ipsec-isakmp
R2(config-crypto-map)#set peer
R2(config-crypto-map)#set security-association lifetime seconds 190
R2(config-crypto-map)#set transform-set MySet
R2(config-crypto-map)#match address 101
R2(config-crypto-map)#interface Serial0/0.21 point-to-point
R2(config-fr-dlci)#crypto map MyMap
R2(config-subif)#router ospf 100
R2(config-router)#network area 0
R2(config-router)#access-list 101 permit ip

This finalizes our basic IPsec configuration in tunnel mode for both R1 and R2. Let's now verify that the configuration works as expected. A variety of Cisco IOS show commands are available to confirm that security associations (SAs) are live and that interesting traffic is indeed being encrypted.

The show crypto session command verifies that the IKE session is active and that R1 is indeed talking to its peer via UDP port 500, the port for IKE.

R1#show crypto session
Crypto session current status
Interface: Serial0/0.12
Session status: UP-ACTIVE
Peer: port 500
IKE SA: local remote Active
IPSEC FLOW: permit ip
SAs: 4, origin: crypto map
The show crypto map command verifies our IPsec status.

R1#show crypto map
Crypto Map "MyMap" 1 ipsec-isakmp
Peer =
IP access list 101
access-list 101 permit ip
peer:
association lifetime: 4608000 kilobytes/190 seconds
PFS (Y/N): N
Transform sets={MySet,}
Interfaces using crypto map MyMap:
Serial0/0.12

The show crypto ipsec transform-set command verifies our IPsec status and shows that we are indeed using tunnel mode as opposed to transport mode.

R1#show crypto ipsec transform-set
Transform set MySet: { ah-sha-hmac }
will negotiate = { Tunnel, },
{ esp-256-aes }
will negotiate = { Tunnel, },

The same show commands can be used on R2 to obtain similar results.
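As an added configuration check (example code, not from the slides or from Cisco), the following lint ties each crypto map entry to its transform set and access list and flags the mistake the tutorial warns against: a transport-mode transform set matched against traffic whose endpoints are not the IPsec peers themselves. The configuration text and all addresses are constructed sample values modelled on R1's configuration above; the parser understands only the command forms used on this page.

```python
# Added example: lint IOS crypto-map entries for the tunnel/transport rule. Sample config below
# is constructed; the hypothetical lint_crypto_config is not an IOS feature.
import re

def lint_crypto_config(text, local_addr):
    """Return [("OK"|"FAIL", message), ...], one per crypto map entry (per ACL line in transport)."""
    ts_mode, maps, acls, cur_ts, cur_map = {}, {}, {}, None, None
    for raw in text.splitlines():
        line = re.sub(r"host (\S+)", r"\1 0.0.0.0", raw.strip())   # treat 'host X' as X 0.0.0.0
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            cur_ts, cur_map = m.group(1), None
            ts_mode[cur_ts] = "tunnel"          # IOS default when no 'mode' command follows
        elif m := re.match(r"mode (tunnel|transport)$", line):
            ts_mode[cur_ts] = m.group(1)
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur_map, cur_ts = (m.group(1), int(m.group(2))), None
            maps[cur_map] = {}
        elif m := re.match(r"set (peer|transform-set) (\S+)", line):
            maps[cur_map][m.group(1)] = m.group(2)
        elif m := re.match(r"match address (\d+)", line):
            maps[cur_map]["acl"] = m.group(1)
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    findings = []
    for (name, seq), e in maps.items():
        tag, mode = f"crypto map {name} {seq}", ts_mode.get(e.get("transform-set"), "undefined")
        if mode != "transport":
            findings.append(("OK" if mode == "tunnel" else "FAIL", f"{tag}: {mode} transform set"))
            continue
        for src, swc, dst, dwc in acls.get(e.get("acl"), []):   # transport: endpoints must be the peers
            ok = swc == dwc == "0.0.0.0" and src == local_addr and dst == e.get("peer")
            findings.append(("OK" if ok else "FAIL", f"{tag}: transport mode for {src}/{swc} -> {dst}/{dwc}"))
    return findings

# Constructed sample: entry 1 mirrors the slides' tunnel setup; entry 2 is transport mode
# matched against one LAN-to-LAN ACL line (wrong) and one peer-to-peer line (acceptable).
SAMPLE_CONFIG = """\
crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
crypto ipsec transform-set MgmtSet esp-aes 256 esp-sha-hmac
 mode transport
crypto map MyMap 1 ipsec-isakmp
 set peer 10.0.12.2
 set transform-set MySet
 match address 101
crypto map MyMap 2 ipsec-isakmp
 set peer 10.0.12.2
 set transform-set MgmtSet
 match address 102
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip host 10.0.12.1 host 10.0.12.2
"""
FINDINGS = lint_crypto_config(SAMPLE_CONFIG, "10.0.12.1")
```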