Transport Mode

Transport mode is used when both communicating peers are hosts. It may also be applied when one peer is a host and the other is a gateway, if that gateway is acting as a host; for example, a router sending syslog message traffic to a syslog server across the tunnel. For transport mode to work, the peers need routable IP addresses. Transport mode has the advantage of adding less overhead to the original packets.

Transport mode can be configured with either AH or ESP.

  • Authentication Header (AH). The AH protocol protects the external IP header along with the data payload (see Figure 6-1). It protects all the fields in the header that are immutable, that is, the fields that do not change in transit. The AH header is placed between the IP header and ESP, if present, and other higher-layer protocols.

    Figure 6-1. Showing IP Packet in Transport Mode

  • Encapsulating Security Payload (ESP). In transport mode, the IP payload is encrypted and the original headers are left intact. The ESP header is inserted between the IP header and the upper-layer protocol header (see Figure 6-1). The upper-layer protocol data is encrypted, and it is authenticated along with the ESP header. ESP does not authenticate the IP header itself. Figure 6-1 shows an IP packet after applying ESP in transport mode.
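The byte-level difference between the two bullets above, as an added example that is not from the book: AH's ICV covers the immutable IP header fields plus the payload, while ESP's ICV covers only the ESP header, payload and trailer. It assumes HMAC-SHA-256-128 (RFC 4868) for integrity and, so that only the Python standard library is needed, NULL encryption (RFC 2410) in place of a real ESP cipher; the key, SPI and addresses are constructed sample values, and the IPv4 checksum is left at zero.

```python
# Added example: AH and ESP transport-mode framing (HMAC-SHA-256-128 ICV,
# ESP with NULL encryption, RFC 2410). Key/SPI/addresses are constructed.
import hmac, hashlib, socket, struct

KEY = b"constructed-demo-key"          # constructed sample key, not a real SA key
AH, ESP, TCP = 51, 50, 6               # IP protocol numbers
SPI, SEQ = 0x1001, 1                   # constructed SA identifiers

def ipv4(src, dst, proto, payload_len, ttl=64):
    # Minimal 20-byte IPv4 header; header checksum left at zero for brevity.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]   # 128-bit ICV

def ah_immutable(ip_hdr):
    # AH zeroes the mutable fields before hashing: TOS, flags/fragment offset,
    # TTL and header checksum (byte offsets 1, 6-7, 8, 10-11).
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def ah_transport(src, dst, payload, next_hdr=TCP, ttl=64):
    # IP | AH(next, len, rsvd, SPI, seq, ICV) | payload ; ICV covers all of it
    ah_hdr = struct.pack("!BBHII", next_hdr, 5, 0, SPI, SEQ)  # 28 B = 7 words - 2
    ip_hdr = ipv4(src, dst, AH, len(ah_hdr) + 16 + len(payload), ttl)
    tag = icv(ah_immutable(ip_hdr) + ah_hdr + bytes(16) + payload)
    return ip_hdr + ah_hdr + tag + payload

def ah_verify(pkt):
    ip_hdr, ah_hdr, tag, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    expected = icv(ah_immutable(ip_hdr) + ah_hdr + bytes(16) + payload)
    return hmac.compare_digest(tag, expected)

def esp_transport(src, dst, payload, next_hdr=TCP, ttl=64):
    # IP | ESP(SPI, seq) | payload | pad | pad len | next | ICV ; IP header NOT covered
    pad = (-(len(payload) + 2)) % 4                    # trailer 4-byte aligned
    body = payload + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    esp_hdr = struct.pack("!II", SPI, SEQ)
    ip_hdr = ipv4(src, dst, ESP, len(esp_hdr) + len(body) + 16, ttl)
    return ip_hdr + esp_hdr + body + icv(esp_hdr + body)

def esp_verify(pkt):
    return hmac.compare_digest(pkt[-16:], icv(pkt[20:-16]))

def mutate(pkt, offset, value):
    p = bytearray(pkt); p[offset] = value; return bytes(p)
```

Changing the TTL of the AH packet still verifies (mutable field), changing its source address does not; for the ESP packet the source address can be changed without failing the ICV, but a payload byte cannot.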