[Figure: Transport Mode Versus Tunnel Mode IPsec. Original Packet: IP | TCP | Data. Transport Mode ESP: IP | ESP | TCP | Data | ESP, with the TCP header and Data encrypted. Tunnel Mode ESP: IP | ESP | IP | TCP | Data | ESP, with the inner IP header, TCP header and Data encrypted.]
Tunnel mode ESP can cause problems when used with Network Address Translation (NAT). The original TCP or UDP header is encrypted and hidden inside the ESP payload, so a NAT device that translates on Layer 4 port numbers has no ports to use. NAT Traversal (NAT-T) detects the existence of a NAT device along the path and adds a UDP header after the tunnel IP header, in front of the ESP header. NAT can then use the port number in that UDP header.
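As an added example (not part of the original slide), the following Python builds a tunnel-mode ESP packet around a constructed placeholder for the encrypted inner IP/TCP/Data, shows that a port-based NAT finds no Layer 4 ports in it, and then applies the NAT-T UDP encapsulation described above by inserting a UDP header after the tunnel IP header. The addresses, SPI, function names and the use of UDP port 4500 (RFC 3948) are assumptions, not taken from the page.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500  # UDP port used for ESP-in-UDP by NAT-T (assumption: RFC 3948)

# Constructed stand-in for the encrypted inner IP | TCP | Data plus ESP trailer.
CONSTRUCTED_CIPHERTEXT = bytes(range(48))

def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 when a header's checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def esp_tunnel_packet(outer_src, outer_dst, spi, seq, encrypted_inner: bytes) -> bytes:
    """Tunnel-mode layout: outer IP | ESP header (SPI, seq) | encrypted inner packet."""
    esp = struct.pack("!II", spi, seq) + encrypted_inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp

def nat_visible_ports(pkt: bytes):
    """What a port-based NAT can see: (proto, sport, dport), or None if no L4 ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return proto, sport, dport
    return None  # ESP: the TCP/UDP header is inside the encrypted payload

def natt_encapsulate(pkt: bytes) -> bytes:
    """NAT-T: insert a UDP header between the tunnel IP header and the ESP header."""
    ihl = (pkt[0] & 0x0F) * 4
    assert pkt[9] == IPPROTO_ESP, "only raw ESP packets are encapsulated"
    esp = pkt[ihl:]
    # UDP checksum 0 = none; RFC 3948 lets the receiver skip it since ESP integrity covers the data.
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp

if __name__ == "__main__":
    raw = esp_tunnel_packet("10.0.0.2", "203.0.113.1", 0x1234, 1, CONSTRUCTED_CIPHERTEXT)
    print("raw ESP, NAT sees:", nat_visible_ports(raw))            # None
    print("NAT-T ESP, NAT sees:", nat_visible_ports(natt_encapsulate(raw)))  # (17, 4500, 4500)
```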