Configure IPSec transport mode for encrypting host-to-host communications
Although IPSec uses tunnel mode by default, you can now configure IPSec tunnels to
use transport mode when encrypting host-to-host communications. Transport mode
encrypts only the payload while retaining the original IP header. You can use
transport mode to encrypt management traffic with the most secure protocols, for example:

DH group 20 for the Diffie-Hellman (DH) group and perfect forward secrecy (PFS).
Only AES with 256-bit keys in GCM mode (AES-256-GCM).
Certain protocols do not provide payload encryption when exchanging information with a peer.
Some protocols use MD5 authentication between peers, which is no longer adequate
for communication exposed to a public internetwork. By using IPSec, you can protect
the content of management plane protocols. The default IPSec setting is tunnel
mode, which uses both encryption and authentication to protect a complete site. In
some cases this is not sufficient to protect management protocol peers, because the
cipher suite used for the site tunnel is chosen independently of what those peers
require. Even within a single domain, management plane data may have to be
confidential. In such cases, IPSec in transport mode enables you to encrypt the
management traffic with the most secure protocols.
In transport mode, the data within the original IP packet is protected, but not the
IP header. Transport mode sends encrypted traffic directly between two hosts that
have previously established a secure IPSec tunnel. Use transport mode only when the
IPSec endpoints are also the communication endpoints: the host that generates a
packet is the one that protects it, and the host that receives the packet is the one
that verifies and decrypts it. Because transport mode does not create a new IP
header, it is less complex and adds less overhead per packet.
While configuring an IPSec tunnel, you can now select the mode used to establish
the secure connection. That is, you can select whether packets are encrypted and
authenticated in transport mode or in tunnel mode.
Differences between Tunnel and Transport Mode

Tunnel mode: Encrypts the entire packet, including the IP header. A new IP header is
added to the packet after encryption.
Transport mode: Encrypts only the payload, while the original IP header is retained.

Tunnel mode: Tunnel monitoring uses the tunnel interface IP address.
Transport mode: Tunnel monitoring automatically uses the IP address of the physical
interface (the gateway interface IP address); the tunnel interface IP address is ignored.

Tunnel mode: Supports double encapsulation.
Transport mode: No support for double encapsulation.

Tunnel mode: Commonly used for site-to-site communications.
Transport mode: Commonly used for host-to-host communications.
Important points to remember before enabling transport mode:

You can't select transport mode when NAT-T is enabled.
You can't configure an IKE gateway on a loopback interface to an IPSec tunnel with transport mode.
IPSec transport mode does not use proxy ID settings for negotiation. Hence, you
cannot configure a proxy ID in transport mode. If you attempt to configure a proxy
ID by any other method, it is replaced with 0.0.0.0/0 automatically.
You can use transport mode only with an
If you configure an IKE gateway without an IPSec tunnel, by default
IKE negotiates a tunnel mode child security association (SA).
In IPSec transport mode without GRE encapsulation, don't route user traffic through the
associated tunnel interface. Configure the control protocols (for example, BGP peering
sessions) on a physical interface (for example, ethernet1/1) instead of a tunnel
interface. While IPSec tunnel mode for BGP routes works with the tunnel
interface, IPSec transport mode for BGP routes works with the physical interface.
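To make the tunnel/transport difference and the NAT-T restriction above concrete, here is an added example (it is not Palo Alto Networks code and not a PAN-OS feature). It builds the on-the-wire layout of an ESP packet in both modes for a constructed IPv4/UDP packet, shows which addresses remain readable on the path, and demonstrates one reason transport mode and NAT interact badly: a NAT that rewrites the outer source address invalidates the UDP checksum carried inside the transport mode payload, because that checksum was computed over the original addresses, whereas in tunnel mode the inner packet is untouched (RFC 3948 describes the checksum fix-up that transport mode through a NAT would need). The cipher is a placeholder: the payload bytes are carried unencrypted as the "protected region" and the ICV is omitted, so the script runs on the standard library alone. All addresses, SPIs, ports and the payload are made up.

```python
"""Added example, not Palo Alto Networks code: ESP transport vs tunnel mode layout.
Placeholder crypto: the 'protected region' is not actually encrypted and no ICV is
appended. Addresses, SPIs, ports and payload below are constructed for the example."""
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP = 4, 17, 50
HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"        # transport mode peers (constructed)
GW_A, GW_B = "198.51.100.1", "198.51.100.2"      # tunnel mode gateways (constructed)
NAT_IP = "203.0.113.5"                           # source NAT on the path (constructed)

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when verifying an intact block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def pseudo_header(src, dst, udp_len):
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)

def udp_segment(src, dst, sport, dport, data):
    """The UDP checksum covers the pseudo-header, so the IP addresses are bound into it."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(data), 0)
    csum = checksum(pseudo_header(src, dst, 8 + len(data)) + hdr + data) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + data

def udp_checksum_ok(src, dst, udp):
    return checksum(pseudo_header(src, dst, len(udp)) + udp) == 0

def esp_encapsulate(spi, seq, plaintext, next_header):
    """ESP header plus protected region: payload, padding, pad length, Next Header."""
    pad_len = (-(len(plaintext) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq), plaintext + trailer

def transport_mode(src, dst, udp, spi=0x1001, seq=1):
    """Original header kept, protocol field becomes ESP (50); only the UDP segment is protected."""
    esp_hdr, protected = esp_encapsulate(spi, seq, udp, IPPROTO_UDP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(protected)) + esp_hdr + protected

def tunnel_mode(gw_src, gw_dst, inner_packet, spi=0x2002, seq=1):
    """Whole inner IP packet protected; a new outer header carries the gateway addresses."""
    esp_hdr, protected = esp_encapsulate(spi, seq, inner_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp_hdr) + len(protected)) + esp_hdr + protected

def wire_view(packet):
    """Fields anyone on the path can read without the SA keys: outer IP header and SPI."""
    return {"src": ip_str(packet[12:16]), "dst": ip_str(packet[16:20]),
            "proto": packet[9], "spi": struct.unpack("!I", packet[20:24])[0]}

def mode_from_next_header(next_header):
    # After decryption the trailer's Next Header reveals the mode: IP-in-IP (4 or 41) is tunnel.
    return "tunnel" if next_header in (4, 41) else "transport"

def nat_rewrite_src(packet, new_src):
    """A source NAT rewrites the outer source address and fixes only the IP header checksum."""
    hdr = packet[:10] + b"\x00\x00" + ip_bytes(new_src) + packet[16:20]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + packet[20:]

def esp_decapsulate(packet):
    protected = packet[28:]                      # after the 20-byte IP and 8-byte ESP headers
    pad_len, next_header = protected[-2], protected[-1]
    return next_header, protected[:len(protected) - 2 - pad_len]

def receiver_accepts(packet):
    """Receiving host decapsulates and verifies the UDP checksum of what it recovered."""
    outer, (next_header, plain) = wire_view(packet), esp_decapsulate(packet)
    if mode_from_next_header(next_header) == "tunnel":
        return udp_checksum_ok(ip_str(plain[12:16]), ip_str(plain[16:20]), plain[20:])
    return udp_checksum_ok(outer["src"], outer["dst"], plain)  # addresses come from the outer header

def demo():
    udp = udp_segment(HOST_A, HOST_B, 49152, 514, b"syslog: constructed payload")
    transport = transport_mode(HOST_A, HOST_B, udp)
    tunnel = tunnel_mode(GW_A, GW_B, ipv4_header(HOST_A, HOST_B, IPPROTO_UDP, len(udp)) + udp)
    return {
        "transport_wire": wire_view(transport),  # host addresses stay visible on the path
        "tunnel_wire": wire_view(tunnel),        # only the gateway addresses are visible
        "transport_ok": receiver_accepts(transport),
        "tunnel_ok": receiver_accepts(tunnel),
        "transport_after_nat": receiver_accepts(nat_rewrite_src(transport, NAT_IP)),
        "tunnel_after_nat": receiver_accepts(nat_rewrite_src(tunnel, NAT_IP)),
    }
```

Running `demo()` shows both packets being accepted when delivered unchanged, the transport mode packet being rejected after the NAT rewrite, and the tunnel mode packet still being accepted; `wire_view` also makes visible that transport mode exposes the real host addresses and a per-host SPI, which is the information a proxy ID would otherwise carry and why the page says transport mode negotiates without one.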