Ipsec Transport And Tunnel Modes - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

L2TP Overview

IPSec Transport and Tunnel Modes

By default, the security appliance uses IPSec tunnel mode—the entire original IP datagram is encrypted,
and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to
act as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The source router
encrypts packets and forwards them along the IPSec tunnel. The destination router decrypts the original
IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that
the end systems do not need to be modified to receive the benefits of IPSec. Tunnel mode also protects
against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not
the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
However, the Windows 2000 L2TP/IPSec client uses IPSec transport mode—only the IP payload is
encrypted, and the original IP headers are left intact. This mode has the advantages of adding only a few
bytes to each packet and allowing devices on the public network to see the final source and destination
of the packet.
Therefore, in order for Windows 2000 L2TP/IPSec clients to connect to the security appliance, you must
configure IPSec transport mode for a transform set using the crypto ipsec transform-set trans_name
mode transport command. This command is part of the configuration procedure that follows, in the
"Configuring L2TP over IPSec Connections" section on page 28-3.
With this capability (transport), you can enable special processing (for example, QoS) on the
intermediate network based on the information in the IP header. However, the Layer 4 header will be
encrypted, limiting the examination of the packet. Unfortunately, because transport mode transmits the
IP header in clear text, it allows an attacker to perform some traffic analysis.
Figure 28-1 illustrates the differences between IPSec Tunnel and Transport modes.
Figure 28-1 IPSec in Tunnel and Transport Modes
[Figure: Tunnel mode packet: New IP HDR | IPSec HDR | IP HDR | Data, with the original IP HDR and Data encrypted.
Transport mode packet: IP HDR | IPSec HDR | Data, with only Data encrypted.]
Chapter 28 Configuring L2TP over IPSec, Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 28-2
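The packet layouts described above, modelled as an added example (not code from the Cisco guide): each mode is built as a list of header and payload segments so that the extra overhead of tunnel mode and what an on-path observer can read in each mode are explicit. Header lengths (IPv4 without options, ESP SPI plus sequence number) and the sample addresses are assumptions.

```python
# Added example (not from the Cisco manual): ESP packet layout in tunnel vs
# transport mode. Assumptions: IPv4 header without options, ESP header = SPI +
# sequence number; ESP trailer and ICV are ignored for simplicity.
from dataclasses import dataclass

IP_HDR_LEN = 20   # assumption: IPv4 header, no options
ESP_HDR_LEN = 8   # assumption: SPI (4) + sequence number (4)

@dataclass(frozen=True)
class Segment:
    name: str
    length: int
    encrypted: bool  # True if carried inside the ESP payload

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    l4_len: int      # e.g. 8 for the UDP header carrying L2TP (port 1701)
    data_len: int

def tunnel_mode(pkt: Datagram, tun_src: str, tun_dst: str) -> list[Segment]:
    """A new outer IP header names only the tunnel endpoints; the entire
    original datagram, its IP header included, becomes the encrypted payload."""
    return [Segment(f"New IP HDR {tun_src}->{tun_dst}", IP_HDR_LEN, False),
            Segment("IPSec HDR", ESP_HDR_LEN, False),
            Segment(f"IP HDR {pkt.src}->{pkt.dst}", IP_HDR_LEN, True),
            Segment("L4 HDR", pkt.l4_len, True),
            Segment("Data", pkt.data_len, True)]

def transport_mode(pkt: Datagram) -> list[Segment]:
    """The original IP header stays in clear text (true source/destination
    visible); only the Layer 4 header and data are encrypted."""
    return [Segment(f"IP HDR {pkt.src}->{pkt.dst}", IP_HDR_LEN, False),
            Segment("IPSec HDR", ESP_HDR_LEN, False),
            Segment("L4 HDR", pkt.l4_len, True),
            Segment("Data", pkt.data_len, True)]

def observer_view(layout: list[Segment]) -> tuple[list[str], int, int]:
    """What an on-path observer gets: readable segment names, cleartext
    byte count, encrypted byte count."""
    visible = [s.name for s in layout if not s.encrypted]
    clear = sum(s.length for s in layout if not s.encrypted)
    return visible, clear, sum(s.length for s in layout) - clear

# Constructed sample: L2TP client 198.51.100.7 talking to security appliance 203.0.113.1
SAMPLE = Datagram("198.51.100.7", "203.0.113.1", l4_len=8, data_len=100)
```

In both modes the Layer 4 header is inside the encrypted region, which is why intermediate devices can act on the IP header but not on ports.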