ESP can protect network traffic in two fundamentally different ways, each suited to different network architectures and security requirements. Transport mode protects only the payload of IP packets, preserving the original IP addresses for routing. Tunnel mode encapsulates entire IP packets within new IP packets, hiding the original endpoints and enabling gateway-to-gateway VPNs.

Choosing the correct mode is not merely a configuration detail—it determines what gets protected, who can see endpoint addresses, how packets traverse NAT devices, and ultimately whether ESP provides the security properties your deployment requires.

This page explores both modes in depth, explaining their packet structures, typical deployment scenarios, security implications, and the factors that should guide your mode selection.

Transport mode is the simpler of the two ESP modes, designed for end-to-end protection between two hosts. In transport mode, ESP protects only the upper-layer protocol (TCP, UDP, ICMP, etc.) while leaving the original IP header intact and visible.

Transport Mode Packet Structure:

Original Packet:  [IP Header][TCP/UDP Header][Payload Data]
                             \_________________________________/
                                        Protected by ESP

ESP Transport:    [IP Header][ESP Header][IV][TCP/UDP Header][Payload][ESP Trailer][ICV]
                             \__________________________________________________/
                                              Encrypted

Key Characteristics:

1. Original IP header preserved: Source and destination addresses visible
2. ESP inserted after IP header: Between IP and upper-layer protocol
3. IP Protocol field changed: Original protocol number (TCP=6, UDP=17) replaced with ESP (50)
4. Original protocol in Next Header: Upper-layer protocol identified in ESP trailer
5. Minimal overhead: Only ESP header, trailer, and ICV added

Transport Mode Use Cases:

1. Host-to-Host Protection: Direct security between two endpoints (e.g., server to server within a data center)

2. L2TP/IPSec: Layer 2 Tunneling Protocol uses transport mode ESP to encrypt L2TP packets

3. Application-Level VPNs: Protecting specific application traffic between known hosts

4. Same-Subnet Encryption: Encrypting traffic on shared network segments

Limitations:

• Endpoint addresses visible: Observers know who is communicating
• NAT problematic: Works only with NAT-Traversal encapsulation
• Not for gateway-to-gateway: Can't hide internal network addresses
• Both endpoints must support ESP: No transparent proxy possible

Tunnel mode is the more common ESP mode, designed for network-to-network or host-to-network VPNs. In tunnel mode, ESP encapsulates the entire original IP packet—including its IP header—within a new IP packet. The original addresses become hidden (encrypted) inside the ESP payload.

Tunnel Mode Packet Structure:

Original Packet:  [Original IP Header][TCP/UDP Header][Payload Data]
                  \__________________________________________________/
                                 Entire packet becomes ESP payload

ESP Tunnel:       [New IP Header][ESP Header][IV][Original IP][TCP/UDP][Payload][Trailer][ICV]
                                                 \________________________________/
                                                           Encrypted

The "Tunneling" Concept:

Imagine the original IP packet being placed inside an envelope (ESP). That envelope is then given a new address label (outer IP header) for delivery through the postal system (untrusted network). Upon arrival, the recipient opens the envelope to retrieve the original letter (decrypting ESP to recover the inner packet).

Key Characteristics:

1. Complete original packet protection: Inner IP header encrypted along with payload
2. New outer IP header created: Contains VPN endpoint addresses (gateways)
3. Original addresses hidden: Traffic analysis can't determine actual endpoints
4. Gateway-based operation: Typically implemented on network devices, not individual hosts
5. Subnet-to-subnet connectivity: Entire networks connected transparently

Tunnel Mode Use Cases:

1. Site-to-Site VPN: Connecting branch offices through public internet
2. Remote Access VPN: Mobile users connecting to corporate network
3. Cloud Connectivity: On-premises to cloud provider tunnels
4. Network-to-Network: Service provider backbone encryption
5. Traffic Engineering: Tunneling through specific paths for policy reasons

Understanding the differences between transport and tunnel mode requires examining multiple dimensions: packet structure, security properties, performance implications, and deployment flexibility.

Overhead Analysis:

Let's calculate the exact overhead for each mode with AES-256-GCM:

Transport Mode Overhead:

ESP Header:        8 bytes (SPI + Sequence)
IV:                8 bytes (AES-GCM implicit IV)
ESP Trailer:       2-17 bytes (padding + pad_length + next_header)
ICV:               16 bytes (AES-GCM tag)
─────────────────────────────
Total:             34-49 bytes (depending on padding)

Tunnel Mode Overhead:

Outer IP Header:   20 bytes (IPv4) or 40 bytes (IPv6)
ESP Header:        8 bytes
IV:                8 bytes
ESP Trailer:       2-17 bytes
ICV:               16 bytes
─────────────────────────────
Total IPv4:        54-69 bytes
Total IPv6:        74-89 bytes

MTU Considerations:

With a standard 1500-byte MTU:

• Transport mode: ~1450-1465 bytes available for payload
• Tunnel mode (IPv4): ~1430-1445 bytes for original packet
• Tunnel mode (IPv6): ~1410-1425 bytes for original packet

This reduction can cause fragmentation issues if not properly handled.

Network Address Translation (NAT) poses significant challenges for ESP because NAT devices modify IP addresses—which can break security mechanisms. NAT Traversal (NAT-T) solves this by encapsulating ESP packets within UDP, allowing them to pass through NAT devices.

The NAT Problem:

1. ESP is IP protocol 50: NAT devices expect TCP (6) or UDP (17) with port numbers
2. No port numbers in ESP: NAT can't create proper translation entries
3. Address changes: NAT modifies source IP (and port for PAT)
4. Checksum issues: Upper-layer checksums may include IP addresses

NAT-T Solution (RFC 3948):

NAT-T wraps ESP packets in UDP datagrams:

Without NAT-T:  [IP Header (Proto=50)][ESP Header][Encrypted Payload][ICV]
                        ↑
                   NAT can't handle this

With NAT-T:     [IP Header (Proto=17)][UDP Header :4500][ESP Header][Encrypted Payload][ICV]
                                         ↑
                                    NAT-friendly

NAT-T Operation:

1. Detection: During IKE negotiation, peers exchange NAT detection payloads (hashes of addresses and ports)
2. Comparison: Each peer computes expected hash and compares with received hash
3. Mismatch Detection: If hashes don't match, NAT exists on the path
4. UDP Encapsulation: All subsequent ESP packets wrapped in UDP:4500
5. Keepalives: Periodic empty UDP packets maintain NAT state

NAT-T and Modes:

• Tunnel Mode + NAT-T: Works excellently; inner addresses completely hidden from NAT
• Transport Mode + NAT-T: Works but with caveats—TCP/UDP checksums may require fixup

Port 4500:

Port 4500 is the IANA-assigned port for IPSec NAT-T. Both source and destination typically use 4500, though the source may be translated by NAT. The receiver distinguishes IKE from ESP by checking the first 4 bytes:

• Non-ESP Marker (0x00000000): IKE traffic
• Any other value: ESP SPI (first ESP header field)

Selecting the appropriate ESP mode requires analyzing your deployment scenario across multiple dimensions. Use the following criteria to guide your decision.

Decision Factor 1: Endpoint Nature

Who are the IPSec peers?

• Host ↔ Host: Transport mode is natural; both endpoints are the actual communicating applications
• Gateway ↔ Gateway: Tunnel mode required; gateways proxy for entire subnets
• Host ↔ Gateway: Tunnel mode typical (remote access VPN); host needs access to protected subnet

Decision Factor 2: Address Visibility Requirements

Do you need to hide internal addresses?

• Must hide internal topology: Tunnel mode (encrypts original IP addresses)
• Addresses can be visible: Either mode works; transport mode is simpler

Decision Factor 3: NAT Environment

Is NAT present on the path?

• No NAT: Either mode works without NAT-T
• NAT present: NAT-T required; tunnel mode is more robust
• Double NAT: Tunnel mode with NAT-T handles this better

Decision Factor 4: Performance Requirements

• Low-latency critical: Transport mode has less overhead and processing
• High-bandwidth tunnels: Either mode; modern hardware handles both efficiently
• Resource-constrained endpoints: Transport mode consumes less CPU

Decision Factor 5: QoS and Traffic Management

• QoS based on inner packet: Tunnel mode hides inner DSCP; may need outer DSCP copying
• QoS based on tunnel: Either mode; treat all tunnel traffic uniformly
• Traffic visibility for monitoring: Transport mode; inner details visible to network

Decision Factor 6: Routing Complexity

• Direct routing to endpoints: Transport mode simpler
• Overlapping address spaces: Tunnel mode allows address reuse across sites
• Complex multi-site topology: Tunnel mode provides encapsulation flexibility

Successfully deploying ESP requires attention to several implementation details that affect both modes, though with different implications.

MTU and Fragmentation:

ESP overhead reduces the available payload size, potentially requiring fragmentation:

Pre-encryption Fragmentation (Preferred):

• Fragment original packet before encryption
• Each fragment encrypted separately
• Reassembly at receiving host (after decryption)

Post-encryption Fragmentation:

• Encrypt full packet, then fragment ESP packet
• Fragments must be reassembled before decryption
• Requires reassembly at IPSec endpoint (more complex)

Path MTU Discovery (PMTUD):

With tunnel mode, PMTUD can be problematic:

1. ICMP "too big" messages sent to outer addresses (gateways)
2. Gateways must propagate this to inner hosts
3. Some networks filter ICMP, breaking PMTUD

Solutions:

• Configure conservative MTU on tunnel interfaces
• Enable MSS clamping for TCP traffic
• Implement PMTUD relay/proxy at gateways
• Consider DF-bit handling (clear/copy/set)

DSCP/QoS Marking:

In tunnel mode, the inner DSCP is encrypted. Options for outer header:

• Copy inner to outer: Preserve QoS across tunnel (privacy concern)
• Fixed outer marking: All tunnel traffic treated uniformly
• Policy-based marking: Mark based on inner traffic classification (requires inspection)

Routing and Selectors:

IPSec traffic selectors define what traffic enters the tunnel:

• Source/Destination Networks: CIDR ranges for tunnel traffic
• Protocol and Ports: Optional protocol-specific selection
• Per-packet vs Per-SA selection: Policy-based or tunnel-all approaches

Beyond basic mode selection, several advanced scenarios require specialized mode configurations.

Nested Tunnels:

Multiple layers of ESP protection for defense-in-depth:

[Outer IP][ESP₂ Tunnel][Inner IP][ESP₁ Tunnel][Original Packet]

Use cases:

• Transit through untrusted intermediate networks
• Separate protection for different security domains
• DMVPN-style overlays with underlying encryption

Transport within Tunnel:

Host-to-host transport mode inside a gateway tunnel:

[Outer IP][ESP₂ Tunnel][Inner IP][ESP₁ Transport][TCP/Data]

Provides end-to-end encryption on top of site-to-site tunneling.

BEET Mode (Bound End-to-End Tunnel):

A hybrid mode (non-standard, Linux-specific) that:

• Uses transport mode on the wire (less overhead)
• Presents tunnel-mode semantics to applications
• Hides complexity while reducing overhead

Virtual Tunnel Interfaces (VTI):

VTIs provide a routable interface for IPSec tunnels, simplifying configuration:

Traditional Policy-Based:

• Define crypto ACLs matching traffic
• Each ACL entry creates protection
• Complex with multiple subnets

VTI Route-Based:

• Create virtual tunnel interface
• Point routes at tunnel interface
• IPSec protects whatever is routed through VTI
• Simpler, more intuitive, supports dynamic routing

DMVPN (Dynamic Multipoint VPN):

Combines GRE with IPSec for spoke-to-spoke dynamic tunnels:

1. Hub-and-spoke base: All spokes connect to hub
2. NHRP (Next Hop Resolution): Spokes learn spoke addresses
3. Dynamic spoke-to-spoke: Direct tunnels on demand
4. IPSec protection: ESP tunnel mode for all DMVPN traffic

The choice between transport and tunnel mode fundamentally shapes how ESP protects your traffic. Transport mode offers simplicity and efficiency for host-to-host communication, while tunnel mode provides comprehensive protection and flexibility for network-wide VPN deployments.

Module Summary:

You have now completed a comprehensive exploration of ESP—the Encapsulating Security Payload protocol that secures network layer communications across the Internet. From ESP's purpose and design philosophy through packet formats, encryption mechanisms, authentication services, and operational modes, you've gained the deep understanding necessary to implement, configure, and troubleshoot IPSec deployments.

ESP is the foundation of VPN technologies worldwide, protecting everything from corporate site-to-site links to remote worker connections to cloud infrastructure connectivity. This knowledge prepares you to work with real-world IPSec implementations and understand the security guarantees they provide.