101
0/228
Loading content...
IPSec provides two fundamentally different modes of operation, each designed for distinct network architectures and security requirements. The choice between Transport Mode and Tunnel Mode determines which parts of the IP packet are protected, how the packet is transformed, and what kind of security deployment is possible.
This isn't merely a configuration option—it's an architectural decision that shapes your entire security deployment. Choose incorrectly, and you'll end up with security gaps, routing problems, or unnecessary complexity. Choose correctly, and IPSec seamlessly integrates into your network, providing exactly the protection you need.
The distinction between these modes is one of the most important concepts in IPSec, yet it's frequently misunderstood. We'll examine each mode in depth, trace the exact packet transformations involved, and develop clear guidelines for mode selection.
By the end of this page, you will understand: (1) how Transport Mode protects host-to-host communication, (2) how Tunnel Mode enables gateway-based VPN architectures, (3) the exact packet transformations in each mode, (4) the security implications of each mode, and (5) decision criteria for selecting the appropriate mode.
Transport Mode provides security for the payload of an IP packet while leaving the original IP header mostly intact. It's designed for end-to-end protection between two communicating hosts—the IPSec endpoints are the same as the communication endpoints.
Key Characteristics:
When to Use Transport Mode:
ESP Transport Mode Packet Structure:
When ESP is applied in transport mode, the packet undergoes this transformation:
Original Packet:
| IP Header (20 bytes) | TCP Header (20 bytes) | Application Data |
Protocol = 6 (TCP)
After ESP Transport Mode:
| IP Header (20 bytes) | ESP Header (8 bytes) | TCP Header (20 bytes) | Application Data | ESP Trailer | Auth Tag |
Protocol = 50 (ESP) SPI + Seq# ←────────────── Encrypted ─────────────→
←──────────────────── Authenticated ───────────────────→
Detailed Field Description:
| Field | Size | Description |
|---|---|---|
| Modified IP Header | 20 bytes | Protocol field changed to 50 (ESP). Other fields preserved. |
| ESP Header | 8 bytes | Security Parameter Index (4 bytes) + Sequence Number (4 bytes) |
| Original TCP Header | 20 bytes | Now encrypted (invisible to observers) |
| Application Data | Variable | Encrypted payload |
| ESP Trailer | 2+ bytes | Padding, Pad Length, Next Header (6 for TCP) |
| Auth Tag (ICV) | 16 bytes typical | Integrity Check Value from AEAD or HMAC |
The Protocol Field Transform:
The original IP header's Protocol field indicated the next layer protocol (6 for TCP, 17 for UDP). After ESP encapsulation, this changes to 50 (ESP). The original protocol value moves to the ESP Trailer's 'Next Header' field.
This allows the receiver to:
Transport mode has significant NAT (Network Address Translation) challenges. The IP header's source/destination are authenticated by ESP. If NAT changes these addresses in transit, authentication fails. NAT-Traversal (NAT-T) encapsulates ESP in UDP to work around this, but adds complexity and overhead. Consider tunnel mode if NAT is involved.
AH Transport Mode Packet Structure:
When AH is used in transport mode (authentication only, no encryption):
After AH Transport Mode:
| IP Header (20 bytes) | AH Header (24 bytes) | TCP Header (20 bytes) | Application Data |
Protocol = 51 (AH) SPI + Seq# + ICV ←───────── Authenticated but NOT encrypted ─────────→
AH authenticates:
Mutable fields (TTL, header checksum) are zeroed before authentication calculation and excluded from verification—otherwise, every router decrementing TTL would invalidate the authentication.
Security Implications of Transport Mode:
| Aspect | Status | Notes |
|---|---|---|
| Payload protection | ✅ Protected | TCP/UDP data encrypted and authenticated |
| Source/Dest IPs | ⚠️ Visible | Original addresses exposed (no traffic flow confidentiality) |
| Port numbers | ✅ Protected (ESP) | Encrypted, invisible to observers |
| NAT compatibility | ❌ Poor | Requires NAT-T workaround |
| Intermediate inspection | ❌ Not possible | Firewalls can't inspect encrypted ports |
| Endpoint requirements | Both must support IPSec | End-to-end deployment required |
Tunnel Mode encapsulates the entire original IP packet inside a new IP packet with new headers. It's designed for gateway-to-gateway VPN architectures where security gateways protect traffic between networks—the IPSec endpoints differ from the communication endpoints.
Key Characteristics:
When to Use Tunnel Mode:
ESP Tunnel Mode Packet Structure:
Original Packet (from Host A to Host B):
| Original IP Header | TCP Header | Application Data |
Src: 10.0.1.5
Dst: 10.0.2.7
Protocol: 6 (TCP)
After ESP Tunnel Mode (on the wire between gateways):
| New IP Header | ESP Header | Original IP Header | TCP Header | Data | ESP Trailer | Auth Tag |
Src: 203.0.113.1 (GW_A) ←───────────────────── Encrypted ─────────────────────→
Dst: 198.51.100.1 (GW_B)
Protocol: 50 (ESP) ←────────────────────────── Authenticated ─────────────────────────→
The Double Header Structure:
| Header | Purpose | Contents |
|---|---|---|
| Outer IP Header | Routes packet between gateways | Gateway public IP addresses; Protocol=50 |
| ESP Header | IPSec processing | SPI identifying the SA; Sequence number |
| Inner IP Header | Original routing (encrypted) | Original source/destination hosts |
| Original Payload | The actual data (encrypted) | TCP/UDP + Application data |
| ESP Trailer | IPSec bookkeeping | Padding, Next Header (IP=4) |
| Auth Tag | Integrity verification | AEAD tag or HMAC output |
Traffic Flow:
A key advantage of tunnel mode: end hosts are completely unaware of IPSec. They send normal IP packets to their default gateway; the security infrastructure handles protection transparently. This enables protecting legacy systems, IoT devices, and any equipment that can't implement IPSec directly.
Tunnel Mode and NAT:
Tunnel mode handles NAT more gracefully than transport mode:
This is why tunnel mode is used for remote access VPNs where users connect from behind NAT (home routers, hotel networks, etc.).
AH Tunnel Mode:
While rarely used, AH can also operate in tunnel mode:
| New IP Header | AH Header | Original IP Header | TCP Header | Data |
Src: GW_A SPI+Seq+ICV Src: 10.0.1.5
Dst: GW_B Protocol: 51 Dst: 10.0.2.7
Protocol: 51 ←─────────────────── Authenticated ─────────────────────→
AH provides authentication and integrity but no encryption—the original packet is visible. Still, interior addresses are contained in authenticated (not encrypted) data, providing some topology hiding.
Understanding when to use each mode requires examining multiple factors: overhead, security properties, deployment requirements, and operational considerations.
| Characteristic | Transport Mode | Tunnel Mode |
|---|---|---|
| Protected Scope | Payload only (L4+) | Entire original packet (L3+) |
| Original IP Header | Preserved (modified Protocol field) | Encrypted inside new packet |
| Source/Dest Visibility | Original addresses visible | Only gateway addresses visible |
| Overhead (ESP + Tag) | ~36-52 bytes | ~56-72 bytes (+ 20 byte IP header) |
| MTU Impact | Lower (less encapsulation) | Higher (additional IP header) |
| Endpoint Requirements | Both hosts must implement IPSec | Only gateways need IPSec |
| Legacy Device Support | No—devices must be IPSec-aware | Yes—devices are unaware of IPSec |
| NAT Compatibility | Poor—requires NAT-T workarounds | Better—outer header can be NATed |
| Traffic Flow Confidentiality | None—original addresses exposed | Limited—hides internal topology |
| Common Use Cases | Host-to-host, server clusters | Site-to-site VPN, remote access |
Overhead Analysis:
The overhead difference between modes impacts network performance, especially for small packets.
Transport Mode Overhead:
ESP Header: 8 bytes (SPI + Seq#)
ESP Trailer: 2-16 bytes (padding to block boundary + 2 byte trailer)
Authentication Tag: 16 bytes (typical for GCM-128)
Total: 26-40 bytes
Tunnel Mode Overhead:
Outer IP Header: 20 bytes (IPv4) or 40 bytes (IPv6)
ESP Header: 8 bytes
ESP Trailer: 2-16 bytes
Authentication Tag: 16 bytes
Total: 46-60 bytes (IPv4) or 66-80 bytes (IPv6)
MTU Considerations:
With 1500-byte Ethernet MTU:
For applications generating 1400+ byte packets, tunnel mode may trigger fragmentation or require Path MTU Discovery adjustments. This is particularly relevant for:
Performance Trade-off: Tunnel mode's additional overhead is frequently worth accepting for:
It's possible to apply both modes simultaneously: transport mode for host-to-host authentication inside a tunnel mode VPN. For example, servers might use transport mode for mutual authentication, while traffic crosses a tunnel mode VPN between sites. This provides defense-in-depth but adds complexity and overhead.
Let's examine specific deployment scenarios and the mode selection logic for each:
Scenario: Connect two corporate offices across the public Internet.
Architecture:
Mode Selection: Tunnel Mode
Rationale:
Configuration Concept:
Gateway A Policy:
Traffic from 10.0.1.0/24 to 10.0.2.0/24 → PROTECT
Tunnel endpoints: 203.0.113.1 ↔ 198.51.100.1
ESP with AES-256-GCM, IKEv2 authentication
Gateway B Policy:
Traffic from 10.0.2.0/24 to 10.0.1.0/24 → PROTECT
Tunnel endpoints: 198.51.100.1 ↔ 203.0.113.1
ESP with AES-256-GCM, IKEv2 authentication
Traffic Flow:
Understanding the exact byte-level structure of IPSec packets is essential for troubleshooting, packet analysis, and understanding what firewalls and NAT devices see.
ESP Header Format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Security Parameters Index (SPI) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Payload Data (variable) |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Padding (0-255 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Pad Length | Next Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Integrity Check Value (ICV) (variable) |
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Field | Size | Purpose |
|---|---|---|
| SPI | 32 bits | Identifies the Security Association. Receiver uses SPI + source IP + protocol to find SA in SAD. |
| Sequence Number | 32 bits (or 64 with ESN) | Monotonically increasing counter for anti-replay protection. |
| Payload Data | Variable | In transport mode: original L4 header + data. In tunnel mode: entire original IP packet. |
| Padding | 0-255 bytes | Aligns payload to encryption block boundary. May include TFC padding for traffic analysis resistance. |
| Pad Length | 8 bits | Number of padding bytes (so receiver knows where padding ends). |
| Next Header | 8 bits | Protocol of the encapsulated packet. Transport: 6 (TCP), 17 (UDP). Tunnel: 4 (IP-in-IP). |
| ICV | Variable (typically 16 bytes) | Authentication tag from AEAD or HMAC. Covers ESP header + encrypted payload. |
Encryption Boundaries:
| IP Header | ESP Header | Payload + Padding + Pad Len + Next Hdr | ICV |
↑___________|_________________________________________|
Not encrypted (ESP header is plaintext)
| IP Header | ESP Header | Encrypted Data | ICV |
↑________________________________________↑
Encrypted portion
| IP Header | ESP Header | Encrypted: Payload + Pad + PL + NH | ICV |
↑_____________|_________________________________________↑
Authenticated portion (includes ESP header)
Key Points:
NAT-Traversal (NAT-T) Encapsulation:
When NAT is detected during IKE negotiation, ESP packets are encapsulated in UDP:
| IP Header | UDP Header | Non-ESP Marker | ESP Packet |
port 4500 (zeros if ESP)
The UDP encapsulation allows NAT devices to translate addresses without breaking ESP authentication (they only modify the outer UDP/IP headers, not the ESP content inside).
When capturing IPSec traffic with Wireshark, you'll see ESP as protocol 50. Without decryption keys, you can view SPI and sequence numbers but not payload. Wireshark can decrypt ESP if you provide the SA keys (Edit → Preferences → Protocols → ESP → ESP SAs). This is invaluable for troubleshooting encryption mismatches.
Selecting the appropriate IPSec mode should follow a systematic decision process. Here's a framework for common scenarios:
Decision Criteria Summary:
| Question | If Yes → | If No → |
|---|---|---|
| Are endpoints legacy/cannot run IPSec? | Tunnel Mode | Continue evaluation |
| Is NAT present without NAT-T support? | Tunnel Mode | Continue evaluation |
| Must internal topology be hidden? | Tunnel Mode | Continue evaluation |
| Is this connecting networks via gateways? | Tunnel Mode | Continue evaluation |
| Is performance/overhead critical? | Consider Transport Mode | Tunnel Mode acceptable |
| Is this direct host-to-host communication? | Transport Mode | Tunnel Mode |
The Default Choice:
When in doubt, Tunnel Mode is the safer default:
Choose Transport Mode only when:
RFC 4301 permits combining modes: e.g., host-to-host transport mode Security Association inside a gateway-to-gateway tunnel mode SA. This provides defense in depth—if the tunnel SA is compromised, the transport SA still protects traffic. However, this doubles processing overhead and configuration complexity. Use only when the additional security layer is genuinely required.
We've examined IPSec's two operational modes in depth. Let's consolidate the key insights:
What's Next:
With a solid understanding of IPSec modes, we now turn to the specific protocols that implement IPSec security services. The next page examines the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols—their formats, capabilities, and the trade-offs between them.
You now understand IPSec's two operational modes: Transport Mode for end-to-end host protection with lower overhead, and Tunnel Mode for gateway-based VPN architectures with greater flexibility. You can trace packet transformations in each mode and select the appropriate mode for common deployment scenarios. Next, we'll explore the AH and ESP protocols that implement these modes.