
IPsec transport mode: How it works

This article explains what IPsec transport mode is in virtual private networks (VPNs) and how it works, using diagrams, illustrations and easy-to-understand language.

IPsec transport mode is one of two available IPsec modes. It is mostly used for end-to-end communications, rather than for encrypting data between two networks across a VPN. An example of end-to-end communication is a client workstation exchanging data with a public server. The client workstation directs its packet to the public server. The public server receives the packet, processes it and sends a response back to the client workstation.

The diagram below (Figure 1) depicts this scenario:

IPsec transport mode diagram

Figure 1: IPsec transport mode is for end-to-end communication rather than network-to-network VPN encryption.

It is important to note that the client workstation is only accessing the public server itself and nothing behind it, such as a local network.

In our example, data is encrypted between the two endpoints (client and server) using IPsec with whichever encryption algorithm has been chosen. But transport mode differs from IPsec tunnel mode in which parts of the packet are encrypted.

With IPsec transport mode, IPsec encrypts the original IP packet's payload, but it must keep a copy of the original packet's IP header in cleartext in front of the new IPsec-protected packet so that the packet can still be routed to the server.

This process is shown clearly in the illustration below:

What IPsec transport mode does to IP packets

Figure 2: IPsec transport mode places the original IP packet header in front of the new IPsec-protected packet.

The downside of this method is that the original IP header is fully exposed. Any hacker who happens to be monitoring this network traffic can read the information contained in the IP header.

The IP header can reveal the source and destination IP addresses, plus information such as which upper-layer protocol, like TCP or UDP, is in use.

From this example, it is evident that essentially only the "TCP/UDP" and "DATA" sections of the original packet (shown in the IPsec transport mode diagram above) are fully encrypted and hidden from the public network.
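The following Python script is an added example, not code from the original article. It builds a constructed IPv4/TCP packet, wraps its payload in the transport-mode ESP layout described above (original IP header kept in front, ESP header, encrypted TCP/UDP + DATA plus ESP trailer, integrity check value), and then shows what an observer on the wire can and cannot read. The "cipher" is a stand-in keystream derived with HMAC-SHA256 so the script runs on the standard library alone; it is not a real ESP cipher suite, and the key, SPI, addresses and HTTP request are all constructed sample values. Only the framing follows RFC 4303.

```python
"""Illustrative IPsec transport-mode (ESP) framing: which bytes stay visible.
Added example: toy cipher (HMAC-derived keystream + truncated HMAC tag),
NOT a real ESP transform. Packet layout follows RFC 4303 transport mode."""
import hashlib
import hmac
import struct

PROTO_TCP = 6
PROTO_ESP = 50          # IP protocol number the outer header carries once ESP is applied
ICV_LEN = 12            # truncated integrity check value, as in HMAC-SHA-96 style transforms


def ipv4_checksum(hdr):
    """Standard one's-complement checksum over the IPv4 header (checksum field zeroed)."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split('.'))
    hdr = bytearray(struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len,
                                0x1234, 0x4000, 64, proto, 0, to_bytes(src), to_bytes(dst)))
    struct.pack_into('!H', hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr)


def split_ipv4(pkt):
    """Return (header, payload) using the IHL field."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[:ihl], pkt[ihl:]


def rewrite_header(hdr, proto, payload_len):
    """Copy of the IP header with protocol, total length and checksum updated."""
    new_hdr = bytearray(hdr)
    new_hdr[9] = proto
    struct.pack_into('!H', new_hdr, 2, len(hdr) + payload_len)
    struct.pack_into('!H', new_hdr, 10, 0)
    struct.pack_into('!H', new_hdr, 10, ipv4_checksum(new_hdr))
    return bytes(new_hdr)


def toy_keystream(key, spi, seq, n):
    """Stand-in keystream (HMAC counter mode); illustration only, not an ESP cipher."""
    out = b''
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack('!IIQ', spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_transport_encapsulate(pkt, key, spi, seq):
    """Transport mode: keep the original IP header, protect only what follows it."""
    hdr, payload = split_ipv4(pkt)
    next_hdr = hdr[9]                                   # original upper-layer protocol (e.g. TCP)
    pad_len = (-(len(payload) + 2)) % 4                 # pad so pad_len/next_header end on 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    plaintext = payload + trailer                       # TCP/UDP header + DATA + ESP trailer
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, toy_keystream(key, spi, seq, len(plaintext))))
    esp_hdr = struct.pack('!II', spi, seq)              # SPI and sequence number travel in the clear
    icv = hmac.new(key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + ciphertext + icv
    return rewrite_header(hdr, PROTO_ESP, len(esp)) + esp


def esp_transport_decapsulate(pkt, key):
    """Verify the ICV, decrypt, strip the trailer and restore the original packet."""
    hdr, esp = split_ipv4(pkt)
    spi, seq = struct.unpack('!II', esp[:8])
    ciphertext, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, esp[:8] + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError('ESP integrity check failed')
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, toy_keystream(key, spi, seq, len(ciphertext))))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    payload = plaintext[:-(pad_len + 2)]
    return rewrite_header(hdr, next_hdr, len(payload)) + payload


def what_an_observer_sees(pkt):
    """Fields readable by anyone sniffing the wire: the cleartext IP header."""
    hdr, _ = split_ipv4(pkt)
    return {'src': '.'.join(map(str, hdr[12:16])),
            'dst': '.'.join(map(str, hdr[12 + 4:16 + 4])),
            'protocol': hdr[9]}


def sample_packet():
    """Constructed sample: TCP segment (no options) carrying an HTTP request."""
    tcp = struct.pack('!HHIIBBHHH', 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    payload = tcp + b'GET / HTTP/1.0\r\n'
    return ipv4_header('192.0.2.10', '198.51.100.7', PROTO_TCP, len(payload)) + payload


if __name__ == '__main__':
    key = b'constructed-demo-key'
    original = sample_packet()
    on_wire = esp_transport_encapsulate(original, key, spi=0x1000, seq=1)
    print('observer sees:', what_an_observer_sees(on_wire))
    print('TCP/DATA visible on wire:', b'GET / HTTP' in on_wire)
    print('round trip ok:', esp_transport_decapsulate(on_wire, key) == original)
```

Running it shows the point of Figure 2 in bytes: the source and destination addresses survive in cleartext, while the TCP header and the HTTP request do not appear anywhere in the wire packet. One detail worth knowing from RFC 4303 is that the outer header's protocol field becomes 50 (ESP) and the original upper-layer protocol number is carried inside the encrypted trailer, so an observer learns that IPsec is in use and who is talking to whom, but not which transport protocol or ports. A production implementation would add anti-replay checking on the sequence number, which this example omits.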

Continue reading this article to learn how to implement IPsec to protect your VPN data.

This was last published in June 2012
