Which is superior for VPN, transport mode or tunnelling?


When establishing a VPN, is one of these pretty much always the better choice, or are there variables that make it situation dependent?

Answer this Question


3 total
Dr. Rose
Vote Up (9)

Basically in Tunnel mode, which is the default mode on Cisco routers, the original source and destination IP addresses are encrypted and an ESP header is added followed by a new IP header.  The new IP header will have the source and destination IP addresses from the tunnel interfaces.

In Transport mode only the data is encrypted, and the original IP header is places in front of the ESP header.

In short, if the encrypted traffic isn't the endpoint of the tunnel, tunnel mode will be used.


Vote Up (9)

Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode - What's the Difference?

"IPSec’s protocol objective is to provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality.

As outlined in our IPSec protocol article, Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPSec security protocols used to provide these security services. Analysing the ESP and AH protocols is out of this article’s scope, however you can turn to our IPSec article where you’ll find an in-depth analysis and packet diagrams to help make the concept clear.

IPSec can be configured to operate in two different modes, Tunnel and Transport mode. Use of each mode depends on the requirements and implementation of IPSec."

Vote Up (8)

From an earlier discussion on networking-forum:


"Tunnel mode vs. transport mode simply determines how the devices terminating the "tunnel" treat it. For example, if two PCs establish an IPsec connection between each other solely for the purpose of encrypting traffic originating from one PC destined to the other, that would be a transport mode connection. If two routers establish an IPsec connection between each other for the purpose of acting as gateways for their local LAN to access the remote LAN, that would be a tunnel mode connection.


Transport mode IPsec is typically only used between two servers for the purpose of encrypting a data channel just between the two servers. Tunnel mode is much more frequently used, and is always the mode for site-to-site connections between routers." - ibarrere

Ask a question

Join Now or Sign In to ask a question.
Big Switch Networks this week is unveiling an SDN controller designed to bring Google-like hyperscale networking to enterprises.
Breaking up is hard to do, but could a split be in store soon for EMC and VMware?
ONUG also forms use case working groups for WANs, overlays and services virtualization.
The latest release of Oracle's software for managing virtual machines offers the same set of features to Sparc users as to those who manage virtual machines on x86 servers.
VMware is for the first time inviting anyone to beta test the next version of vSphere, the company's virtualization platform.
Oracle has just released its Communications Application Orchestrator designed to address the Network Functions Virtualization (NFV) requirements for communications service providers. Virtualized infrastructures are increasingly popular, both in the enterprise and in service provider infrastructures. Oracle's new solution is also designed to work with Oracle Communications Core Session Manager, a solution that helps CSPs virtualize network infrastructures to support NFV efforts.
Pluribus Networks lets Arrow spearhead server/switch hardware sales while it focuses on network hypervisor software.
PLUMgrid brings cloud networking to OpenStack, lands another $16M in funding and wins over Swisscom.
Some developers have turned to MIDI devices, for fun or relief, to write software
As if tracking down bugs in a complex application isn't difficult enough, programmers now must worry about a newly emerging and potentially dangerous trap, one in which a program compiler simply eliminates chunks of code it doesn't understand, often without alerting the programmer of the missing functionality.
Join us: