Which is superior for VPN, transport mode or tunnelling?


When establishing a VPN, is one of these pretty much always the better choice, or are there variables that make it situation dependent?

Dr. Rose
Vote Up (13)

Basically in Tunnel mode, which is the default mode on Cisco routers, the original source and destination IP addresses are encrypted and an ESP header is added, followed by a new IP header. The new IP header will have the source and destination IP addresses from the tunnel interfaces.

In Transport mode only the data is encrypted, and the original IP header is placed in front of the ESP header.

In short, if the encrypted traffic isn't the endpoint of the tunnel, tunnel mode will be used.


Vote Up (12)

Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode - What's the Difference?

"IPSec’s protocol objective is to provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality.

As outlined in our IPSec protocol article, Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPSec security protocols used to provide these security services. Analysing the ESP and AH protocols is out of this article’s scope, however you can turn to our IPSec article where you’ll find an in-depth analysis and packet diagrams to help make the concept clear.

IPSec can be configured to operate in two different modes, Tunnel and Transport mode. Use of each mode depends on the requirements and implementation of IPSec."

Vote Up (12)

From an earlier discussion on networking-forum:


"Tunnel mode vs. transport mode simply determines how the devices terminating the "tunnel" treat it. For example, if two PCs establish an IPsec connection between each other solely for the purpose of encrypting traffic originating from one PC destined to the other, that would be a transport mode connection. If two routers establish an IPsec connection between each other for the purpose of acting as gateways for their local LAN to access the remote LAN, that would be a tunnel mode connection.


Transport mode IPsec is typically only used between two servers for the purpose of encrypting a data channel just between the two servers. Tunnel mode is much more frequently used, and is always the mode for site-to-site connections between routers." - ibarrere
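The packet layouts that Dr. Rose's answer and the ibarrere quote above describe in words, as an added Python example (not code from this thread or from any of the quoted sources): it builds ESP packets both ways so the difference can be read byte by byte. In transport mode the original IP header stays in the clear and ESP protects only the transport segment (ESP Next Header = 6 for TCP); in tunnel mode the whole original packet, header included, is encrypted behind a new outer header carrying the gateway addresses (ESP Next Header = 4, IP-in-IP). The addresses, SPIs, the TCP-like segment and the key are constructed for the example; the XOR "cipher" is a stand-in for ESP's real cipher/AEAD and the ICV is omitted, so this sketches the encapsulation layout rather than a usable IPsec implementation.

```python
import struct

IPPROTO_IPIP = 4    # ESP Next Header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6     # ESP Next Header value when only a TCP segment is protected (transport mode)
IPPROTO_ESP = 50    # outer IP protocol number in both modes


def _addr(a):
    return bytes(int(x) for x in a.split("."))


def _addr_str(b):
    return ".".join(str(x) for x in b)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (toy packets, never put on a wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _addr(src), _addr(dst))


def parse_ipv4(buf):
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"src": _addr_str(f[8]), "dst": _addr_str(f[9]), "proto": f[6],
            "payload": buf[20:f[2]]}


def _toy_cipher(data, key):
    """XOR keystream standing in for ESP's real cipher (e.g. AES-GCM). NOT secure; symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def esp_encapsulate(spi, seq, protected, next_header, key):
    """ESP per RFC 4303 layout: SPI | seq | enc(protected | pad | pad_len | next_header). ICV omitted."""
    pad_len = (-(len(protected) + 2)) % 4          # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + _toy_cipher(protected + trailer, key)


def esp_decapsulate(esp, key):
    spi, seq = struct.unpack("!II", esp[:8])
    plain = _toy_cipher(esp[8:], key)
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:-(pad_len + 2)]


def transport_mode(src, dst, segment, spi, seq, key):
    """Host-to-host: the original IP header stays in the clear, ESP protects only the L4 segment."""
    esp = esp_encapsulate(spi, seq, segment, IPPROTO_TCP, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_packet, spi, seq, key):
    """Gateway-to-gateway: the entire original packet is encrypted behind a new outer header."""
    esp = esp_encapsulate(spi, seq, inner_packet, IPPROTO_IPIP, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def on_the_wire(packet):
    """What a passive observer between the endpoints can read without the key."""
    outer = parse_ipv4(packet)
    spi, seq = struct.unpack("!II", outer["payload"][:8])
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"],
            "spi": spi, "seq": seq}


def receive(packet, key):
    """Decapsulate either mode; return (original src, original dst, original L4 bytes)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _, _, next_header, inner = esp_decapsulate(outer["payload"], key)
    if next_header == IPPROTO_IPIP:                # tunnel mode: inner is a full IP packet
        orig = parse_ipv4(inner)
        return orig["src"], orig["dst"], orig["payload"]
    return outer["src"], outer["dst"], inner       # transport mode: outer header is the original


# Constructed sample data (hosts, gateways, SPIs, key and segment are all made up).
KEY = b"constructed-demo-key"
SEGMENT = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"     # TCP-like segment, ports 80 -> 8080

TRANSPORT = transport_mode("10.1.1.10", "10.2.2.20", SEGMENT, 0x1001, 1, KEY)
INNER = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, len(SEGMENT)) + SEGMENT
TUNNEL = tunnel_mode("203.0.113.1", "198.51.100.1", INNER, 0x2002, 1, KEY)

if __name__ == "__main__":
    print("transport:", on_the_wire(TRANSPORT))   # real host addresses visible, proto 50
    print("tunnel:   ", on_the_wire(TUNNEL))      # only the two gateway addresses visible
    print("receive:  ", receive(TUNNEL, KEY))     # original packet recovered at the far gateway
```

Running it shows the practical point behind the answers: in both modes the observer sees protocol 50 plus the SPI and sequence number in the clear, but in transport mode the two communicating hosts are also exposed in the outer header, whereas in tunnel mode only the gateways are, and the inner addresses travel inside the encrypted region. Tunnel mode therefore hides the internal topology but adds a second 20-byte IP header to every packet, which is the overhead site-to-site deployments accept.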
