Which is superior for VPN, transport mode or tunnelling?


When establishing a VPN, is one of these pretty much always the better choice, or are there variables that make it situation dependent?

Answer this Question


3 total
Vote Up (4)

Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode - What's the Difference?

"IPSec’s protocol objective is to provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality.

As outlined in our IPSec protocol article, Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPSec security protocols used to provide these security services. Analysing the ESP and AH protocols is out of this article’s scope, however you can turn to our IPSec article where you’ll find an in-depth analysis and packet diagrams to help make the concept clear.

IPSec can be configured to operate in two different modes, Tunnel and Transport mode. Use of each mode depends on the requirements and implementation of IPSec."

Vote Up (4)

From an earlier discussion on networking-forum:


"Tunnel mode vs. transport mode simply determines how the devices terminating the "tunnel" treat it. For example, if two PCs establish an IPsec connection between each other solely for the purpose of encrypting traffic originating from one PC destined to the other, that would be a transport mode connection. If two routers establish an IPsec connection between each other for the purpose of acting as gateways for their local LAN to access the remote LAN, that would be a tunnel mode connection.


Transport mode IPsec is typically only used between two servers for the purpose of encrypting a data channel just between the two servers. Tunnel mode is much more frequently used, and is always the mode for site-to-site connections between routers." - ibarrere

Dr. Rose
Vote Up (2)

Basically in Tunnel mode, which is the default mode on Cisco routers, the original source and destination IP addresses are encrypted and an ESP header is added followed by a new IP header.  The new IP header will have the source and destination IP addresses from the tunnel interfaces.

In Transport mode only the data is encrypted, and the original IP header is places in front of the ESP header.

In short, if the encrypted traffic isn't the endpoint of the tunnel, tunnel mode will be used.


Ask a question

Join Now or Sign In to ask a question.
VMware started patching its products against the critical Heartbleed flaw that puts encrypted communications at risk, and plans to have updates ready for all affected products by Saturday.
Running Windows XP in a virtual machine is a safe way to continue using it once support ends. Here's how to do just that.
VMware is about to release a new version of its Horizon VDI (virtual desktop infrastructure) software that will allow administrators to manage VDI and non-VDI deployments in a unified manner, by using multiple VMware technologies.
Greenpeace has marked Google, Apple, and Facebook as the cleanest datacentre operators for transparency, policy, efficiency, and advocacy in its most recent Clicking Clean report, published this month.
Citrix has partnered with Google to deliver business-critical Windows apps to Google Chromebooks, and has already pulled in major clients, such as Woolworths.
IBM has won a five-year contract to manage Coca Cola Amatil's (CCA) mission-critical SAP infrastructure on its private Cloud hosted in its Sydney datacenter.
The focus in SDNs and programmable networking is shifting to application policy, an area where vendors can instill their unique architectures and maintain customer dependency.
Hypervisors that virtualize the compute, networking and storage tiers provide a unique platform for enforcing security policies, VMware executives argued this week at Interop.
Amazon Web Services hopes to entice more Hadoop users to its Elastic MapReduce service with new virtual servers, one of which has 262GB of memory and 6.4TB of storage for big-data analytics.
Amazon Web Services' hosted virtual desktops have become generally available, priced from $35, but the company and its competitors have a lot of hurdles to overcome before this sort of technology is widely used by businesses.

White Papers & Webcasts

See more White Papers | Webcasts

Join us: