Which is superior for VPN, transport mode or tunnelling?


When establishing a VPN, is one of these pretty much always the better choice, or are there variables that make it situation dependent?

Dr. Rose
Vote Up (12)

Basically in Tunnel mode, which is the default mode on Cisco routers, the original source and destination IP addresses are encrypted and an ESP header is added followed by a new IP header. The new IP header will have the source and destination IP addresses from the tunnel interfaces.

In Transport mode only the data is encrypted, and the original IP header is placed in front of the ESP header.

In short, if the encrypted traffic isn't the endpoint of the tunnel, tunnel mode will be used.
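To make the header layouts in this answer concrete, here is an added example (not code from the original thread or any of its posters) that builds a constructed IPv4/TCP packet and wraps it the way ESP would in transport mode versus tunnel mode. It models packet layout only: the region ESP would encrypt is carried as plaintext so the script runs with the standard library alone, and the authentication trailer (ICV) is omitted. The addresses, SPIs and gateway names are constructed sample values. The point it shows is what a passive observer on the path sees in the clear in each mode: the real hosts' addresses in transport mode, only the gateway addresses in tunnel mode, which is also the distinction ibarrere draws in the answer further down.

```python
"""Constructed demonstration of ESP transport vs tunnel mode encapsulation.
Only the packet layout is modelled: the part ESP would encrypt is left as
plaintext, and the ESP authentication trailer (ICV) is not included."""
import socket
import struct

IPPROTO_IPIP = 4   # next-header value for an inner IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50


def _checksum(data: bytes) -> int:
    # Standard one's-complement sum used for the IPv4 header checksum.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # 20-byte header, no options, TTL 64; checksum filled in after packing.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    (v_ihl, _tos, total_len, _id, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "total_len": total_len, "ihl": (v_ihl & 0x0F) * 4}


def _esp_wrap(protected: bytes, spi: int, seq: int, next_header: int) -> bytes:
    # ESP header (SPI, sequence number) | protected region | trailer (pad length 0, next header).
    return struct.pack("!II", spi, seq) + protected + struct.pack("!BB", 0, next_header)


def esp_transport(orig_packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the original IP header outside, protect only the payload."""
    h = parse_ipv4_header(orig_packet)
    esp = _esp_wrap(orig_packet[h["ihl"]:], spi, seq, h["proto"])
    # The original header stays in front of ESP; only protocol and length change.
    return build_ipv4_header(h["src"], h["dst"], IPPROTO_ESP, len(esp)) + esp


def esp_tunnel(orig_packet: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: protect the whole original packet and add a new outer header."""
    esp = _esp_wrap(orig_packet, spi, seq, IPPROTO_IPIP)
    return build_ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def visible_on_the_wire(packet: bytes) -> dict:
    """What an observer between the peers learns from the unencrypted outer header and ESP header."""
    h = parse_ipv4_header(packet)
    spi, seq = struct.unpack("!II", packet[h["ihl"]:h["ihl"] + 8])
    return {"src": h["src"], "dst": h["dst"], "proto": h["proto"], "spi": spi, "seq": seq}


def protected_next_header(packet: bytes) -> int:
    """Next-header byte from the ESP trailer (readable here only because nothing is encrypted)."""
    return packet[-1]


# Constructed inner packet: host 10.1.1.10 -> 10.2.2.20, TCP, 16 bytes of TCP data.
ORIG = build_ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, 16) + b"\x04\xd2\x00\x50" + b"\x00" * 12

TRANSPORT = esp_transport(ORIG, spi=0x1000, seq=1)
# Constructed gateway addresses for the tunnel endpoints.
TUNNEL = esp_tunnel(ORIG, spi=0x2000, seq=1, gw_src="203.0.113.1", gw_dst="198.51.100.1")

if __name__ == "__main__":
    print("transport mode, visible:", visible_on_the_wire(TRANSPORT))
    print("tunnel mode, visible:   ", visible_on_the_wire(TUNNEL))
    print("extra bytes in tunnel mode:", len(TUNNEL) - len(TRANSPORT))
```

Running it shows the transport-mode packet exposing 10.1.1.10 and 10.2.2.20 on the outer header, while the tunnel-mode packet exposes only the two gateway addresses and costs an extra 20-byte IP header; the trailer's next-header byte is 6 (TCP) in transport mode and 4 (IP-in-IP) in tunnel mode, which is how the receiving peer knows whether a full inner IP header follows.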


Vote Up (11)

Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode - What's the Difference?

"IPSec’s protocol objective is to provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality.

As outlined in our IPSec protocol article, Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPSec security protocols used to provide these security services. Analysing the ESP and AH protocols is out of this article’s scope, however you can turn to our IPSec article where you’ll find an in-depth analysis and packet diagrams to help make the concept clear.

IPSec can be configured to operate in two different modes, Tunnel and Transport mode. Use of each mode depends on the requirements and implementation of IPSec."

Vote Up (10)

From an earlier discussion on networking-forum:


"Tunnel mode vs. transport mode simply determines how the devices terminating the "tunnel" treat it. For example, if two PCs establish an IPsec connection between each other solely for the purpose of encrypting traffic originating from one PC destined to the other, that would be a transport mode connection. If two routers establish an IPsec connection between each other for the purpose of acting as gateways for their local LAN to access the remote LAN, that would be a tunnel mode connection.


Transport mode IPsec is typically only used between two servers for the purpose of encrypting a data channel just between the two servers. Tunnel mode is much more frequently used, and is always the mode for site-to-site connections between routers." - ibarrere
