Better understanding IPsec modes

Can you please explain, with configuration, the differences between transport mode and tunnel mode?
I know that in tunnel mode both the IP header and the payload are encrypted.
Why not always use tunnel mode?
Why use transport mode?
I noticed in the IPsec policy that if I put the same IP addresses (let's say for an L2TP interface) in src-address/dst-address and in sa-src-address/sa-dst-address … both tunnel and transport mode would work.
What is the difference? It is not clear.
What is the template checkbox for? I noticed that in transport mode, if src-address and dst-address are subnets, an error pops up, but if I check template the error goes away.

Can you please clarify the whole subject?
Thanks

bump!

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html
Here you have a nice explanation and some examples of IPsec modes.

Yes, it is a good article :)
But can someone please explain why this happens?

I noticed in the IPsec policy that if I put the same IP addresses (let's say for an L2TP interface) in src-address/dst-address and in sa-src-address/sa-dst-address … both tunnel and transport mode would work.
What is the difference? It is not clear.
What is the template checkbox for? I noticed that in transport mode, if src-address and dst-address are subnets, an error pops up, but if I check template the error goes away.

Hi,

Did you really get an L2TP connection to work over an IPsec tunnel in tunnel mode? That never worked for me. So I would say the basic differences are:

Tunnel mode:
Can be used if no interface is required. The subnet that can be reached through the tunnel is entered in the field dst-address (xxx.xxx.xxx.xxx/xx) while src-address is your subnet. Routing to the destination subnet should work as soon as the tunnel is up.

Transport mode:
I used transport mode to be able to establish an L2TP connection on top of it. This gives me an interface I can use for policy based routing. When setting up a tunnel in transport mode dst-address cannot be a subnet and therefore additional manual routing entries become necessary in order to be able to reach that subnet.

For the use of the template checkbox please refer to http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
I never used policy groups, so I cannot provide further details or share experience.

Hope that helps.

Kind regards,
iBlueDragon
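An added configuration example, not taken from iBlueDragon's post or from the MikroTik manual, showing the three policy shapes this thread talks about in RouterOS v6 CLI syntax. The addresses are constructed placeholders, and it assumes a peer at 203.0.113.2 and a proposal named default already exist.

```routeros
# Added example (not from the thread). Addresses are constructed placeholders;
# a peer for 203.0.113.2 and a proposal named "default" are assumed to exist.

# Tunnel mode: selectors are whole subnets and no interface is created.
# Traffic between the two LANs gets a new outer IP header between
# sa-src-address and sa-dst-address (the routers' public addresses), so the
# remote LAN becomes reachable as soon as the SA is up.
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 \
    tunnel=yes action=encrypt proposal=default

# Transport mode: the original IP header is kept and only the payload is
# protected, so the selectors are the two endpoints themselves (/32) plus the
# protocol/port. Here it protects L2TP (UDP 1701); the L2TP interface built on
# top is what gives you something to route over or use in policy routing.
/ip ipsec policy add src-address=203.0.113.1/32 dst-address=203.0.113.2/32 \
    protocol=udp src-port=1701 dst-port=1701 \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 \
    tunnel=no action=encrypt proposal=default

# Template: never matched against traffic directly. RouterOS uses it only to
# check the selectors the remote peer proposes and to generate a dynamic policy
# from them, which is why a subnet here is accepted even though the same subnet
# in a plain transport-mode policy is rejected (the error the thread mentions).
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 \
    protocol=udp template=yes group=default proposal=default
```

When the template is the policy that actually matches, check the generated dynamic entry in /ip ipsec policy print (flagged D) to see which mode and selectors were really negotiated, rather than the mode set on the template itself.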

Did you really get an L2TP connection to work over an IPSec tunnel in tunnel mode? That never worked for me.

Yes, I got it to work after I checked the template checkbox, which I don't understand, and that is what confused me.
I put /32 addresses in both sa-src/sa-dst and src/dst, and I checked tunnel mode and template, and it worked.

Can someone please explain why?