Thursday, June 25, 2020

Understanding IPsec AH transport and tunnel mode

Time to drill into understanding the difference between the two. I can't understand why people are saying that in AH transport mode "it just adds an AH header after the IP header", but in tunnel mode "we add a new IP header on top of the original IP packet. This could be useful when you are using private IP addresses and you need to tunnel your traffic over the Internet". OK, so I labbed it up as per below and used transport mode:

(R1) .1-----13.0.0.0/24------.2 (R2) .2-------23.0.0.0/24-------- .3 (R3)

Note: for testing, I've configured # ip telnet source-interface lo0 on R1. The tunnel runs between R1 and R3.

##Configs

R1#
ip access-list extended TEST
 permit ip host 1.1.1.1 host 3.3.3.3
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key TEST address 23.0.0.3
crypto isakmp peer address 23.0.0.3
crypto ipsec transform-set TEST ah-sha-hmac
 mode transport
crypto map test 1 ipsec-isakmp
 set peer 23.0.0.3
 set transform-set TEST
 match address TEST
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet1/0
 ip address 12.0.0.1 255.255.255.0
 crypto map test

R3#
ip access-list extended TEST
 permit ip host 3.3.3.3 host 1.1.1.1
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key TEST address 12.0.0.1
crypto isakmp peer address 12.0.0.1
crypto ipsec transform-set TEST ah-sha-hmac
 mode transport
crypto map test 1 ipsec-isakmp
 set peer 12.0.0.1
 set transform-set TEST
 match address TEST
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
interface FastEthernet0/0
 ip address 23.0.0.3 255.255.255.0
 crypto map test

I sent a telnet packet from lo0 on R1 to lo0 on R3 and took a capture, shown in the link below:

https://ibb.co/yVcNtbM

So yes, the AH header is inserted after the IP header, and the idea of AH is that it authenticates/verifies the integrity of the data behind it. But in my capture I still have another IP header, which apparently is only supposed to be there in tunnel mode. OK, so then what is the difference between transport and tunnel mode? I will enable tunnel mode and capture another telnet session:

R1(config)#crypto ipsec transform-set TEST ah-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
!
R3(config)#crypto ipsec transform-set TEST ah-sha-hmac
R3(cfg-crypto-trans)#mode tunnel
!
R1(cfg-crypto-trans)#end
R1#clear cry isa
R1#telnet 3.3.3.3

The capture for this telnet session is in the screenshot below:

https://ibb.co/Lgdd34k

If you compare the two screenshots, you will see that they have the same headers. Thus I can't see the difference between tunnel and transport mode. Can someone explain?

Given that the internet says that in transport mode another IP header (the inner header) is not added (as it's a feature of tunnel mode), I was expecting the communication to fail because it's not supported. I expected that transport mode would only be useful when speaking between direct public IP endpoints, as it doesn't add the inner IP header necessary to carry the internal private RFC 1918 traffic on either end. However, this is not the case: in transport mode it does add another IP header, and you can still communicate/operate in the way that is described for tunnel mode. Thus I now don't understand the difference between the two.
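The two encapsulations the captures above are being compared against, as an added example that is not part of the original post: it builds an AH transport-mode packet (IP | AH | TCP) and an AH tunnel-mode packet (outer IP | AH | inner IP | TCP) for the addresses in the lab, computes the AH ICV as HMAC-SHA1-96 (what the ah-sha-hmac transform negotiates) over the packet with the mutable IPv4 fields zeroed as RFC 4302 requires, and walks the header chain the way a decoder does. The key, SPIs, sequence numbers and the telnet SYN segment are constructed placeholders; on a real SA they come from IKE and the host's TCP stack.

```python
"""Build, authenticate and decode IPsec AH packets in transport and tunnel mode (RFC 4302)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51
ICV_LEN = 12  # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (ah-sha-hmac)
NAMES = {PROTO_IPIP: "IPv4", PROTO_TCP: "TCP", PROTO_AH: "AH"}


def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # Version/IHL, TOS, total length, ID, DF flag, TTL, protocol, checksum (filled below), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_header(next_header: int, spi: int, seq: int, icv: bytes = b"\0" * ICV_LEN) -> bytes:
    # Payload Len = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key: bytes, packet: bytes) -> bytes:
    """HMAC over the whole IP packet with mutable fields zeroed (RFC 4302 section 3.3.3.1)."""
    buf = bytearray(packet)
    buf[1] = 0                      # DSCP/ECN may be rewritten in transit
    buf[6:8] = b"\0\0"              # flags + fragment offset
    buf[8] = 0                      # TTL is decremented by every hop
    buf[10:12] = b"\0\0"            # header checksum changes with TTL
    ah_off = (buf[0] & 0x0F) * 4
    ah_total = (buf[ah_off + 1] + 2) * 4
    buf[ah_off + 12:ah_off + ah_total] = b"\0" * (ah_total - 12)   # the ICV field itself
    return hmac.new(key, bytes(buf), hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(key: bytes, src: str, dst: str, proto: int, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    """Transport mode: the original IP header stays outermost, AH sits between it and the upper layer."""
    ah = ah_header(proto, spi, seq)
    pkt = ipv4_header(src, dst, PROTO_AH, len(ah) + len(payload)) + ah + payload
    return pkt[:32] + ah_icv(key, pkt) + pkt[32 + ICV_LEN:]


def ah_tunnel(key: bytes, outer_src: str, outer_dst: str, inner_packet: bytes, spi: int = 0x200, seq: int = 1) -> bytes:
    """Tunnel mode: a new outer IP header is added and AH's Next Header (4) says a full IP packet follows."""
    return ah_transport(key, outer_src, outer_dst, PROTO_IPIP, inner_packet, spi, seq)


def header_chain(pkt: bytes) -> list:
    """Walk IPv4 / AH / inner IPv4 headers, e.g. ['IPv4 1.1.1.1>3.3.3.3', 'AH spi=0x100', 'TCP']."""
    chain, off, proto = [], 0, PROTO_IPIP
    while proto in (PROTO_IPIP, PROTO_AH):
        if proto == PROTO_IPIP:
            src, dst = IPv4Address(pkt[off + 12:off + 16]), IPv4Address(pkt[off + 16:off + 20])
            chain.append(f"IPv4 {src}>{dst}")
            proto, off = pkt[off + 9], off + (pkt[off] & 0x0F) * 4
        else:
            nxt, plen, _, spi = struct.unpack("!BBHI", pkt[off:off + 8])
            chain.append(f"AH spi=0x{spi:x}")
            proto, off = nxt, off + (plen + 2) * 4
    chain.append(NAMES.get(proto, str(proto)))
    return chain


def verify(key: bytes, pkt: bytes) -> bool:
    ah_off = (pkt[0] & 0x0F) * 4
    return hmac.compare_digest(pkt[ah_off + 12:ah_off + 12 + ICV_LEN], ah_icv(key, pkt))


def ttl_decrement_survives(key: bytes, pkt: bytes) -> bool:
    """A router hop (TTL-1, new checksum) must not break AH, since both fields are mutable."""
    hop = bytearray(pkt)
    hop[8] -= 1
    hop[10:12] = b"\0\0"
    hop[10:12] = struct.pack("!H", ip_checksum(bytes(hop[:20])))
    return verify(key, bytes(hop))


def tamper_detected(key: bytes, pkt: bytes) -> bool:
    """Flipping one payload bit must fail verification."""
    bad = bytearray(pkt)
    bad[-1] ^= 1
    return not verify(key, bytes(bad))


KEY = b"constructed-demo-key"  # constructed; a real AH key is derived by IKE
# Constructed telnet SYN (src port 11000 -> dst port 23), TCP checksum left as 0 for the demo
TELNET = struct.pack("!HHIIBBHHH", 11000, 23, 1, 0, 0x50, 0x02, 8192, 0, 0)
TRANSPORT = ah_transport(KEY, "1.1.1.1", "3.3.3.3", PROTO_TCP, TELNET)
INNER = ipv4_header("1.1.1.1", "3.3.3.3", PROTO_TCP, len(TELNET)) + TELNET
TUNNEL = ah_tunnel(KEY, "12.0.0.1", "23.0.0.3", INNER)

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT), ("tunnel", TUNNEL)):
        print(f"{name:9s} {len(pkt):3d} bytes  {' | '.join(header_chain(pkt))}  icv_ok={verify(KEY, pkt)}")
```

The field to check in both captures is AH's Next Header byte: 6 (TCP) means the packet's only IP header is the original one and the SA is in transport mode; 4 (IP-in-IP) means an inner IP header follows and the SA is in tunnel mode. Two caveats that follow from the decoder: AH covers the outer IP header's immutable fields (source and destination included), so AH traffic does not survive NAT; and IOS only applies transport mode when the protected traffic's source and destination are the IPsec peers themselves (here 12.0.0.1 and 23.0.0.3), so for 1.1.1.1 to 3.3.3.3 a transform set with plain "mode transport" negotiates tunnel mode instead, unless "mode transport require" is configured, in which case the SA is not established for that traffic.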


