[strongSwan] [strongSwan-users] When Tunnel mode Becomes Transport Mode

Daniel Palomares palomaresdaniel at gmail.com
Fri Feb 20 14:22:24 CET 2015


Hello All,

I have a "basic" question concerning a specific Use-Case.
I have recently discussed with an expert concerning a scenario which he
told me was successfully tested some years ago (not with strongSwan but
with another hardware vendor).

*The description of the topology is the following*: Imagine two domains
that are reachable through their respective gateways, and both gateways are
capable to establish an IPsec tunnel in order to secure traffic between
both domains.
So, at first sight, I did think of a typical Site-to-Site scenario where
subnets are protected by their respective gateways.

However, the expert told me that it is possible to use Transport Mode
instead of Tunnel Mode for this scenario as well.
For this Use Case to happen, the gateways must not encapsulate the entire
IP packets (as Tunnel Mode does) but just need to do the routing task and
cipher the data. It means that the gateways cipher the L4-7 data without
changing the original IP header.
I guess there is some equipment that supports this scenario even though it is
not a standardized usage of what Transport/Tunnel mode do. Thus, my questions
are:
1. Has anyone seen this Use Case working before? If yes, how/which
implementation/hardware does so?
2. I know that Transport Mode is used for End-Point to End-Point
communications where the data plane is generated from/to end-points. But does
strongSwan support this kind of Site-to-Site communications in Transport
Mode?


Best Regards,
Daniel Palomares
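To make the difference the post is asking about concrete, here is an added illustration (not part of the original message, and not strongSwan code) that lays out what an ESP packet looks like on the wire in transport mode versus tunnel mode, following the RFC 4303 layout, and applies the RFC 4301 rule that a transport-mode SA sits between the addresses in the packet's own IP header. All addresses and payloads are constructed sample values; `esp_transport`, `esp_tunnel`, `cleartext_addresses` and `transport_sa_covers` are hypothetical helper names. The practitioner's takeaways it demonstrates: in transport mode the end hosts' addresses stay visible to anyone on the path (no traffic-flow confidentiality), and a gateway that is neither source nor destination of the packet cannot apply a standard transport-mode SA to it, which is exactly why the scenario described above is non-standard.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# One field of the on-the-wire layout; `encrypted` marks what ESP protects.
@dataclass
class Field:
    name: str
    value: str
    encrypted: bool

def esp_transport(src: str, dst: str, proto: str, l4_payload: str) -> List[Field]:
    """ESP transport mode (RFC 4303): the original IP header is kept in
    cleartext, the ESP header is inserted after it, and only the L4 data
    plus the ESP trailer (padding, next-header) are encrypted."""
    return [
        Field("ip.src", src, False),
        Field("ip.dst", dst, False),
        Field("ip.proto", "ESP(50)", False),
        Field("esp.spi_seq", "<spi,seq>", False),
        Field("esp.payload", f"{proto}:{l4_payload}", True),
        Field("esp.trailer.next_header", proto, True),
        Field("esp.icv", "<icv>", False),
    ]

def esp_tunnel(gw_src: str, gw_dst: str, src: str, dst: str,
               proto: str, l4_payload: str) -> List[Field]:
    """ESP tunnel mode: the whole original packet, IP header included,
    becomes the encrypted payload behind a new outer IP header whose
    addresses are the two gateways."""
    return [
        Field("ip.src", gw_src, False),
        Field("ip.dst", gw_dst, False),
        Field("ip.proto", "ESP(50)", False),
        Field("esp.spi_seq", "<spi,seq>", False),
        Field("inner.ip.src", src, True),
        Field("inner.ip.dst", dst, True),
        Field("inner.ip.proto", proto, True),
        Field("esp.payload", l4_payload, True),
        Field("esp.trailer.next_header", "IPv4(4)", True),
        Field("esp.icv", "<icv>", False),
    ]

def cleartext_addresses(layout: List[Field]) -> Set[str]:
    """Addresses an on-path observer can read: the outer IP header only."""
    return {f.value for f in layout
            if f.name in ("ip.src", "ip.dst") and not f.encrypted}

def transport_sa_covers(sa_endpoints: Tuple[str, str], src: str, dst: str) -> bool:
    """RFC 4301: a transport-mode SA is between the two addresses carried in
    the packet's own IP header, so it can only protect packets whose
    src/dst are exactly the SA's endpoints (in either direction)."""
    a, b = sa_endpoints
    return {src, dst} == {a, b}

if __name__ == "__main__":
    # Constructed sample: host 10.1.0.5 in domain A talks to 10.2.0.7 in
    # domain B; the gateways are 203.0.113.1 and 198.51.100.1.
    t = esp_transport("10.1.0.5", "10.2.0.7", "TCP", "GET /")
    u = esp_tunnel("203.0.113.1", "198.51.100.1", "10.1.0.5", "10.2.0.7", "TCP", "GET /")
    print("transport mode exposes:", sorted(cleartext_addresses(t)))
    print("tunnel mode exposes:   ", sorted(cleartext_addresses(u)))
    gw_sa = ("203.0.113.1", "198.51.100.1")
    print("gateway transport SA covers host traffic:",
          transport_sa_covers(gw_sa, "10.1.0.5", "10.2.0.7"))
```

Running it shows transport mode leaving `10.1.0.5` and `10.2.0.7` readable on the path while tunnel mode exposes only the gateway addresses, and that a transport-mode SA between the two gateways does not cover host-to-host packets; RFC 4301 accordingly requires security gateways to support tunnel mode and limits transport mode to traffic where the gateway itself is the endpoint.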