Ipsec transport and tunnel modes – Cisco ASA 5505 User Manual


65-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 65 Configuring L2TP over IPsec

Information About L2TP over IPsec/IKEv1

The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the
lifetime on the ASA is set to less than 300 seconds, the Windows client ignores it and replaces it with a
300 second lifetime.

IPsec Transport and Tunnel Modes

By default, the ASA uses IPsec tunnel mode—the entire original IP datagram is encrypted, and it
becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as
an IPsec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts
packets and forwards them along the IPsec tunnel. The destination router decrypts the original IP
datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the
end systems do not need to be modified to receive the benefits of IPsec. Tunnel mode also protects
against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not
the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

However, the Windows L2TP/IPsec client uses IPsec transport mode—only the IP payload is encrypted,
and the original IP headers are left intact. This mode has the advantages of adding only a few bytes to
each packet and allowing devices on the public network to see the final source and destination of the
packet.

Figure 65-1 illustrates the differences between IPsec tunnel and transport modes.

In order for Windows L2TP and IPsec clients to connect to the ASA, you must configure IPsec transport
mode for a transform set using the crypto ipsec transform-set trans_name mode transport command.
This command is used in the configuration procedure.

With this transport capability, you can enable special processing (for example, QoS) on the intermediate
network based on the information in the IP header. However, the Layer 4 header is encrypted, which
limits the examination of the packet. Unfortunately, if the IP header is transmitted in clear text, transport
mode allows an attacker to perform some traffic analysis.
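As an added illustration (not part of the Cisco guide), the following Python models the two packet layouts described above and shows what a device on the public network can read in each case: in tunnel mode only the gateway addresses, in transport mode the real source and destination. The addresses, SPI and the length-preserving placeholder that stands in for ESP encryption are constructed for the example; this is a layout model, not real IPsec.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50     # IP protocol number for ESP
IP_HDR_LEN = 20    # IPv4 header without options
# The ESP header here is SPI (4) + sequence number (4); trailer and ICV are left out of the model.

def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: no options, checksum left at zero (layout model only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4_header(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    return {"src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])),
            "proto": f[6], "len": f[2]}

def encrypt_placeholder(data):
    """Stand-in for ESP encryption: same length, unreadable to an on-path observer."""
    return b"\xff" * len(data)

def tunnel_mode(inner, gw_src, gw_dst, spi, seq):
    """Tunnel mode: the whole original datagram is encrypted and carried in a new IP packet."""
    body = struct.pack("!II", spi, seq) + encrypt_placeholder(inner)
    return build_ipv4_header(gw_src, gw_dst, ESP_PROTO, len(body)) + body

def transport_mode(inner, spi, seq):
    """Transport mode: original IP header kept (protocol field becomes ESP); only the payload is encrypted."""
    h = parse_ipv4_header(inner)
    body = struct.pack("!II", spi, seq) + encrypt_placeholder(inner[IP_HDR_LEN:])
    return build_ipv4_header(h["src"], h["dst"], ESP_PROTO, len(body)) + body

def observer_view(pkt, inner):
    """What a device on the public network can read, plus bytes added versus the original datagram."""
    h = parse_ipv4_header(pkt)
    return {"src": h["src"], "dst": h["dst"], "proto": h["proto"], "overhead": len(pkt) - len(inner)}

# Constructed sample: a 40-byte UDP payload between two inner hosts, protected by two gateways.
INNER = build_ipv4_header("10.1.1.10", "10.2.2.20", 17, 40) + bytes(range(40))
TUNNEL_PKT = tunnel_mode(INNER, "203.0.113.1", "198.51.100.1", spi=0x1000, seq=1)
TRANSPORT_PKT = transport_mode(INNER, spi=0x1000, seq=1)

if __name__ == "__main__":
    print("tunnel   :", observer_view(TUNNEL_PKT, INNER))
    print("transport:", observer_view(TRANSPORT_PKT, INNER))
```

The overhead values show the "few bytes" difference: tunnel mode adds a new 20-byte IP header plus the ESP header, transport mode only the ESP header.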

Figure 65-1 IPsec in Tunnel and Transport Modes

[Figure: packet layouts]
Tunnel mode: New IP HDR | IPSec HDR | IP HDR | Data (original IP HDR and Data encrypted)
Transport mode: IP HDR | IPSec HDR | Data (only Data encrypted)
