Tunnel Mode vs Transport Mode: Which Should You Use?

IPsec offers two modes. They are often transparent to the client, but they are important to understand: an engineer or client who assumes the wrong mode is in use can face frustration and delayed resolution.
This post will focus on tunnel mode and transport mode as they relate to the IPsec protocol suite. It is worth remembering that the original Requests for Comments (RFCs), published in the mid-1990s, were superseded by newer ones a few years later. The suite has since been updated for IPv6 and has remained stable over time.
What is a VPN?
VPN stands for Virtual Private Network. VPNs are used to secure network traffic between sites or endpoints. Secure here means encrypting the contents so that only the intended parties or sites can read them. The most common use is to encrypt connections over the Internet, but that is not the only one. Some organizations require encryption on private circuits such as MPLS, VPLS, or point-to-point links: these are private connections, but they are neither encrypted nor otherwise secured, and a VPN helps in that regard.
What is Transport Mode?
Transport mode is one of the two ways to build an IPsec tunnel. It is reserved for point-to-point use, where the two endpoints communicate directly with one another. This may seem absurd in today's SD-WAN world, where full-mesh VPN tunnels can be set up at the touch of a few buttons, but remember how these tunnels came about: encryption was not as widespread in the mid-1990s as it is today.
The key difference in transport mode is that the IP header is not encrypted; only the data payload is. Unlike tunnel mode, the original packet is not encapsulated inside a new one, so the header must stay in the clear for routers to read the source and destination and decide how to forward it. Anyone on the path can therefore see the original source and destination. This may not be a problem, but it is important to know the difference between tunneling whole sites and protecting specific endpoints.
Transport Mode: Use Case 1
Tunneling protocols existed before IPsec and were used to connect sites over the Internet, but they offered little or no encryption; in the early days of the Internet, security was quite relaxed. Protocols such as L2TP (Layer Two Tunneling Protocol) and Cisco's GRE (Generic Routing Encapsulation) were available at the time. They were very effective at tunneling, but their encryption was almost nonexistent.
Transport mode made it simple to encrypt a tunnel that already existed between two sites. An organization could keep a tunnel built with something like GRE, add IPsec in transport mode to encrypt it, and migrate to IPsec without rebuilding the tunnel or throwing away its experience with GRE configuration and troubleshooting.
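The following is an added example, not code from the original post, modelling what an on-path observer can read in each of the cases described above: ESP in transport mode (original addresses visible, payload hidden), ESP in tunnel mode (only gateway addresses visible), and GRE carried inside transport-mode ESP (the GRE router addresses visible, the inner hosts hidden because GRE already encapsulated them). The packet layout is a simplified model: real ESP also carries an SPI, sequence number, padding and an ICV, and uses a real cipher such as AES-GCM; the keystream cipher, the key and all addresses here are constructed for the demonstration.

```python
"""Simplified model of IPsec ESP transport mode vs tunnel mode.

Added illustration, not code from the original post. The packet layout is a
model: real ESP also carries an SPI, sequence number, padding and an ICV, and
uses a real cipher (e.g. AES-GCM). All addresses below are constructed.
"""
from dataclasses import dataclass
import hashlib


@dataclass
class IPHeader:
    src: str
    dst: str
    proto: str          # upper-layer protocol carried: "TCP", "GRE", "ESP", ...


@dataclass
class Packet:
    header: IPHeader
    payload: bytes      # everything after the IP header


def serialize(pkt: Packet) -> bytes:
    """Flatten a packet so it can be carried as the payload of another."""
    hdr = f"{pkt.header.src}|{pkt.header.dst}|{pkt.header.proto}|".encode()
    return hdr + pkt.payload


def parse(raw: bytes) -> Packet:
    src, dst, proto, payload = raw.split(b"|", 3)
    return Packet(IPHeader(src.decode(), dst.decode(), proto.decode()), payload)


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR keystream from SHA-256 in counter mode (symmetric: same call decrypts).
    Stand-in for ESP's real cipher so the example runs offline; NOT secure."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_transport(pkt: Packet, key: bytes) -> Packet:
    """Transport mode: the ORIGINAL IP header stays in the clear; only the
    payload (plus the original next-protocol, which real ESP keeps in the
    encrypted trailer) is encrypted."""
    inner = pkt.header.proto.encode() + b"|" + pkt.payload
    return Packet(IPHeader(pkt.header.src, pkt.header.dst, "ESP"),
                  toy_cipher(key, inner))


def esp_transport_decap(wire: Packet, key: bytes) -> Packet:
    proto, payload = toy_cipher(key, wire.payload).split(b"|", 1)
    return Packet(IPHeader(wire.header.src, wire.header.dst, proto.decode()), payload)


def esp_tunnel(pkt: Packet, key: bytes, gw_src: str, gw_dst: str) -> Packet:
    """Tunnel mode: the WHOLE original packet, header included, is encrypted
    and a new IP header addressed gateway-to-gateway is prepended."""
    return Packet(IPHeader(gw_src, gw_dst, "ESP"), toy_cipher(key, serialize(pkt)))


def esp_tunnel_decap(wire: Packet, key: bytes) -> Packet:
    return parse(toy_cipher(key, wire.payload))


def gre_encapsulate(pkt: Packet, tun_src: str, tun_dst: str) -> Packet:
    """Plain GRE (no encryption): the inner packet rides as the payload of a
    router-to-router IP packet behind a minimal 4-byte GRE header
    (no flags, version 0, protocol type 0x0800 = IPv4)."""
    return Packet(IPHeader(tun_src, tun_dst, "GRE"), b"\x00\x00\x08\x00" + serialize(pkt))


def observer_view(wire: Packet) -> dict:
    """What someone capturing on an intermediate link can read."""
    return {"src": wire.header.src, "dst": wire.header.dst,
            "proto": wire.header.proto, "bytes_on_wire": wire.payload}


# Constructed sample: host A sends plain-text HTTP to host B; the gateways
# (198.51.100.1 and 203.0.113.1) are the tunnel/GRE endpoints.
KEY = b"constructed-demo-key"
ORIGINAL = Packet(IPHeader("10.1.1.10", "10.2.2.20", "TCP"), b"GET /secret HTTP/1.1")


def demo() -> dict:
    transport = esp_transport(ORIGINAL, KEY)
    tunnel = esp_tunnel(ORIGINAL, KEY, "198.51.100.1", "203.0.113.1")
    gre_over_esp = esp_transport(
        gre_encapsulate(ORIGINAL, "198.51.100.1", "203.0.113.1"), KEY)
    return {"transport": observer_view(transport),
            "tunnel": observer_view(tunnel),
            "gre_transport": observer_view(gre_over_esp)}


if __name__ == "__main__":
    for mode, view in demo().items():
        print(f"{mode:14s} observer sees {view['src']} -> {view['dst']} proto={view['proto']}")
```

Running it prints the addresses an observer reads in each mode: the inner hosts in transport mode, the gateways in tunnel mode, and the GRE routers in the GRE-over-transport case. The third case is the point of use case 1: because GRE has already wrapped the original packet, adding transport-mode ESP on the GRE tunnel hides the inner hosts just as tunnel mode would, without rebuilding the tunnel.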
Transport Mode: Use Case 2
Sometimes only two Internet endpoints need to be encrypted, not entire sites. Transport mode fits this case, especially if you do not care about encrypting the IP headers or hiding the original source and destination. It works well for two endpoints communicating directly over the Internet, particularly when the protocol between them is more or less plain text, in contrast to modern protocols and applications that bring their own encryption such as TLS.
Transport Mode: Use Case 3
Point-to-site (P2S) connections may, in some cases, use transport mode to encrypt connectivity between clients and a VPN concentrator. They may do so because they rely on a proprietary tunneling protocol, as described above.