Up until now, we've focused on protocols like SSH and HTTPS that protect specific application data. IPsec (Internet Protocol Security) operates at the Network Layer. This means it doesn't care if you're using HTTP, FTP, or a custom binary protocol: it encrypts the entire IP payload, making the network itself the secure boundary.
In Transport Mode, only the payload of the IP packet is encrypted. The original IP header remains intact. This mode is primarily used for host-to-host communication (e.g., a workstation talking to a server) where both endpoints are IPsec-aware. Because the original header is visible, an attacker can still see who is talking to whom, but they cannot see what is being said.
💡 Transport mode is efficient because it adds less overhead (no extra IP header), but it is useless for connecting two different networks through a gateway.
```text
# Conceptual packet structure: Transport Mode
[ Original IP Header ] [ IPsec Header (ESP/AH) ] [ Encrypted Payload ]
```

The main limitation here is that the packet is only secure if the destination machine is the one that decrypts it. If you try to use Transport Mode across a NAT (Network Address Translation) device, the packet will often be dropped: NAT rewrites the IP header, which can break the integrity check.
Tunnel Mode is the backbone of Site-to-Site VPNs. Instead of just encrypting the payload, IPsec wraps the *entire original IP packet* (including the original header) inside a brand new IP packet. This 'packet-within-a-packet' approach hides the internal IP addresses of the source and destination from the public internet.
⚠️ Tunnel mode adds significantly more overhead than Transport mode. This can lead to 'MTU Issues' (Maximum Transmission Unit), where packets are too large for some network hops and are fragmented, causing severe performance degradation.
| Feature | Transport Mode | Tunnel Mode |
|---|---|---|
| Encrypted Part | Payload only | Entire original packet |
| IP Header | Original header visible | New header added |
| Use Case | Host-to-Host | Gateway-to-Gateway (VPN) |
| Overhead | Low | Higher |
| NAT Compatibility | Poor | Better (with NAT-T) |
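To make the "Overhead" row of the table and the MTU warning concrete, here is an added example (not part of the original lesson) that sizes an ESP-protected packet in each mode and finds the largest inner payload that still fits a given MTU without fragmentation. Header and trailer sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T); the two cipher suites, their IV lengths and the 1000-byte sample payload are assumptions chosen for illustration.

```python
"""Added example, not from the original lesson: size an ESP-protected packet in
Transport and Tunnel mode and find the largest inner payload that still fits an
MTU. Field sizes follow RFC 4303 (ESP) and RFC 3948 (NAT-T); the cipher suite
parameters below are assumed example values."""
from dataclasses import dataclass

IPV4_HEADER = 20   # IPv4 header without options (original and, in tunnel mode, outer)
UDP_HEADER = 8     # present only with NAT-T (ESP wrapped in UDP, port 4500)
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int     # IV bytes sent in front of the ciphertext
    block_len: int  # ciphertext + padding + trailer is aligned to this
    icv_len: int    # integrity check value appended at the end


# Assumed suites: AES-CBC (RFC 3602) with a 128-bit truncated HMAC, and AES-GCM (RFC 4106).
AES_CBC_HMAC = EspSuite("AES-CBC + HMAC-SHA256-128", iv_len=16, block_len=16, icv_len=16)
AES_GCM = EspSuite("AES-GCM-128", iv_len=8, block_len=4, icv_len=16)


def esp_padding(encrypted_len, block_len):
    """Bytes of padding so that ciphertext + padding + 2-byte trailer is block aligned."""
    return (-(encrypted_len + ESP_TRAILER)) % block_len


def layout(inner_payload, mode, suite, nat_t=False):
    """Conceptual segment list [(name, bytes), ...] for one packet on the wire."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    if mode == "transport":
        # Original header stays visible; only the payload is encrypted.
        first = ("Original IP header", IPV4_HEADER)
        enc_name, enc_len = "Encrypted payload", inner_payload
    else:
        # Whole original packet (header included) is encrypted behind a new outer header.
        first = ("New outer IP header", IPV4_HEADER)
        enc_name, enc_len = "Encrypted original IP packet", IPV4_HEADER + inner_payload
    segments = [first]
    if nat_t:
        segments.append(("UDP header (NAT-T)", UDP_HEADER))
    segments += [
        ("ESP header (SPI + seq)", ESP_HEADER),
        ("IV", suite.iv_len),
        (enc_name, enc_len),
        ("ESP padding", esp_padding(enc_len, suite.block_len)),
        ("Pad length + next header", ESP_TRAILER),
        ("ICV", suite.icv_len),
    ]
    return segments


def wire_size(inner_payload, mode, suite, nat_t=False):
    """Total bytes on the wire for the protected packet."""
    return sum(size for _, size in layout(inner_payload, mode, suite, nat_t))


def max_inner_payload(mtu, mode, suite, nat_t=False):
    """Largest inner payload whose protected packet still fits in one MTU (no fragmentation)."""
    for n in range(mtu, -1, -1):
        if wire_size(n, mode, suite, nat_t) <= mtu:
            return n
    raise ValueError("MTU too small for any payload")


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"\n{mode} mode, {AES_CBC_HMAC.name}, 1000-byte inner payload (constructed sample):")
        for name, size in layout(1000, mode, AES_CBC_HMAC):
            print(f"  {name:<30} {size:>5} bytes")
        print(f"  total on the wire: {wire_size(1000, mode, AES_CBC_HMAC)} bytes")
    for nat_t in (False, True):
        print(f"max inner payload at MTU 1500, tunnel mode, NAT-T={nat_t}: "
              f"{max_inner_payload(1500, 'tunnel', AES_CBC_HMAC, nat_t)} bytes")
```

The `max_inner_payload` figure is the number to feed into MSS clamping or path-MTU planning on a tunnel gateway: an original packet larger than that will either be fragmented after encapsulation or dropped if the don't-fragment bit is set. Note that the tunnel/transport difference for the same payload is not always exactly 20 bytes, because the ESP padding changes with the length being encrypted.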
When architecting a network, the choice depends on the trust boundary. If you are securing traffic between two servers in the same VLAN, Transport mode is sufficient. If you are connecting a branch office in New York to a data center in London over the public internet, Tunnel mode is mandatory to hide the internal network topology.
Never deploy IPsec without a clear understanding of your routing. A misconfigured Tunnel mode can create a 'routing loop' where the VPN tries to encrypt the packet that is carrying the VPN itself.