“Why do IPSec peers end up using tunnel mode, even though we had explicitly configured transport mode in the IPSec transform-set?”
It is an excellent question, and here is the answer. In a site to site IPSec tunnel the “mode transport” setting is only used when the traffic to be protected (traffic matching the Crypto ACLs) has the same IP addresses as the IPSec peers, and excludes all other IP addresses. When Crypto ACLs include IP addresses beyond of the 2 peer endpoints the “mode transport” setting is ignored, and tunnel mode is negotiated (due to IP addresses, other than the 2 peers, being part of the crypto ACL). There is also an option for the key word “require” after “mode transport” which will prevent the peers from negotiating tunnel mode, and if the IP addresses in the Crypto ACLs are outside of the peers’s own IP addresses, IKE phase 2 will not successfully complete.
One notable exception to this, is GET VPN, where the KS policy of tunnel mode or transport mode will be used by the group members (whichever mode the KS has configured), regardless of the IP addresses used in the KS ACL for policy.
Below is a site to site example. Let’s use the following topology, with R1 and R3 being peers, and a Crypto ACL that says to encrypt all ICMP traffic, regardless of the IP addresses. This Crypto ACL will cause our peers to ignore the mode transport option, and negotiate tunnel mode.
Below are the full configs, some debug output, and show commands to demonstrate that even with transport mode explicitly configured in the transform sets, if the crypto ACLs don’t exclusively include the endpoints of the VPN tunnel, the two peers go ahead and negotiate tunnel mode instead of transport mode. Note the Crypto ACL includes all ICMP from any source to any destination.
First, here is R1: R1#show run!hostname R1!crypto isakmp policy 1authentication pre-sharecrypto isakmp key cisco address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set MYSET esp-aes esp-sha-hmacmode transport!crypto map MYMAP 10 ipsec-isakmpset peer 23.0.0.3set transform-set MYSETmatch address 100!interface FastEthernet0/0ip address 10.0.0.1 255.255.255.0crypto map MYMAP!router ospf 1log-adjacency-changesnetwork 0.0.0.0 255.255.255.255 area 0!!access-list 100 permit icmp any any!endNow for R3 R3#show run!hostname R3!crypto isakmp policy 1authentication pre-sharecrypto isakmp key cisco address 0.0.0.0 0.0.0.0!!crypto ipsec transform-set MYSET esp-aes esp-sha-hmacmode transport!crypto map MYMAP 10 ipsec-isakmpset peer 10.0.0.1set transform-set MYSETmatch address 100!interface FastEthernet0/1ip address 23.0.0.3 255.255.255.0crypto map MYMAP!router ospf 1network 0.0.0.0 255.255.255.255 area 0!access-list 100 permit icmp any any!endR3#Let’s enable debug of crypto isakmp, and send a couple sets of PING requests from R3 to R1 R3#debug crypto isakmpCrypto ISAKMP debugging is onR3#ping 10.0.0.1 source 23.0.0.3 repeat 10Here is the relevant portion of the debug output:
ISAKMP (0:1001): received packet from 10.0.0.1 dport 500 sport 500 Global (I) QM_IDLEISAKMP1001): processing HASH payload. message ID = 1137801467ISAKMP1001): processing SA payload. message ID = 1137801467ISAKMP1001):Checking IPSec proposal 1ISAKMP: transform 1, ESP_AESISAKMP: attributes in transform:ISAKMP: encaps is 1 (Tunnel)ISAKMP: SA life type in secondsISAKMP: SA life duration (basic) of 3600ISAKMP: SA life type in kilobytesISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0SAKMP: authenticator is HMAC-SHAISAKMP: key length is 128ISAKMP1001):atts are acceptable.To verify the tunnel mode is in place, we can look at the details of the SA: R3# show crypto ipsec sainterface: FastEthernet0/1 Crypto map tag: MYMAP, local addr 23.0.0.3 protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0) current_peer 10.0.0.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 23.0.0.3, remote crypto endpt.: 10.0.0.1 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1 current outbound spi: 0x96474B70(2521254768) inbound esp sas: spi: 0x59B117E1(1504778209) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 1, flow_id: SW:1, crypto map: MYMAP sa timing: remaining key lifetime (k/sec): (4399136/3319) IV size: 16 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x96474B70(2521254768) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2, flow_id: SW:2, crypto map: MYMAP sa timing: remaining key lifetime (k/sec): (4399136/3319) IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: