Cisco Systems ASA5515K9, ASA 5500 IPsec Transport and Tunnel Modes

65-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter65 Configuring L2TP over IPsec

Information About L2TP over IPsec/IKEv1

The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the

lifetime on the ASA is set to less than 300 seconds, the Windows client ignores it and replaces it with a

300 second lifetime.

IPsec Transport and Tunnel Modes

By default, the ASA uses IPsec tunnel mode—the entire original IP datagram is encrypted, and it

becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as

an IPsec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts

packets and forwards them along the IPsec tunnel. The destination router decrypts the original IP

datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the

end systems do not need to be modified to receive the benefits of IPsec. Tunnel mode also protects

against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not

the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

However, the Windows L2TP/IPsec client uses IPsec transport mode—only the IP payload is encrypted,

and the original IP headers are left intact. This mode has the advantages of adding only a few bytes to

each packet and allowing devices on the public network to see the final source and destination of the

packet. Figure 65-1 illustrates the differences between IPsec tunnel and transport modes.

In order for Windows L2TP and IPsec clients to connect to the ASA, you must configure IPsec transport

mode for a transform set using the crypto ipsec transform-set trans_name mode transport command.

This command is used in the configuration procedure.

With this transport capability, you can enable special processing (for example, QoS) on the intermediate

network based on the information in the IP header. However, the Layer4 header is encrypted, which

limits the examination of the packet. Unfortunately, if the IP header is transmitted in clear text, transport

mode allows an attacker to perform some traffic analysis.

Figure65-1 IPsec in Tunnel and Transport Modes

IP HDR

23246

Data

Encrypted

IP HDR Data

Encrypted

IPSec HDRNew IP HDR

IP HDR Data

DataIPSec HDRIP HDR