25-20
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IPsec Proposals
Selecting Tunnel Mode for IKEv1 Transform Sets
When defining an IKEv1 transform set, you must specify which IPsec mode of operation to use—tunnel
mode or transport mode. You can use the AH and ESP protocols to protect an entire IP payload (Tunnel
mode) or just the upper-layer protocols of an IP payload (Transport mode).
In tunnel mode (the default), the entire original IP datagram is encrypted, and it becomes the payload in
a new IP packet. This mode allows a router to act as an IPsec proxy. That is, the router performs
encryption on behalf of the hosts. The source’s router encrypts packets and forwards them along the
IPsec tunnel. The destination’s router decrypts the original IP datagram and forwards it on to the
destination system. The major advantage of tunnel mode is that the end systems do not need to be
modified to enjoy the benefits of IPsec. Tunnel mode also protects against traffic analysis. With tunnel
mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the
tunneled packets, even if they are the same as the tunnel endpoints.
In transport mode, only the IP payload is encrypted, and the original IP headers are left intact. This mode
has the advantage of adding only a few bytes to each packet. It also allows devices on the public network
to see the final source and destination of the packet. However, by passing the IP header in the clear,
transport mode allows an attacker to perform some traffic analysis. For example, an attacker could see
when a company’s CEO sent many packets to another senior executive. However, the attacker would only
know that IP packets were sent; the attacker would not be able to decipher the contents of the packets.
With transport mode, the destination of the flow must be an IPsec termination device.
Note: You cannot use transport mode for VPN topologies using regular IPsec or Easy VPN.
Related Topics
Understanding IPsec Proposals, page 25-17
Understanding Crypto Maps, page 25-18
Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21
Understanding Reverse Route Injection
Reverse Route Injection (RRI) enables static routes to be automatically inserted into the routing process
for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks
are known as remote proxy identities. Each route is created on the basis of the remote proxy network and
mask, with the next hop to this network being the remote tunnel endpoint. By using the remote VPN
router as the next hop, the traffic is forced through the crypto process to be encrypted.
After the static route is created on the VPN router, this information is propagated to upstream devices,
allowing them to determine the appropriate VPN router to which to send returning traffic in order to
maintain IPsec state flows. This is particularly useful if multiple VPN routers are used at a site to provide
load balancing or failover, or if the remote VPN devices are not accessible through a default route.
Routes are created in either the global routing table or the appropriate virtual route forwarding (VRF)
table.
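The following is an added illustration of the RRI behaviour described above; it is not code from Security Manager or from any Cisco device, and all addresses, the two VPN router names and the VRF name are constructed for the example. It models the two steps the text describes: each remote proxy identity becomes a static route whose next hop is the remote tunnel endpoint, and once that route is redistributed an upstream device sees the VPN router itself as the next hop, so returning traffic for each protected network reaches the router that holds the IPsec state.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Network     # remote proxy network and mask
    next_hop: IPv4Address
    table: str              # "global" or a VRF name


def reverse_route_inject(peer, remote_proxies, table="global"):
    """RRI on one VPN router: one static route per remote proxy identity,
    with the remote tunnel endpoint (the crypto map peer) as next hop."""
    return [StaticRoute(IPv4Network(n), IPv4Address(peer), table) for n in remote_proxies]


def propagate(vpn_router, routes):
    """What an upstream device learns when the VPN router redistributes its
    RRI routes: same prefixes and table, next hop becomes the VPN router."""
    return [StaticRoute(r.prefix, IPv4Address(vpn_router), r.table) for r in routes]


def lookup(routes, dst, table="global"):
    """Longest-prefix match within one routing table; None if no route."""
    hits = [r for r in routes if r.table == table and IPv4Address(dst) in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen).next_hop if hits else None


# Constructed sample: two VPN routers at one site (failover/load balancing),
# each terminating a tunnel to a different remote peer, plus one VRF tunnel.
VPN_A, VPN_B = "10.0.0.1", "10.0.0.2"
ROUTES_A = reverse_route_inject("203.0.113.10", ["192.168.10.0/24"])
ROUTES_B = reverse_route_inject("203.0.113.20", ["192.168.20.0/24", "192.168.20.128/25"])
ROUTES_VRF = reverse_route_inject("203.0.113.30", ["172.16.0.0/16"], table="CUST1")


def upstream_table():
    """Routing table of a device upstream of both VPN routers."""
    return propagate(VPN_A, ROUTES_A) + propagate(VPN_B, ROUTES_B) + propagate(VPN_B, ROUTES_VRF)


if __name__ == "__main__":
    # On VPN_A, the injected route forces traffic for the remote proxy through the crypto process.
    print("VPN_A ->", lookup(ROUTES_A, "192.168.10.5"))          # 203.0.113.10
    up = upstream_table()
    print("upstream 192.168.10.5 ->", lookup(up, "192.168.10.5"))  # 10.0.0.1
    print("upstream 192.168.20.200 ->", lookup(up, "192.168.20.200"))  # 10.0.0.2 (via /25)
    print("upstream 172.16.1.1 global ->", lookup(up, "172.16.1.1"))  # None: route lives in VRF CUST1
```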
Note: Security Manager automatically configures RRI on devices with High Availability (HA) or on the IPsec
Aggregator when VRF-Aware IPsec is configured. You can also configure RRI on a device’s crypto map
in a remote access VPN. See Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX
7.0+ Devices), page 30-33 and Configuring an IPsec Proposal on a Remote Access VPN Server (IOS,
PIX 6.3 Devices), page 32-3.
In Security Manager, the following options are available for configuring Reverse Route Injection: