I am reading up on the IPSec protocol and am a little confused about Tunnel Mode. If Machine A is sending a message to machine B over tunnel X, does the tunnel encrypt only the payload, or the payload and destination IP (Machine B)?

In all diagrams I have seen, it appears encryption will encrypt the payload, but not the destination IP.

This seems odd for a tunnel to do, because it would allow an attacker to identify machines behind a tunnel endpoint. Am I mistaken?

Thanks!

Farhan Yusufzai
  • 297
  • 6
  • 23

1 Answer

0

Does an IPSec tunnel encrypt the destination IP address?

This is the difference between IPsec tunnel-mode and IPsec transport-mode:

  • with transport-mode, the IP header is neither authenticated nor encrypted;

  • with tunnel-mode, the original IP header is encapsulated in the payload, so it is authenticated and encrypted.

Alexandre Fenyo
  • 4,526
  • 1
  • 17
  • 24
  • The mode is only one aspect, it also depends on the protocol (AH does not encrypt the IP header in tunnel mode) and whether encryption is used with ESP (it is optional, so NULL encryption or AES-GMAC may be used, which would not protect the inner IP header in tunnel mode). – ecdsa Sep 20 '17 at 07:11
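To make the answer and ecdsa's comment concrete, here is an added illustration (example code written for this page, not from the original post or from any IPsec implementation): it builds simplified ESP packets with AES-GCM in both modes and shows which addresses a passive observer can read from the outer header. Addresses, the SPI, the key and the nonce derivation are constructed, and the ESP framing is simplified (no padding, trailer or explicit IV); with AH, or with ESP using NULL encryption or AES-GMAC, the inner header would be integrity-protected but still readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"net"
)

// ipv4Header builds a minimal 20-byte IPv4 header (no options, checksum left zero).
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	h[9] = proto
	copy(h[12:], src.To4())
	copy(h[16:], dst.To4())
	return h
}

// espSeal builds a simplified ESP packet: SPI || seq || AES-GCM ciphertext+tag, with SPI and
// seq as AAD. Nonce derived from seq is constructed; real ESP carries an explicit IV plus a salt.
func espSeal(key []byte, spi, seq uint32, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // key is a fixed 16-byte AES-128 key in this example
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr, spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	nonce := make([]byte, gcm.NonceSize())
	binary.BigEndian.PutUint32(nonce[8:], seq)
	return append(hdr, gcm.Seal(nil, nonce, plaintext, hdr)...)
}

// tunnelMode encrypts the whole original packet (inner header included); the new outer header names only the gateways.
func tunnelMode(key, inner []byte, gwA, gwB net.IP) []byte {
	esp := espSeal(key, 0x1000, 1, inner)
	return append(ipv4Header(gwA, gwB, 50, len(esp)), esp...) // 50 = ESP protocol number
}

// transportMode encrypts only the payload; the original header stays in the clear with protocol rewritten to ESP.
func transportMode(key, inner []byte) []byte {
	esp := espSeal(key, 0x1000, 1, inner[20:])
	return append(ipv4Header(net.IP(inner[12:16]), net.IP(inner[16:20]), 50, len(esp)), esp...)
}

// visibleAddrs is what a passive observer reads from the outer IPv4 header of pkt.
func visibleAddrs(pkt []byte) (src, dst string) {
	return net.IP(pkt[12:16]).String(), net.IP(pkt[16:20]).String()
}
```

For a packet from 10.0.0.5 to 10.0.1.7 sent between gateways 203.0.113.1 and 198.51.100.2, tunnel mode shows only the gateway pair on the wire while transport mode shows the end hosts.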