Learn the key factors to consider when implementing an IPsec VPN, including the differences between tunnel mode and transport mode for encrypting IP packets.
Question
Which factor must be considered during the implementation of an IPsec VPN?
A. In IPsec tunnel mode, the entire original IP datagram is encrypted.
B. IPsec transport mode increases GRE tunnel security over tunnel mode.
C. In IPsec tunnel mode, only the IP payload is encrypted.
D. IPsec transport mode leaves the Layer 4 header unencrypted for inspection.
Answer
A. In IPsec tunnel mode, the entire original IP datagram is encrypted.
Explanation
When implementing an IPsec VPN, it is important to understand what each of the two ESP modes encrypts and what it leaves exposed on the wire:
Tunnel mode: The entire original IP packet, header and payload, is encrypted and authenticated, then encapsulated behind a new outer IP header addressed between the IPsec peers (typically two gateways). An observer on the path sees only the peer addresses and the ESP header; the original source and destination addresses, the Layer 4 header and the data are all concealed. This is the mode used for site-to-site and remote-access VPNs, where the IPsec peers protect traffic on behalf of other hosts.
Transport mode: The original IP header is kept, with its protocol field rewritten to 50 (ESP), and only the IP payload, that is the Layer 4 header and everything above it, is encrypted. Intermediate devices can still read the original source and destination addresses for routing, which is why this mode is limited to traffic whose endpoints are the IPsec peers themselves (host-to-host, or GRE over IPsec where the GRE endpoints are also the IPsec peers).
Option A is therefore correct. Option C describes transport mode, not tunnel mode. Transport mode does not make a GRE tunnel more secure than tunnel mode does; with GRE over IPsec it merely avoids a second outer IP header, since GRE already supplies one, so B is wrong. The Layer 4 header is part of the IP payload, so it is encrypted in transport mode and cannot be inspected in transit, eliminating D. Note that all four options assume ESP: the AH protocol authenticates but never encrypts, in either mode.
In summary, tunnel mode conceals the entire original packet, including the original addresses, and is the mode required whenever an IPsec gateway protects traffic for hosts behind it. Transport mode encrypts less (the original IP header stays in the clear), is appropriate only when the communicating endpoints are themselves the IPsec peers, and is never more secure than tunnel mode.
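The following is an added example, not code from the original page and not Cisco code. It builds a constructed IPv4/TCP packet between two hosts, wraps it in ESP transport mode and in ESP tunnel mode, and checks which bytes an on-path observer can still read in each case. The cipher is a stand-in keystream (HMAC-SHA256 in a counter construction) and the ICV is a truncated HMAC, chosen so the example runs with the standard library only; real ESP uses AES-GCM or similar with separate encryption and integrity keys. The addresses, ports, SPIs and key are assumptions made for the illustration.

```python
"""Added example: what stays in the clear under ESP transport mode vs tunnel mode.
Not an IPsec implementation: the cipher is a HMAC-SHA256 keystream and the ICV a
truncated HMAC, used only so the concealed/exposed boundary can be inspected."""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50        # IP protocol number in the outer header for ESP
TCP_PROTO = 6
IPV4_IN_IP = 4        # ESP next-header value for an encapsulated IPv4 datagram
ICV_LEN = 16

# Constructed sample topology (assumption): HOST_A behind GW_A talks to HOST_B behind GW_B.
KEY = b"example-key-not-for-production!!"
HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"


def _checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """20-byte TCP header (PSH/ACK, checksum left zero) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) + data


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _esp_encap(key: bytes, spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """ESP header || encrypt(inner || pad || pad_len || next_header) || ICV."""
    pad_len = (-(len(inner) + 2)) % 4                  # 4-byte alignment of the trailer
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_hdr = struct.pack("!II", spi, seq)            # SPI and sequence number stay in the clear
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, esp_hdr, len(plaintext))))
    icv = hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + ct + icv


def esp_decap(key: bytes, blob: bytes):
    """Verify the ICV, decrypt and strip the trailer; returns (inner, next_header)."""
    esp_hdr, ct, icv = blob[:8], blob[8:-ICV_LEN], blob[-ICV_LEN:]
    expected = hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, esp_hdr, len(ct))))
    pad_len, next_header = pt[-2], pt[-1]
    return pt[: len(pt) - pad_len - 2], next_header


def esp_transport(key: bytes, spi: int, seq: int, packet: bytes) -> bytes:
    """Transport mode: the original IP header is kept (protocol rewritten to 50);
    only the Layer 4 header and payload are encrypted."""
    ip_hdr, l4 = packet[:20], packet[20:]
    body = _esp_encap(key, spi, seq, l4, ip_hdr[9])
    return ipv4_header(socket.inet_ntoa(ip_hdr[12:16]),
                       socket.inet_ntoa(ip_hdr[16:20]), ESP_PROTO, len(body)) + body


def esp_tunnel(key: bytes, spi: int, seq: int, packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original datagram, header included, is encrypted
    and carried behind a new outer header addressed between the gateways."""
    body = _esp_encap(key, spi, seq, packet, IPV4_IN_IP)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(body)) + body


def visible_header(packet: bytes):
    """What an on-path observer reads from the outer IP header: (src, dst, proto)."""
    h = packet[:20]
    return socket.inet_ntoa(h[12:16]), socket.inet_ntoa(h[16:20]), h[9]


def in_clear(packet: bytes, needle: bytes) -> bool:
    """True if the byte string appears unencrypted anywhere in the packet."""
    return needle in packet


def build_original() -> bytes:
    seg = tcp_segment(40000, 443, b"GET / HTTP/1.1\r\n")   # constructed sample segment
    return ipv4_header(HOST_A, HOST_B, TCP_PROTO, len(seg)) + seg


if __name__ == "__main__":
    orig = build_original()
    t = esp_transport(KEY, 0x1000, 1, orig)
    u = esp_tunnel(KEY, 0x2000, 1, orig, GW_A, GW_B)
    print("transport outer header:", visible_header(t))   # original hosts, protocol 50
    print("tunnel    outer header:", visible_header(u))   # gateways, protocol 50
    print("transport exposes TCP ports?", in_clear(t, struct.pack("!HH", 40000, 443)))
    print("tunnel exposes HOST_A address?", in_clear(u, socket.inet_aton(HOST_A)))
```

Running it shows the distinction the question is about: in transport mode the outer header still carries 10.1.1.10 and 10.2.2.20 (protocol 50), while the TCP ports are no longer findable in the clear; in tunnel mode the outer header carries only the gateway addresses and neither the original addresses nor the ports are visible. Decapsulating each packet with `esp_decap` returns next-header 6 (TCP) for transport mode and 4 (IPv4-in-IP) for tunnel mode, which is how the receiving peer knows whether it is holding a Layer 4 segment or a complete inner datagram.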
Cisco 200-301 certification exam practice question and answer (Q&A), with a detailed explanation and reference, provided free to help candidates prepare for and pass the Cisco 200-301 exam and earn the Cisco 200-301 certification.