Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

What is the difference between the Tunnel and Transport modes in ESP?



Article ID: KB5302 KB Last Updated: 23 Jan 2020Version: 6.0

This article provides information about the difference between the Tunnel and Transport modes in ESP.


Information about the difference between the Tunnel and Transport modes in ESP.


Tunnel mode:

  • Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by a another set of IP headers.
  • It is widely implemented in site-to-site VPN scenarios.
  • NAT traversal is supported with the tunnel mode.
  • Additional headers are added to the packet; so the payload MSS is less.

Transport mode:
  • The transport mode encrypts only the payload and ESP trailer; so the IP header of the original packet is not encrypted.
  • The IPsec Transport mode is implemented for client-to-site VPN scenarios.
  • NAT traversal is not supported with the transport mode.
  • MSS is higher, when compared to Tunnel mode, as no additional headers are required.
  • The transport mode is usually used when another tunneling protocol (such as GRE, L2TP) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets.
Modification History:
2017-12-07: This is a general IPSec KB. Removing ScreenOS tag and modified related product list.
2020-01-23: Article reviewed for accuracy. No changes made. Article is correct and complete.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search