Understanding IPsec VPN Modes
The following two modes determine how traffic is exchanged in the VPN:
Tunnel Mode—This mode encapsulates the original IP packet within another packet in the VPN tunnel. This is most commonly used when hosts within separate private networks want to communicate over a public network. Both VPN gateways establish the VPN tunnel to each other, and all traffic between the two gateways appears to be from the two gateways, with the original packet embedded within the exterior IPsec packet.
Transport Mode—This mode does not encapsulate the original packet in a new packet, as tunnel mode does; rather, transport mode sends the packet directly between the two hosts that have established the IPsec tunnel.
Tunnel mode is the most common VPN mode on the Internet because it easily allows entire networks (particularly those with private address space) to communicate over public IP networks. Transport mode is primarily used when encrypting traffic between two hosts to secure communication where IP address overlap is not an issue (for example, between a host and a server on a private network).