FlexVPN Site-to-Site without Smart Defaults

This topic is to discuss the following lesson:

It’s mentioned that the default mode for the transform set is Tunnel.
However, the default tunnel mode under the Tunnel interface is GRE unless tunnel mode ipsec ipv4 is configured under the tunnel interface.
The tunnel interface can then have an ipsec profile applied etc.

Can you clarify how Tunnel mode under the transform set is “related” to tunnel mode under the Tunnel interface config?

Hello Ravi

That’s a great question. I’ll do my best to break it down and explain.

The relationship between IPsec tunnel mode under the transform-set configuration and the tunnel interface mode on Cisco routers involves two distinct but interconnected concepts.

IPsec Tunnel Mode refers to how IPsec processes packets. In this mode, the entire original IP packet is encapsulated with a new IP header. This approach is commonly used to secure traffic between different networks or gateways, effectively creating a logical tunnel. When configuring IPsec protection on a GRE tunnel, the mode of operation depends on the outer IP headers. If the GRE tunnel endpoints match the IPsec endpoints, (i.e. the source and destination IP addresses used to establish the GRE tunnel are the same as the source and destination IP addresses used in the IPsec security association (SA)), IPsec operates in Transport mode, encrypting only the payload without adding a new IP header. However, if the endpoints differ, IPsec switches to Tunnel mode, encapsulating the entire packet with a new outer IP header.

On the other hand, Tunnel Interface Mode determines the underlying tunneling protocol used on a Cisco router. By default, Cisco tunnel interfaces use GRE unless explicitly configured otherwise, such as with the tunnel mode ipsec ipv4 command. GRE tunnels always operate in Tunnel mode and do not support Transport mode. In contrast, an IPsec tunnel interface requires explicit mode configuration.

The key relationship between these two concepts lies in how encapsulation is handled. IPsec modes (Tunnel or Transport) dictate how cryptographic processing is applied, while Tunnel Interface Mode defines the base tunneling protocol—either GRE or IPsec. When combining GRE with IPsec, GRE is responsible for encapsulation and always operates in Tunnel mode. IPsec, however, can be applied in Transport mode if the tunnel endpoints match or in Tunnel mode if they differ. This distinction provides flexibility in securing traffic while allowing GRE to support multicast traffic and IPsec to ensure end-to-end encryption.

I hope this has been helpful!

Laz
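A configuration example, added here to illustrate the two layers Laz describes; it is not part of the lesson or of either post. It shows the same Tunnel0 configured two ways: as an IPsec VTI (tunnel mode ipsec ipv4, transform set left in its default tunnel mode) and as a GRE tunnel (the interface default, tunnel mode gre ip) protected by IPsec with the transform set in transport mode. The two variants are alternatives, not meant to be applied together. All object names, the 192.0.2.x peer addresses (RFC 5737 documentation range), the 10.0.0.x tunnel addressing and the pre-shared key are assumptions for illustration.

```cisco
! Added example (not from the lesson or the forum post).
! Names, addresses and the pre-shared key below are assumptions.
!
! Common IKEv2 pieces, written out explicitly (no smart defaults).
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-SITE
 proposal PROP-AES256
!
crypto ikev2 keyring KR-SITE
 peer R2
  address 192.0.2.2
  pre-shared-key local Example-PSK
  pre-shared-key remote Example-PSK
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 192.0.2.2 255.255.255.255
 identity local address 192.0.2.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-SITE
!
! --- Variant A: IPsec VTI -------------------------------------------
! The tunnel interface itself is IPsec, so there is no GRE header.
! The transform set stays in its default (tunnel) mode: ESP carries the
! original IP packet behind a new outer IP header (192.0.2.1 -> 192.0.2.2).
crypto ipsec transform-set TS-TUNNEL esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-VTI
 set transform-set TS-TUNNEL
 set ikev2-profile IKEV2-PROF
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
!
! --- Variant B: GRE over IPsec (alternative Tunnel0) -----------------
! "tunnel mode gre ip" is the interface default, so GRE adds the outer
! IP and GRE headers first. IPsec then protects the GRE packet. Because
! the GRE endpoints and the IPsec peers are the same two addresses,
! "mode transport" is enough and avoids a second outer IP header.
crypto ipsec transform-set TS-TRANSPORT esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-GRE
 set transform-set TS-TRANSPORT
 set ikev2-profile IKEV2-PROF
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-GRE
```

To confirm which mode was actually negotiated, look at show crypto ipsec sa: the "in use settings" line reports Tunnel or Transport for the SA. show interfaces Tunnel0 reports the interface layer separately ("Tunnel protocol/transport IPSEC/IP" for variant A, "GRE/IP" for variant B). Note that variant B still carries a GRE header inside ESP, so transport mode saves only the extra IP header (20 bytes for IPv4) relative to tunnel mode; either way, set the tunnel's ip mtu and ip tcp adjust-mss to account for the encapsulation overhead.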