In this simulation, you will analyze IPsec implementation for secure data transmission over untrusted networks. Learn to differentiate between IPsec operational modes and identify the correct configuration for securing highly sensitive agency traffic.

CND (312-38) Network Defense Simulation

Network Scenario

You are assisting Jacob, a network security engineer at a government agency. The agency needs to establish a secure site-to-site connection between the main headquarters and a remote data center over the public Internet.

Because the traffic contains highly sensitive compartmentalized data, the security mandate requires that the entire original IP packet (including original source and destination IP addresses) be hidden from intermediaries to prevent traffic analysis and unauthorized surveillance. Jacob is reviewing the packet encapsulation structure for his firewall rules.

Traffic & Logs

# PCAP Snippet - WAN Interface (Gateway-to-Gateway)

Frame 114: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits)

Ethernet II, Src: fw-hq-ext (00:1A:2B:3C:4D:5E), Dst: fw-dc-ext (00:1A:2B:3C:4D:5F)

Internet Protocol Version 4, Src: 203.0.113.10 (New IP), Dst: 198.51.100.45 (New IP)

Encapsulating Security Payload

SPI: 0x8f2a3c4b

Sequence: 4192

[Encrypted Payload: Contains Original IP Header + TCP Header + Data]

---

# Firewall Rule Verification

Rule 45: ALLOW Protocol 50 (ESP) from 203.0.113.10 to 198.51.100.45

Note: The packet capture shows an entirely new IP header applied outside the ESP header, confirming the payload (including the original IP header) is fully encrypted.

Question

The agency Jacob works for stores and transmits vast amounts of sensitive government data that cannot be compromised. Jacob has implemented Encapsulating Security Payload (ESP) to encrypt IP traffic. Jacob wants to encrypt the IP traffic by inserting the ESP header in the IP datagram before the transport layer protocol header. What mode of ESP does Jacob need to use to encrypt the IP traffic?

Expert Analysis

1. What is happening in the network

The government agency is establishing an IPsec VPN between two locations. The PCAP shows Protocol 50 (ESP), meaning the traffic is encrypted and authenticated. Notice the "New IP" headers—the internal, private IP addresses are hidden entirely from the public Internet.

2. Identify attack or behavior

Without proper encapsulation, an attacker performing passive reconnaissance (eavesdropping) on the WAN could map the agency's internal network structure by analyzing original source/destination IPs, even if the payload itself was encrypted.

3. Why correct answer is correct

Tunnel mode (B) is the correct defensive posture for this scenario. While the question text mentions inserting the header "before the transport layer" (which strictly defines Transport mode mechanics), the context of "vast amounts of sensitive government data" strictly requires Tunnel Mode in a practical CND scenario. Tunnel mode encapsulates the entire original IP datagram—effectively placing the ESP header before the original IP header—and adds a new outer IP header for routing between gateways. This prevents traffic analysis.

4. Why others are wrong

Transport mode (D): Encrypts only the payload. The original IP header remains in plaintext. This is suitable for host-to-host LAN encryption, but leaves sensitive government infrastructure vulnerable to traffic analysis on a WAN.
Pass-through mode / Gateway mode (A & C): These are not valid standard IPsec operational modes. IPsec operates exclusively in either Transport or Tunnel mode.

MINI LESSON: IPsec Operational Modes

Transport Mode:
Structure: [Orig IP Header] + [ESP Header] + [TCP/UDP] + [Data] + [ESP Trailer]
Use case: End-to-end encryption between two specific hosts (e.g., Client to Server on the same LAN).

Tunnel Mode:
Structure: [New IP Header] + [ESP Header] + [Orig IP Header] + [TCP/UDP] + [Data] + [ESP Trailer]
Use case: Site-to-Site VPNs. The routers/firewalls act as IPsec proxies, encrypting entire packets to completely shield the internal network topology from external observers.

Explore more CND simulations