<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refsect1 id='description'><title>TRANSPORT MODE</title>

<para>
Openswan's pluto supports use of transport mode connection between two hosts.
</para>

<para>
Transport mode differs from Tunnel mode in that it may only be used between
two hosts, and it carries only a single TCP, UDP, or other protocol between
the two hosts. I.e. only a single web connection is secured, not all of them,
and not all traffic.
</para>

<para>
Transport mode in theory, is supposed to be used between two processes, to
secure just their traffic. This may actually get used in, for instance, NFSv4
or iSCSI. To date, this has not occured on Linux, but it is expected.
</para>

<para>
In practice, Transport mode has been used to carry a different tunnel
protocol, rather than using RFC2003 IP-in-IP. (protocol=4). The most common
use is with Microsoft Windows IPsec stacks, which prefer (for embrace and
extend marketing reasons) to use PPP over L2TP over UDP over IPsec.
</para>

<para>
To configure transport mode between two Linux hosts, one writes a conn such
as:
<quote>
conn east--west-port80
     left=192.1.2.45
     leftprotoport=6/0
     right=192.1.2.23
     rightprotoport=6/80
</quote>
</para>

<para>
When one of the hosts is behind a NAT, there are some complications.
(Assume that left is behind the NAT, and right is the machine with the public IP) 
</para>

<para>
The major one is policy. The SA on the machine with the public IP must be
written with left=%any, and with leftsubnet=%vhost:%priv. This modifies the
policy in a subtle way --- it permits the leftsubnet to be any single host
name that is listed in the virtual_private definition in the "config setup"
section of ipsec.conf.