I am reading up on the IPSec protocol and am a little confused about Tunnel Mode. If Machine A is sending a message to machine B over tunnel X, does the tunnel encrypt only the payload, or the payload and destination IP (Machine B)?
In all diagrams I have seen, it appears encryption will encrypt the payload, but not the destination IP.
This seems odd for a tunnel to do, because it would allow an attacker to identify machines behind a tunnel endpoint. Am I mistaken?
Thanks!
This is the difference between IPsec tunnel-mode and IPsec transport-mode:
with transport-mode, the IP header is neither authenticated nor encrypted;
with tunnel-mode, the original IP header is encapsulated in the payload, so it is authenticated and encrypted.
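To make the difference concrete, here is an added example (not part of the question or the answer above, and not real IPsec stack code) that builds a minimal IPv4+ESP packet both ways and then reads back what an on-path observer can see. Everything in it is constructed for illustration: the addresses (hosts A and B behind gateways GW_A and GW_B), the SPI and keys, and the "cipher", which is a toy SHA-256 keystream with an HMAC-SHA256 ICV chosen only so the script runs with the standard library (real IPsec uses negotiated ciphers such as AES-GCM). The ESP layout itself (SPI, sequence number, encrypted payload, trailer with pad length and next-header, ICV) follows RFC 4303.

```python
"""Added example: transport-mode vs tunnel-mode ESP encapsulation and what an
on-path observer learns from each. Toy cipher and constructed values only."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed addresses: A and B are hosts, GW_A and GW_B are the tunnel endpoints.
HOST_A, HOST_B = "10.1.0.5", "10.2.0.7"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"

IPPROTO_IPIP = 4      # next-header value for an encapsulated IPv4 packet
IPPROTO_TCP = 6
IPPROTO_ESP = 50
KEY_ENC = b"constructed-toy-encryption-key"   # not a real SA key
KEY_AUTH = b"constructed-toy-auth-key"
SPI = 0x10000001


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def _keystream(n: int) -> bytes:
    # Toy counter-mode keystream; stands in for the negotiated ESP cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY_ENC + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def toy_encrypt(data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data))))


toy_decrypt = toy_encrypt  # XOR keystream: same operation in both directions


def esp_encapsulate(inner: bytes, next_header: int) -> bytes:
    """ESP: SPI | seq | enc(payload | pad | pad-len | next-header) | ICV."""
    padlen = (-(len(inner) + 2)) % 4                     # 4-byte alignment
    trailer = bytes(range(1, padlen + 1)) + bytes([padlen, next_header])
    esp_hdr = struct.pack("!II", SPI, 1)
    ciphertext = toy_encrypt(inner + trailer)
    icv = hmac.new(KEY_AUTH, esp_hdr + ciphertext, hashlib.sha256).digest()[:12]
    return esp_hdr + ciphertext + icv


def transport_mode_packet(payload: bytes) -> bytes:
    """Transport mode: original A->B header stays in the clear; only the
    transport payload is inside ESP."""
    esp = esp_encapsulate(payload, IPPROTO_TCP)
    return ipv4_header(HOST_A, HOST_B, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode_packet(payload: bytes) -> bytes:
    """Tunnel mode: the whole original packet (A->B header included) is the
    ESP payload, and a new outer header between the gateways is prepended."""
    inner = ipv4_header(HOST_A, HOST_B, IPPROTO_TCP, len(payload)) + payload
    esp = esp_encapsulate(inner, IPPROTO_IPIP)
    return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp


def observer_view(packet: bytes) -> dict:
    """What someone on the path reads from the cleartext part of the packet."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    proto = packet[9]
    spi = struct.unpack("!I", packet[20:24])[0] if proto == IPPROTO_ESP else None
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "spi": spi}


def inner_destination_after_decrypt(packet: bytes) -> str:
    """Receiving gateway's view of a tunnel-mode packet: verify ICV, decrypt,
    strip the trailer and read the inner header's destination."""
    esp = packet[20:]
    esp_hdr, ciphertext, icv = esp[:8], esp[8:-12], esp[-12:]
    expected = hmac.new(KEY_AUTH, esp_hdr + ciphertext, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    plaintext = toy_decrypt(ciphertext)
    padlen, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("not a tunnel-mode packet")
    inner = plaintext[:len(plaintext) - 2 - padlen]
    return str(ipaddress.IPv4Address(inner[16:20]))


if __name__ == "__main__":
    for name, pkt in (("transport", transport_mode_packet(b"GET / HTTP/1.0")),
                      ("tunnel", tunnel_mode_packet(b"GET / HTTP/1.0"))):
        print(name, observer_view(pkt))
    print("inner dst seen only after decryption:",
          inner_destination_after_decrypt(tunnel_mode_packet(b"x")))
```

Running it shows the observer reading `10.1.0.5 -> 10.2.0.7` from the transport-mode packet but only `203.0.113.1 -> 198.51.100.1` from the tunnel-mode one; B's address is recoverable only by the gateway that holds the keys. What remains visible in tunnel mode is the gateway pair, the ESP protocol number, the SPI and the packet sizes and timing, which is why traffic-analysis concerns do not disappear entirely.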