How can IPSec provide confidentiality between two hosts on private networks?

Question

Can you use transport mode with IPsec processing to provide confidentiality between two hosts in geographically separate private IP networks?

I have read somewhere that transport mode is the default mode to use to provide end to end confidentiality using IPsec processing which makes sense when the two end hosts have public IP addresses.

But what if the end hosts have private IP addresses? Surely the "use transport for end to end" doesn't apply in this case as private IP packets from private network X are tunnelled to private network Y?

I'm very confused. My question is...

how can IPsec be used to provide confidentiality for communications between two hosts A and B in geographically separate private IP networks

Answer 1

Let's explain the two modes, how they differ, and clear the air:

Tunnel mode:

1. Protects internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by a another set of IP headers.
2. Allows for NAT traversal

Transport mode:

3. Transport mode encrypts only the payload and ESP trailer
4. NAT traversal is not supported with the transport mode.

Then there is GRE/L2TP for tunneling. But let's clarify what you mean by confidentiality. On #3, you will notice the bolded term only the payload which means your DATA is confidential. Not your connection information. So define what you mean by confidentiality? Is it the confidentiality of the connection, or the confidentiality of the data? Two separate things to think about it. If you are confused, I suggest reading "Understanding IPSEC Tunnel Mode" Unless you clarify what you mean by "confidentiality" the answers you get may vary.

Answer 2

In VPN tunnelling mode, IPSec can be used to join multiple networks, each with their own private IPs into a single virtual network.

However, you will need a gateway with public IP Address, so the sender knows how to route the encrypted packets to systems that are on a different physical network.

In VPN mode, each packet have two destination addresses. One is the public destination address (the gateway address), used for routing in public network, and the second destination address is the private IP address, used for routing inside the virtual private network. The gateways must have public IP Address to allow packets to be routed to the gateway over public network, but the individual target machines doesn't have to have individual public IP address.

The gateway may also need to translate addresses between multiple private IP addresses (NAT). This may be necessary if your private networks have overlapping addresses. The easiest setup is if you don't actually have any intersection in the private IP address namespace between the different physical networks, then the systems can just send packets to each other using their private IP addresses directly.