Use of IPsec Tunnel and Transport Modes
IPsec connections should use tunnel mode; if using transport mode, ensure an IP tunnel is used.
Plain language
This control is about using a specific method to secure information when it's sent over the internet—like putting it in a secure envelope. Tunnel mode is preferred because it wraps everything up securely. If you don't use it, private information could be exposed, leading to data leaks or breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used.
Why it matters
Using IPsec transport mode without an IP tunnel can expose payload data and leak endpoints, increasing interception risk and causing compliance issues.
Operational notes
Confirm IPsec uses tunnel mode by default; if transport mode is required, ensure an IP tunnel is configured and periodically validate settings in change reviews.
Implementation tips
- IT team should configure network devices to use IPsec tunnel mode for site-to-site communication. This can be done by accessing the device settings and selecting 'tunnel mode' under the IPsec settings to ensure all data is encrypted and both sender and receiver information are hidden.
- System administrators should review current IPsec configurations regularly to ensure they are in tunnel mode. They can do this by logging into the systems and checking the network configuration section specifically for IPsec settings.
- IT security personnel should create a checklist to verify that all virtual private network (VPN) connections use IPsec tunnel mode. Use network management tools to scan and report back on the status of each connection.
- Network operations should plan and conduct training sessions for staff responsible for maintaining IPsec configurations. This involves setting up workshops where practical demonstrations on how to implement and verify settings are conducted.
- Project managers should integrate IPsec tunnel mode checks into new project start-ups that require data transmission over the internet. This involves liaising with IT to ensure that any data movement planned adheres to the tunnel mode use, documented during project initiation.
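One way to support the "scan and report back on the status of each connection" tip on Linux hosts is to parse the kernel's IPsec policy database and flag transport-mode policies that do not protect an IP tunnel protocol (GRE or IP-in-IP). The checker below is an added example, not part of this control page; it assumes the output shape of the iproute2 `ip xfrm policy show` command, and the three policies in the sample are constructed for the demonstration.

```python
import re

# Constructed sample in the shape of `ip xfrm policy show` output (assumption:
# iproute2 formatting). Policy 1 is plain tunnel mode, policy 2 is transport
# mode protecting a GRE tunnel, policy 3 is bare transport mode.
SAMPLE_XFRM_POLICY = """\
src 10.0.0.0/24 dst 10.0.1.0/24
\tdir out priority 367231 ptype main
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 1 mode tunnel
src 192.0.2.1 dst 192.0.2.2 proto gre
\tdir out priority 367231 ptype main
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 2 mode transport
src 10.0.2.5 dst 10.0.3.9
\tdir out priority 367231 ptype main
\ttmpl src 10.0.2.5 dst 10.0.3.9
\t\tproto esp reqid 3 mode transport
"""

# Selector protocols that mean the ESP transport-mode SA carries an IP tunnel.
# Names and numbers are both accepted because iproute2 may print either.
TUNNEL_PROTOS = {"gre", "47", "ipip", "ipencap", "4", "ipv6", "41"}


def parse_policies(text):
    """Split the policy dump into {selector, modes} records, one per policy."""
    policies = []
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = new selector
            policies.append({"selector": line.strip(), "modes": []})
        elif policies:
            m = re.search(r"\bmode (\w+)", line)  # template line: "... mode tunnel"
            if m:
                policies[-1]["modes"].append(m.group(1))
    return policies


def selector_proto(selector):
    m = re.search(r"\bproto (\S+)", selector)
    return m.group(1) if m else None


def check_policies(text):
    """Return (selector, verdict) per policy against ISM-0494's requirement."""
    findings = []
    for p in parse_policies(text):
        if "transport" not in p["modes"]:
            verdict = "ok: tunnel mode"
        elif selector_proto(p["selector"]) in TUNNEL_PROTOS:
            verdict = "ok: transport mode over an IP tunnel"
        else:
            verdict = "NON-COMPLIANT: transport mode without IP tunnel"
        findings.append((p["selector"], verdict))
    return findings
```

Run it against the real `ip xfrm policy show` output captured from each gateway and keep the findings as evidence for the periodic change review.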
Audit / evidence tips
- Ask: the network configuration policy document (request to see the organisation's protocol for setting up IPsec connections). Good: the policy will explicitly require tunnel mode as the default setting.
- Ask: the document detailing the findings of recent IPsec tunnel mode checks. Good: the report will show a high compliance rate, with noted exceptions being addressed.
- Ask: training records of the IT staff (request certificates or attendance records from IPsec configuration training sessions).
- Ask: to see logs of any network configuration changes involving IPsec.
- Ask: system status dashboards (request access or screenshots of network monitoring tools displaying IPsec configurations). Good: the dashboard confirms that connections are consistently in tunnel mode.
Cross-framework mappings
How ISM-0494 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.20 | Partially meets | ISM-0494 requires organisations to use IPsec tunnel mode for IPsec connections, and if transport mode is used, to implement an IP tunnel ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.