ISM-0494 ASD Information Security Manual (ISM)

Use of IPsec Tunnel and Transport Modes

IPsec connections should use tunnel mode; if using transport mode, ensure an IP tunnel is used.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2018

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about using a specific method to secure information when it's sent over the internet—like putting it in a secure envelope. Tunnel mode is preferred because it wraps the whole original packet, addresses included, inside that envelope. If you don't use it, private information could be exposed, leading to data leaks or breaches.

Why it matters

Using IPsec transport mode without an IP tunnel leaves the original IP header unprotected, which reveals the true communicating endpoints and exposes traffic metadata, increasing interception risk and causing compliance issues.

Operational notes

Confirm IPsec uses tunnel mode by default; if transport mode is required, ensure an IP tunnel is configured and periodically validate settings in change reviews.

Implementation tips

  • The IT team should configure network devices to use IPsec tunnel mode for site-to-site communication. This can be done by accessing the device settings and selecting 'tunnel mode' under the IPsec settings, so that the whole packet is encrypted and both sender and receiver addresses are hidden.
  • System administrators should review current IPsec configurations regularly to ensure they are in tunnel mode. They can do this by logging into the systems and checking the network configuration section specifically for IPsec settings.
  • IT security personnel should create a checklist to verify that all virtual private network (VPN) connections use IPsec tunnel mode. Use network management tools to scan and report back on the status of each connection.
  • Network operations should plan and conduct training sessions for staff responsible for maintaining IPsec configurations. This involves setting up workshops where practical demonstrations on how to implement and verify settings are conducted.
  • Project managers should integrate IPsec tunnel mode checks into new project start-ups that require data transmission over the internet. This involves liaising with IT to ensure that any planned data movement adheres to the tunnel mode requirement and that this is documented during project initiation.
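The operational notes and the review tips above both call for checking that every IPsec connection is in tunnel mode or, where transport mode is used, that an IP tunnel carries the traffic. The following is an added example of such a check, not code from Control Stack or the ASD ISM. It assumes a Linux host whose security associations are listed with `ip xfrm state` (each SA starts with a `src ... dst ...` line followed by an indented line carrying `proto`, `spi` and `mode`), and it assumes the operator supplies an inventory of IP tunnel interfaces (GRE, IPIP, VTI) with their local and remote addresses, which in practice would be collected from `ip -d link show` or the device configuration. All sample data in the block is constructed for the example.

```python
"""
Added example for ISM-0494 (not from the Control Stack page or the ISM):
flag IPsec security associations that run in transport mode without an
IP tunnel between the same two endpoints.
"""
import re
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str
    spi: str
    mode: str  # "tunnel" or "transport"


# Header line of an SA in `ip xfrm state` output: "src A dst B".
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
# Detail line: "proto esp spi 0x... reqid N mode tunnel|transport".
SA_DETAIL = re.compile(r"proto (\S+) spi (\S+) .*?mode (tunnel|transport)")


def parse_xfrm_state(text: str) -> list:
    """Parse `ip xfrm state` output into SecurityAssociation records.

    Only the header line and the proto/spi/mode line are used; the other
    detail lines (replay window, keys, lifetimes) are ignored.
    """
    sas = []
    src = dst = None
    for line in text.splitlines():
        header = SA_HEADER.match(line.strip())
        if header:
            src, dst = header.groups()
            continue
        detail = SA_DETAIL.search(line)
        if detail and src is not None:
            proto, spi, mode = detail.groups()
            sas.append(SecurityAssociation(src, dst, proto, spi, mode))
    return sas


def transport_sas_without_tunnel(sas, tunnels) -> list:
    """Return the SAs that breach the control: transport mode with no IP
    tunnel whose local/remote pair matches the SA endpoints (either way)."""
    pairs = {(t["local"], t["remote"]) for t in tunnels}
    pairs |= {(t["remote"], t["local"]) for t in tunnels}
    return [sa for sa in sas
            if sa.mode == "transport" and (sa.src, sa.dst) not in pairs]


def report(findings) -> list:
    """Human-readable line per finding, for a change-review checklist."""
    return [f"NON-COMPLIANT: {sa.proto} spi {sa.spi} {sa.src} -> {sa.dst} "
            f"is transport mode with no IP tunnel" for sa in findings]


# Constructed sample `ip xfrm state` output (documentation addresses,
# placeholder keys). One tunnel-mode SA and two transport-mode SAs.
SAMPLE_XFRM_STATE = """\
src 192.0.2.10 dst 198.51.100.20
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-hmac(hmac(sha256)) 0x00112233445566778899aabbccddeeff
    enc cbc(aes) 0xffeeddccbbaa99887766554433221100
src 192.0.2.10 dst 198.51.100.30
    proto esp spi 0x11223344 reqid 2 mode transport
    replay-window 32 flag af-unspec
src 192.0.2.10 dst 203.0.113.40
    proto esp spi 0x55667788 reqid 3 mode transport
    replay-window 32 flag af-unspec
"""

# Constructed tunnel inventory: one GRE tunnel, so the transport-mode SA to
# 198.51.100.30 is acceptable (ESP carrying GRE) and the one to
# 203.0.113.40 is not.
SAMPLE_TUNNELS = [
    {"name": "gre1", "kind": "gre", "local": "192.0.2.10",
     "remote": "198.51.100.30"},
]


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    for line in report(transport_sas_without_tunnel(sas, SAMPLE_TUNNELS)):
        print(line)
```

On a real host, replace `SAMPLE_XFRM_STATE` with the captured output of `ip xfrm state` and build the tunnel inventory from the device's tunnel interface list; the same endpoint-matching logic applies to vendor firewalls whose SA listing shows the mode per association. Running the check as part of change reviews gives the periodic validation the operational notes ask for.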

Audit / evidence tips

  • Ask: the network configuration policy document: Request to see the organisation’s protocol for setting up IPsec connections

    Good: policy will explicitly require tunnel mode as the default setting

  • Ask: the document detailing the findings of recent IPsec tunnel mode checks

    Good: report will show a high compliance rate with noted exceptions being addressed

  • Ask: training records of the IT staff: Request certificates or attendance records from IPsec configuration training sessions

  • Ask: to see logs of any network configuration changes involving IPsec

  • Ask: system status dashboards: Request access or screenshots of network monitoring tools displaying IPsec configurations

    Good: dashboard confirms that connections are consistently in tunnel mode

Cross-framework mappings

How ISM-0494 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control: ISO/IEC 27001 Annex A 8.20
Relationship: Partially meets (1)
Notes: ISM-0494 requires organisations to use IPsec tunnel mode for IPsec connections, and if transport mode is used, to implement an IP tunnel ...
