Cisco Certified Network Associate (CCNA) Practice Exam


Prepare for the Cisco Certified Network Associate (CCNA) Practice Exam. Test your knowledge with our interactive quizzes featuring multiple choice questions, hints, and explanations. Equip yourself for success!



Which IPsec mode encompasses the entire packet and appends its own header?

  1. Transport mode

  2. Tunnel mode

  3. Secure mode

  4. Data mode

The correct answer is: Tunnel mode

Tunnel mode in IPsec is designed to protect entire IP packets by encapsulating them within a new IP packet. When tunnel mode is used, the original payload and header are encrypted and then wrapped inside a new IP header. This new header addresses the encapsulated packet to its final destination, while the original header remains hidden from potential attacks or eavesdropping. This mode is particularly useful for site-to-site VPNs, where the entire communication between two sites must be secured.

In contrast, transport mode encrypts only the payload of the IP packet, leaving the original IP header intact. This means that the sender's and receiver's IP addresses remain exposed, which could be a concern for applications where full packet privacy is needed.

The other options, "Secure mode" and "Data mode," are not modes defined within IPsec, so they do not apply here. Tunnel mode is therefore the correct choice, because it describes the process of encapsulating and securing the entire original packet.