A systems administrator is configuring secure block-level replication between two Windows Server hosts that are located in separate data centers and communicate only across the public Internet. The security policy specifies that the replication data must be encrypted in transit, that intermediate routers must still be able to read the original IPv4 source and destination addresses for QoS classification, and that no additional IP headers should be introduced that could lower the path MTU.
Which of the following methods BEST meets these requirements?
Create a GRE tunnel secured by IPsec operating in tunnel mode
Configure IPsec with ESP in tunnel mode between the two sites
Establish a TLS 1.3 VPN that encapsulates the replication traffic in UDP
Configure IPsec with ESP in transport mode between the two hosts
IPsec using Encapsulating Security Payload (ESP) in transport mode encrypts only the payload of each IP packet. The original IP header remains intact and visible to intermediate devices, so QoS and normal routing still work, and no new outer IP header is added. This design therefore provides end-to-end encryption of replication traffic while meeting the header-visibility and MTU constraints.
In tunnel mode, IPsec encapsulates the entire original packet and adds a new IP header, violating the "no additional headers" stipulation. TLS/SSL-based VPNs and GRE-over-IPsec solutions also wrap the traffic in new transport or tunnel headers, likewise preventing routers from seeing the original addresses and potentially reducing the effective MTU.