IPSec RA with s/w VPN clients to ASA w/IPSec over TCP

jhosking
Level 1

I'm having trouble using IPSec over TCP (port 10000) with Cisco s/w clients coming to an ASA ver 7.2(2). I succeed with IPSec over UDP & I can connect ok with a telnet to port 10000. But when I use the VPN client set for IPSec over TCP, I don't get the credentials panel for submitting user and passwd. I do have the isakmp ipsec-over-tcp port 10000 statement. What am I missing?

5 Replies

kaachary
Cisco Employee

Hi,

What do you mean by you are able to connect on tcp port 10000 using telnet?

Is there any port forwarding configured on ASA's outside interface for tcp port 10000?

Do you have "ipsec over tcp" selected on client software as well?

-Kanishka

Thanks for your reply. If I open a command prompt window on the client and type "telnet ASA_public_address 10000" I get a connection established--this means that the ASA is "listening" on port 10000 as it should be. No port forwarding is configured. ipsec over tcp is enabled/selected on the client. When I select ipsec-over-udp, everything works. I also have the statement isakmp tcp-over-tcp port 10000.

Jon

Hi,

Try disabling XP SP2 firewall, and then connect on IPsec over TCP.

-Kanishka

Kanishka,

That did it. Thank You.

Jon

You're welcome.

In case you do not want to disable the SP2 firewall, you can create exception rules in the SP2 firewall for tcp 10000. Please take a look:

http://ict.cas.psu.edu/training/howto/comm/vpn403-xpsp2.htm#2

*Please rate if helped.

-Kanishka
