
IPSEC over UDP vs IPSEC over TCP

m.renaud.vsnl
Level 1

Hi, I'm configuring an IPSEC VPN infrastructure with ASA5510 for around 100 concurrent Cisco VPN Clients and I'm wondering which one of the two IPSEC tunneling techniques (IPSEC over UDP or IPSEC over TCP) could be the best for serving my users. I want the solution that will minimize the number of calls received by the helpdesk. Thanks

3 Replies

srue
Level 7

Just enable NAT-T. There will be no additional configuration needed on the VPN client.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1120836

I already know all this stuff, but the real question is the following: is it better to use IPSEC over UDP or IPSEC over TCP? I've seen somewhere that IPSEC over UDP was not compatible with stateful firewalls. I just want to be sure I make the right decision... but NAT-T is not part of my choice... thanks!

A stateful firewall has no means to keep track of a UDP session. All it can do is look at the session and time it out if it sees no traffic for a specified amount of time. As for a TCP session, the stateful firewall can reset the session and track its session numbers. That is the only difference between the two. TCP would be the more secure of the two with respect to session observation...
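
The timeout-versus-state tracking described in the reply above, as an added example that is not part of the original thread and is not ASA code: a toy connection table in Python showing that return traffic for a UDP-encapsulated tunnel passes only while the client sends something more often than the firewall's idle timeout, whereas a TCP entry can also be removed by an explicit reset. The timeout values, addresses, ports and the `ConnTable` / `udp_tunnel_survives` names are assumptions made for the illustration.

```python
# Added illustration: toy stateful-firewall connection table (not ASA code).
# Timeouts and addresses below are constructed values, not vendor defaults.
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 120    # seconds, assumed
TCP_IDLE_TIMEOUT = 3600   # seconds, assumed

@dataclass
class Entry:
    proto: str
    last_seen: float
    state: str = "OPEN"

class ConnTable:
    def __init__(self):
        self.flows = {}

    def _expire(self, now):
        # UDP has no end-of-session signal, so idle time is the only criterion.
        for key, e in list(self.flows.items()):
            limit = UDP_IDLE_TIMEOUT if e.proto == "udp" else TCP_IDLE_TIMEOUT
            if e.state == "CLOSED" or now - e.last_seen > limit:
                del self.flows[key]

    def outbound(self, now, proto, flow, flags=""):
        """Inside client sends a packet: create or refresh the flow entry."""
        self._expire(now)
        e = self.flows.setdefault(flow, Entry(proto, now))
        e.last_seen = now
        if proto == "tcp" and ("F" in flags or "R" in flags):
            e.state = "CLOSED"  # simplified: FIN/RST ends the tracked session

    def inbound_allowed(self, now, flow):
        """Return traffic passes only while a matching entry still exists."""
        self._expire(now)
        e = self.flows.get(flow)
        if e is None:
            return False
        e.last_seen = now
        return True

def udp_tunnel_survives(keepalive_interval, idle_period):
    """True if return UDP traffic still passes after idle_period seconds without
    user data, given client keepalives every keepalive_interval (0 = none)."""
    fw, flow = ConnTable(), ("10.0.0.5", 10000, "203.0.113.10", 10000)
    fw.outbound(0, "udp", flow)
    t = keepalive_interval
    while keepalive_interval and t < idle_period:
        fw.outbound(t, "udp", flow)
        t += keepalive_interval
    return fw.inbound_allowed(idle_period, flow)
```

With these assumed values, a 20-second keepalive keeps the UDP entry alive across a 10-minute idle period, while no keepalive or a 300-second one lets the entry age out and the gateway's return packets are dropped.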
