Question regarding IPsec over TCP

Feb 3rd, 2009

I've been trying to convert all of our VPN sites to EasyVPN for ease of management etc., but a few of them I have not been able to successfully get working.

My central ASA5520 is the EasyVPN server and all of the remote firewalls are ASA5505s (7.2(3)-7.2(4)) or PIX501s (various flavors of 6.3(x)).

The ones I have not been able to get working are ones that sit behind someone's home router, like a little Linksys or D-Link or something, that doesn't seem to handle NAT-T properly, and I'm guessing it has to do with UDP being stateless. Two questions:

1. Could IPsec over TCP solve this issue?

2. If I enable IPsec over TCP on my central firewall, does that impact ALL of the clients? I have about 140 connected right now. Or is it similar to NAT-T, where it will be used if necessary? Thanks.

Ivan Martinon Tue, 02/03/2009 - 16:50

As far as I know, IPsec over TCP is only used for VPN clients and not for EzVPN clients that happen to be other ASA devices. In some cases indeed those devices (D-Link and stuff) have issues with handling UDP 4500; can you try maybe to leave those sites to use the standard UDP 500/ESP IPsec traffic? In most cases this solves the issue.
