421 Views | 0 Helpful | 1 Replies

Question regarding IPsec over TCP

rtjensen4
Level 4

Hi,

I've been trying to convert all of our VPN sites to EasyVPN for ease of management etc., but a few of them I have not been able to successfully get working.

My central ASA5520 is the EasyVPN server and all of the remote firewalls are ASA5505s (7.2(3)-7.2(4)) or PIX501s (various flavors of 6.3(x)).

The ones I have not been able to get working are ones that sit behind someone's home router, like a little Linksys or D-Link or something, that doesn't seem to handle NAT-T properly, and I'm guessing it has to do with UDP being stateless. Two questions:

1. Could IPsec over TCP solve this issue?

2. If I enable IPsec over TCP on my central firewall, does that impact ALL of the clients? I have about 140 connected right now. Or is it similar to NAT-T, where it will be used if necessary? Thanks.

1 Reply

Ivan Martinon
Level 7

As far as I know, IPsec over TCP is only used for VPN clients and not for EzVPN clients that happen to be other ASA devices. In some cases those devices (D-Link and such) do indeed have issues with handling UDP 4500; can you try maybe to leave those sites using the standard UDP 500/ESP IPsec traffic? In most cases this solves the issue.
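The thread hinges on NAT-T: the headend and the remote ASA/PIX each send a NAT-D payload during IKE phase 1, and whichever side sees a hash that does not match the source address actually on the wire concludes that a NAT (the home router in this case) sits in the path, after which the peers move IKE and ESP to UDP 4500. The example below, added here and not part of the original thread or of any Cisco code, reproduces that NAT-D check from RFC 3947 so that the mechanism the poster is fighting with can be inspected offline. The cookies and addresses are constructed sample values, and SHA-1 is assumed as the negotiated phase 1 hash.

```python
import hashlib
import ipaddress
import struct

# RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
# The hash algorithm is whatever phase 1 negotiated; SHA-1 is assumed here.
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    data = (cky_i + cky_r
            + ipaddress.ip_address(ip).packed   # IPv4 or IPv6, network byte order
            + struct.pack("!H", port))          # 16-bit port, network byte order
    return hashlib.sha1(data).digest()

def nat_detected(cky_i: bytes, cky_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """True when the peer's NAT-D hash (built from the address it believes it
    has) differs from a hash built from the address/port seen on the wire,
    i.e. a NAT rewrote the packet somewhere between the two peers."""
    sent_by_peer = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    recomputed = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent_by_peer != recomputed

def select_transport(cky_i: bytes, cky_r: bytes,
                     claimed_ip: str, claimed_port: int,
                     observed_ip: str, observed_port: int) -> dict:
    """Summarise what the headend would do for one remote site: stay on
    UDP 500 + ESP (IP protocol 50) when no NAT is detected, or float both
    IKE and ESP to UDP 4500 (UDP encapsulation) when one is."""
    natted = nat_detected(cky_i, cky_r, claimed_ip, claimed_port,
                          observed_ip, observed_port)
    if natted:
        return {"nat": True, "ike_port": 4500, "esp": "udp-encapsulated/4500"}
    return {"nat": False, "ike_port": 500, "esp": "ip-proto-50"}

# Constructed sample values (not from the thread).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")

# Remote ASA 5505 behind a home router: it addresses itself as 192.168.1.2:500,
# but the headend sees the router's public address 203.0.113.10:500.
HOME_SITE = select_transport(CKY_I, CKY_R, "192.168.1.2", 500, "203.0.113.10", 500)

# Remote site with a public address on its outside interface: no rewrite.
DIRECT_SITE = select_transport(CKY_I, CKY_R, "198.51.100.7", 500, "198.51.100.7", 500)

if __name__ == "__main__":
    print("home site:  ", HOME_SITE)
    print("direct site:", DIRECT_SITE)
```

The practical point for the poster's problem is visible in `select_transport`: a site behind a consumer router always ends up on UDP 4500, so the tunnel's survival depends entirely on that router keeping a UDP port mapping alive between packets. If the mapping times out, the next packet from the remote site arrives from a different translated source port and the headend no longer matches it to the existing SA. That is the failure Ivan's suggestion sidesteps: a site that can be kept on UDP 500 plus native ESP does not depend on a UDP 4500 mapping at all.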