Question regarding IPsec over TCP

rtjensen4
Level 4

Hi,

I've been trying to convert all of our VPN sites to EasyVPN for ease of management etc., but a few of them I have not been able to successfully get working.

My Central ASA5520 is the EasyVPN server and all of the remote firewalls are ASA5505s (7.2(3)-7.2(4)) or PIX501s (various flavors of 6.3(x)).

The ones I have not been able to get working are ones that sit behind someone's home router, like a little Linksys or D-Link or something, that doesn't seem to handle NAT-T properly, and I'm guessing it has to do with UDP being stateless. Two questions:

1. Could IPsec over TCP solve this issue?

2. If I enable IPsec over TCP on my central firewall, does that impact ALL of the clients? I have about 140 connected right now. Or is it similar to NAT-T where it will be used if necessary? Thanks.


Ivan Martinon
Level 7

As far as I know, IPsec over TCP is only used for VPN clients and not for EzVPN clients who happen to be other ASA devices. In some cases indeed those devices (D-Link and stuff) have issues with handling UDP 4500; can you try maybe to leave those sites to use the standard UDP 500/ESP IPsec traffic? In most cases this solves the issue.
