VPN Client IPSec over UDP doesn't work.

Unanswered Question
Feb 19th, 2009

Hi folks,

I have a Cisco 2811 router with ADSL at a remote site which performs NAT, giving users of that site Internet access. We have a LAN-to-LAN VPN for remote management of that site's hardware which runs from the 2811 to a Cisco 3000 VPN. This all works fine.

Our corporate users, when remote, use VPN Clients to connect to our network using the same Cisco VPN 3000 Concentrator. However, our corporate users who visit this site can only get their VPN clients to work if they select "IPSec over TCP". The client successfully connects on UDP but they can't "see" anything on the network. I have failed to replicate this problem with an 837 router in our test environment (set up the same as the 2811, with LAN-to-LAN VPN and NAT).

Anyone have any ideas?

I've attached a sh ver, sh conf, a debug of a VPN client at the site which failed and then successfully worked using TCP, and a sh crypto.

The entire network is subnetted into different 10.X.X.X subnets. 172.16.X.X is used for management.

VPN clients receive an address of 10.254.40.X.

Concentrator real IP has been substituted with, real IP of 2811 ADSL router has been substituted with

There are 3 dialers but we're only using dialer 1 for now; I will be applying OER later once I get this problem fixed.



lmailloux-cri Fri, 02/20/2009 - 07:14

It has been a while since I've worked on a 3000, but have you enabled NAT-T (NAT Traversal) on the Concentrator? You may also need to open UDP port 4500.
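The symptom in the original post (the client connects over UDP but sees nothing on the network) and the NAT-T / UDP 4500 point in the reply above both come down to whether IKE and UDP-encapsulated ESP are being translated through the NAT device in both directions. The following script is an added example, not part of this thread or of any Cisco tool: it classifies UDP payloads on ports 500 and 4500 according to the NAT-T encapsulation in RFC 3948 (the four-byte non-ESP marker that distinguishes IKE from ESP on 4500, and the one-byte keepalive) and then summarises a capture into a verdict. The flows it analyses are constructed inline; the SPIs, sequence numbers and directions are made-up values, and `diagnose` is a hypothetical helper that encodes the reasoning from the thread, not a Cisco diagnostic.

```python
"""Classify NAT-T (RFC 3948) UDP payloads and diagnose a one-way tunnel.

Added example for the thread above; all packets below are constructed.
"""
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948: single-byte NAT keepalive on UDP/4500
# ISAKMP header: initiator SPI, responder SPI, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


def parse_isakmp_header(data):
    """Decode a fixed 28-byte ISAKMP (IKEv1) header into a dict."""
    if len(data) < ISAKMP_HDR.size:
        return {"kind": "ike", "error": "truncated ISAKMP header"}
    i_spi, r_spi, _next, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {
        "kind": "ike",
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_NAMES.get(exch, str(exch)),
        "encrypted": bool(flags & 0x01),  # E bit: payloads after the header are encrypted
        "message_id": msg_id,
        "length": length,
    }


def classify_udp_payload(dst_port, payload):
    """Return what an IPsec-related UDP datagram carries.

    UDP/500 carries plain IKE. UDP/4500 carries either IKE (after the
    non-ESP marker), UDP-encapsulated ESP (SPI first; a real SPI is never
    zero, which is what makes the marker unambiguous) or a keepalive.
    """
    if dst_port == 500:
        return parse_isakmp_header(payload)
    if dst_port != 4500:
        return {"kind": "not-ipsec"}
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return parse_isakmp_header(payload[len(NON_ESP_MARKER):])
    if len(payload) < 8:
        return {"kind": "esp", "error": "truncated ESP header"}
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


def diagnose(flows):
    """Summarise (direction, dst_port, payload) triples seen at the NAT device.

    direction is 'out' (client -> concentrator) or 'in' (reply). Returns a
    (code, message) pair. Hypothetical helper: encodes the reasoning from
    the thread, it is not a vendor diagnostic.
    """
    counts = Counter()
    for direction, port, payload in flows:
        counts[(classify_udp_payload(port, payload)["kind"], direction)] += 1
    if counts[("ike", "out")] and not counts[("ike", "in")]:
        return ("no-ike-reply", "IKE leaves but no reply returns: check UDP/500 and UDP/4500 both ways")
    if counts[("esp", "out")] and not counts[("esp", "in")]:
        return ("no-esp-reply", "IKE exchanged both ways but no UDP-encapsulated ESP comes back: "
                                "inbound UDP/4500 is not being translated back to the client")
    if counts[("esp", "out")] and counts[("esp", "in")]:
        return ("ok", "NAT-T tunnel carrying data in both directions")
    return ("no-esp", "no ESP data seen yet")


def build_ike(i_spi, r_spi, exch, flags=0, msg_id=0, body=b""):
    """Construct an IKEv1 datagram with a minimal header (sample data only)."""
    return ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, exch, flags, msg_id,
                           ISAKMP_HDR.size + len(body)) + body


def build_natt_esp(spi, seq, body):
    """Construct a UDP-encapsulated ESP datagram (sample data only)."""
    return struct.pack("!II", spi, seq) + body


# Constructed capture reproducing the thread's symptom: IKE works both ways,
# the client sends ESP through the NAT, but nothing encapsulated comes back.
SAMPLE_FLOWS = [
    ("out", 500, build_ike(b"\x01" * 8, b"\x00" * 8, 2)),
    ("in", 500, build_ike(b"\x01" * 8, b"\x02" * 8, 2)),
    ("out", 4500, NON_ESP_MARKER + build_ike(b"\x01" * 8, b"\x02" * 8, 32, flags=0x01, msg_id=7)),
    ("in", 4500, NON_ESP_MARKER + build_ike(b"\x01" * 8, b"\x02" * 8, 32, flags=0x01, msg_id=7)),
    ("out", 4500, build_natt_esp(0x0A1B2C3D, 1, b"\xaa" * 16)),
    ("out", 4500, build_natt_esp(0x0A1B2C3D, 2, b"\xbb" * 16)),
    ("out", 4500, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for direction, port, payload in SAMPLE_FLOWS:
        print(direction, port, classify_udp_payload(port, payload))
    print(diagnose(SAMPLE_FLOWS))
```

Run against a real capture, the classifier replaces the hand-built `SAMPLE_FLOWS` with the UDP payloads taken from packets on the NAT device's inside and outside interfaces; a "no-esp-reply" verdict is the NAT-T equivalent of the thread's "connected but can't see anything", and points at the translation of inbound UDP/4500 rather than at the VPN group or client configuration.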

d.hodgson Sun, 02/22/2009 - 15:37


Yes, NAT-T is enabled on the concentrator. This remote site is the only remote site I know of where the VPN Client doesn't work, and the VPN "group" they use is the same VPN "group" as for all our remote users who have no problems. The users at the problem site can VPN from anywhere else, just not from this site.

I've attached the VPN conc config.
