Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
451
Views
0
Helpful
1
Replies

IPSEC VPN Works in NAT'ed enviroment, not inPAT'ed

tghinze
Level 1
Level 1

‎04-01-2009 12:38 PM - edited ‎02-21-2020 04:11 PM

We have a 3000 VPN concentrator that we

use to connect remote users to our internal network. It works fine when users originate the connection from behind a device that does NAT. If the users are behind a PAT device they can connect to us (using the Cisco VPN client) and I can

see the TX and RX counters increase on our side but on the client side they typically see the TX counter increment but not the RX counter. On the Concentrator I enabled "IPSEC over NAT-T" and then none could connect. Any ideas?

Labels:
0 Helpful
1 Reply 1

Not applicable

‎04-07-2009 07:35 AM

If IPSec over NAT-T is enabled on the VPN Concentrator, then the VPN Concentrator/VPN Client uses NAT-T mode of UDP encapsulation. NAT-T works by auto-detecting any NAT device between the VPN Client and VPN Concentrator during IKE negotiation. You must ensure that UDP port 4500 is not blocked between the VPN Concentrator/VPN Client for NAT-T to work. Also, if you are using a previous IPSec/UDP configuration that is already using that port, you must reconfigure that earlier IPSec/UDP configuration to use a different UDP port. Since NAT-T is an IETF draft, it helps when using multivendor devices if the other vendor implements this standard.

NAT-T works with both VPN Client connections and LAN-to-LAN connections unlike IPSec over UDP/TCP. Also, Cisco IOS® routers and the PIX firewall devices support NAT-T.

0 Helpful
Customers Also Viewed These Support Documents