Site-to-site VPN using UDP?

Answered Question
Mar 14th, 2010

Is it possible to create a site-to-site VPN when one end is behind an ISP NAT'ed internet connection using a Cisco router?

Specifically, can IPsec use UDP? So far I only managed to do this using OpenVPN.


Regards

Correct Answer by Federico Coto F... about 6 years 11 months ago

Hi,

The site-to-site VPN can be established if you're doing NAT.

ISAKMP is established using UDP port 500, and then the encrypted traffic is encapsulated using ESP.

If it's NAT, it is not a problem.

If you're using PAT, ESP causes problems because ESP has no layer 4 information and therefore cannot be PATed.

If this is the situation, just use NAT-T so that ESP traffic will be encapsulated in UDP port 4500.

This should work with no problems.

Federico.
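The packet-level reason behind the answer, as an added example (not from the thread or from Cisco): a small classifier that parses constructed IPv4 packets and reports whether a PAT device has any layer 4 ports to rewrite. Raw ESP (IP protocol 50) exposes only an SPI and sequence number, while NAT-T wraps the same ESP header in UDP/4500 (RFC 3948, which also prefixes IKE inside 4500 with a four-zero-byte marker). The IPv4/UDP builders and the sample packets are constructed for the demo; checksums are left zero.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
ISAKMP_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE carried inside UDP/4500 starts with 4 zero bytes

def build_ipv4(proto: int, payload: bytes, src=b"\x0a\x00\x00\x01", dst=b"\xc0\x00\x02\x01") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src, dst) + payload

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum left zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(packet: bytes) -> dict:
    """Say what the packet is and whether a PAT device has layer 4 ports to rewrite."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", payload[:4])[0]
        # ESP header is SPI + sequence number only: no ports, so PAT has nothing to translate
        return {"kind": "esp", "spi": spi, "ports": None, "pat_ok": False}
    if proto != IPPROTO_UDP:
        return {"kind": f"proto-{proto}", "ports": None, "pat_ok": False}
    sport, dport = struct.unpack("!HH", payload[:4])
    ports, body = (sport, dport), payload[8:]
    if ISAKMP_PORT in ports:
        return {"kind": "isakmp", "ports": ports, "pat_ok": True}
    if NAT_T_PORT in ports:
        if body == b"\xff":  # one-byte NAT keepalive that keeps the PAT binding alive
            return {"kind": "nat-t-keepalive", "ports": ports, "pat_ok": True}
        if body[:4] == NON_ESP_MARKER:
            return {"kind": "nat-t-ike", "ports": ports, "pat_ok": True}
        spi = struct.unpack("!I", body[:4])[0]  # SPI 0 is reserved, so ESP never collides with the marker
        return {"kind": "nat-t-esp", "spi": spi, "ports": ports, "pat_ok": True}
    return {"kind": "udp", "ports": ports, "pat_ok": True}

# Constructed samples (not real captures): the same ESP SA sent raw and via NAT-T
ESP_HDR = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
RAW_ESP = build_ipv4(IPPROTO_ESP, ESP_HDR)
NAT_T_ESP = build_ipv4(IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, ESP_HDR))
NAT_T_IKE = build_ipv4(IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"\x00" * 28))
ISAKMP = build_ipv4(IPPROTO_UDP, build_udp(ISAKMP_PORT, ISAKMP_PORT, b"\x00" * 28))

if __name__ == "__main__":
    for name, pkt in [("raw ESP", RAW_ESP), ("NAT-T ESP", NAT_T_ESP), ("NAT-T IKE", NAT_T_IKE), ("ISAKMP", ISAKMP)]:
        print(f"{name:10s} -> {classify(pkt)}")
```

Running it shows that the raw ESP packet is the only one without ports, which is exactly the traffic a PAT router drops or mangles unless NAT-T moves it into UDP/4500.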


nunojpg00 Mon, 03/15/2010 - 17:03

PAT, sorry. But you explained it for all cases. Wonderful.


Thank you!
