IOS LAN2LAN IPSEC VPN with UDP Encapsulation

Unanswered Question
Mar 22nd, 2010

Is it possible to have a LAN2LAN VPN between 2 Routers but using UDP Encapsulation (NAT Transparency) instead?

I was looking for a quick example but most refer to VPN Client Solution.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Todd Pula Mon, 03/22/2010 - 09:54

This is the default behavior for IOS based IPSec endpoints.  During the phase 1 negotiation, both devices will identify whether NAT is present in the path between peers and will utilize UDP 4500 encapsulation automatically.

pavlosd Mon, 03/22/2010 - 22:49

I was more looking at the commands that enable or disable this feature? Or I was wondering if you can "force" udp encapsulation even if there is no NAT in the way (for whatever security reason).

I also found the examples below.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

Thanks.

Todd Pula Tue, 03/23/2010 - 07:00

You can disable NAT-T support in IOS using the "no crypto ipsec nat-transparency udp-encapsulation" command.  NAT-T is negotiated between Cisco endpoints and cannot be fixed.  Without NAT-T support, IOS will continue to encap using UDP 500.

Actions

This Discussion