IOS LAN2LAN IPSEC VPN with UDP Encapsulation

Mar 22nd, 2010

Is it possible to have a LAN2LAN VPN between 2 Routers but using UDP Encapsulation (NAT Transparency) instead?

I was looking for a quick example, but most refer to the VPN Client solution.

Todd Pula Mon, 03/22/2010 - 09:54

This is the default behavior for IOS based IPSec endpoints.  During the phase 1 negotiation, both devices will identify whether NAT is present in the path between peers and will utilize UDP 4500 encapsulation automatically.

pavlosd Mon, 03/22/2010 - 22:49

I was looking more for the commands that enable or disable this feature. I was also wondering whether you can "force" UDP encapsulation even if there is no NAT in the way (for whatever security reason).

I also found the examples below.


Todd Pula Tue, 03/23/2010 - 07:00

You can disable NAT-T support in IOS using the "no crypto ipsec nat-transparency udp-encapsulation" command.  NAT-T is negotiated between Cisco endpoints and cannot be fixed.  Without NAT-T support, IOS will continue to encap using UDP 500.
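As an added example (not the thread's own configuration and not taken from Cisco documentation), here is a minimal one-sided IOS LAN-to-LAN configuration showing where the NAT-T setting described above sits relative to the rest of the tunnel. The peer and interface addresses, the LAN ranges, the pre-shared key placeholder, the transform-set and crypto-map names and the ACL number are all assumed values.

```text
! Added example, not the thread's configuration. Addresses, key, names and ACL are placeholders.
!
! Phase 1 (ISAKMP) policy; NAT detection happens during this negotiation
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.2
!
! NAT-T (UDP 4500 encapsulation) is on by default; this line only makes the default explicit
crypto ipsec nat-transparency udp-encapsulation
! Optional keepalives so an intermediate NAT device does not expire the UDP 4500 mapping
crypto isakmp nat keepalive 20
!
! Phase 2 (IPsec) transform set and crypto map
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 100
!
! Interesting traffic between the two LANs (assumed ranges)
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map L2L
!
! To turn NAT-T support off entirely, use the command quoted in the reply above:
! no crypto ipsec nat-transparency udp-encapsulation
```

Once the tunnel is up, `show crypto ipsec sa` reports the current peer together with the port in use: port 4500 means NAT was detected in phase 1 and ESP is being carried in UDP, port 500 means plain ESP is in use. The NAT-T setting is global rather than per crypto map, so disabling it affects every IPsec peer on the router; with NAT-T off and a NAT device in the path, phase 1 will still complete over UDP 500 but ESP traffic will be dropped or mistranslated by the NAT, which is the symptom to look for if a tunnel negotiates but passes no traffic.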

