VPN Session Types

Answered Question
Apr 29th, 2010

I'm looking at my ASA logs for VPN connections (%ASA-4-113019 messages). Some of the connections show a session type of "IKE" and others show "IPSecOverNatT". Why would this be? My users are using an IPSec client to connect.


Thanks.

Overall Rating: 5 (1 ratings)
Correct Answer
Jennifer Halim (Cisco Employee) Thu, 04/29/2010 - 14:16

The reason why you are seeing IPSecOverNatT is because there is a NAT device in the path between the VPN client and the head-end VPN terminating device, and since IPSec Phase 2 is in an ESP packet (i.e., it is a protocol, therefore it's not TCP or UDP with a port number that can be NATed through a NAT device), the ESP packet is encapsulated in either TCP or UDP with a port (called NAT-T - NAT Traversal) so it can be NATed through a NAT device.


Hope that answers your question.
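
To see which users and peer addresses account for the IPSecOverNatT entries, the %ASA-4-113019 lines can be tallied by session type. This is an added example, not part of the original thread: the log lines are constructed, and the regular expression assumes the usual field layout of the 113019 disconnect message (Group, Username, IP, Session Type, Duration).

```python
import re
from collections import Counter, defaultdict

# Assumed field layout of the %ASA-4-113019 session-disconnect message.
ASA_113019 = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), "
    r"IP = (?P<ip>[^,]*), Session disconnected\. "
    r"Session Type: (?P<type>[^,]*), Duration: (?P<duration>[^,]*),"
)

# Constructed sample lines: documentation-range addresses, made-up users.
SAMPLE_LOG = """\
Apr 29 2010 13:02:11 asa1 : %ASA-4-113019: Group = RA-VPN, Username = alice, IP = 198.51.100.20, Session disconnected. Session Type: IPSecOverNatT, Duration: 1h:12m:05s, Bytes xmt: 48213, Bytes rcv: 90211, Reason: User Requested
Apr 29 2010 13:40:57 asa1 : %ASA-4-113019: Group = RA-VPN, Username = bob, IP = 203.0.113.7, Session disconnected. Session Type: IKE, Duration: 0h:25m:40s, Bytes xmt: 1200, Bytes rcv: 3400, Reason: Idle Timeout
Apr 29 2010 13:41:00 asa1 : unrelated line that the parser must skip
Apr 29 2010 14:05:32 asa1 : %ASA-4-113019: Group = RA-VPN, Username = carol, IP = 192.0.2.44, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:03m:10s, Bytes xmt: 900, Bytes rcv: 1500, Reason: User Requested
Apr 29 2010 15:30:00 asa1 : %ASA-4-113019: Group = RA-VPN, Username = alice, IP = 198.51.100.20, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:45m:00s, Bytes xmt: 7000, Bytes rcv: 8000, Reason: Idle Timeout
"""

def parse_sessions(text):
    """Return one dict per 113019 line; every other line is ignored."""
    sessions = []
    for line in text.splitlines():
        m = ASA_113019.search(line)
        if m:
            sessions.append({k: v.strip() for k, v in m.groupdict().items()})
    return sessions

def count_by_type(sessions):
    """Number of disconnect records per session type."""
    return Counter(s["type"] for s in sessions)

def natt_peers(sessions):
    """Map username -> sorted peer IPs that logged an IPSecOverNatT session."""
    peers = defaultdict(set)
    for s in sessions:
        if s["type"] == "IPSecOverNatT":
            peers[s["user"]].add(s["ip"])
    return {user: sorted(ips) for user, ips in peers.items()}

if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    print(dict(count_by_type(parsed)))
    for user, ips in natt_peers(parsed).items():
        print(f"{user}: NAT-T sessions from {', '.join(ips)}")
```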
