04-29-2010 11:28 AM
I'm looking at my ASA logs for VPN connections (%ASA-4-113019 messages). Some of the connections show a session type of "IKE" and others show "IPSecOverNatT". Why would this be? My users are using an IPSec client to connect.
Thanks.
04-29-2010 02:16 PM
The reason why you are seeing IPSecOverNatT is because there is a NAT device in the path between the VPN client and the head-end VPN terminating device, and since IPSec Phase 2 is in an ESP packet (i.e., it is a protocol, therefore it's not TCP or UDP with a port number that can be NATed through a NAT device), the ESP packet is encapsulated in either TCP or UDP with a port (called NAT-T - NAT Traversal) so it can be NATed through a NAT device.
Hope that answers your question.
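Added example, not part of the original thread: a short Python script that tallies the session types reported in %ASA-4-113019 messages and lists users who appear with more than one type, which per the answer above indicates they connect both with and without a NAT device in the path. The log lines are constructed samples, and the field layout (Group, Username, IP, Session Type) is assumed to follow the usual 113019 message format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
Apr 29 2010 11:02:13 asa1 : %ASA-4-113019: Group = RA-VPN, Username = alice, IP = 198.51.100.10, Session disconnected. Session Type: IPSecOverNatT, Duration: 1h:12m:04s, Bytes xmt: 48211, Bytes rcv: 90133, Reason: User Requested
Apr 29 2010 11:05:40 asa1 : %ASA-5-111008: User 'admin' executed the 'write memory' command.
Apr 29 2010 11:09:55 asa1 : %ASA-4-113019: Group = RA-VPN, Username = bob, IP = 203.0.113.7, Session disconnected. Session Type: IKE, Duration: 0h:03m:19s, Bytes xmt: 1200, Bytes rcv: 3400, Reason: Idle Timeout
Apr 29 2010 11:20:01 asa1 : %ASA-4-113019: Group = RA-VPN, Username = alice, IP = 203.0.113.5, Session disconnected. Session Type: IKE, Duration: 0h:20m:00s, Bytes xmt: 9000, Bytes rcv: 7000, Reason: User Requested
Apr 29 2010 11:28:44 asa1 : %ASA-4-113019: Group = RA-VPN, Username = carol, IP = 198.51.100.22, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:01m:10s, Bytes xmt: 500, Bytes rcv: 800, Reason: Lost Service
"""

# Assumed 113019 layout; only the fields needed here are captured.
PATTERN = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), "
    r"IP = (?P<ip>[^,]*), Session disconnected\. Session Type: (?P<type>[^,]*),"
)

def parse_sessions(text):
    """Yield one dict per 113019 line; all other lines are skipped."""
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            yield {k: v.strip() for k, v in m.groupdict().items()}

def session_type_counts(text):
    """Count disconnect records per session type (IKE, IPSecOverNatT, ...)."""
    return Counter(s["type"] for s in parse_sessions(text))

def users_with_mixed_types(text):
    """Map each user seen with more than one session type to those types."""
    seen = defaultdict(set)
    for s in parse_sessions(text):
        seen[s["user"]].add(s["type"])
    return {u: sorted(t) for u, t in seen.items() if len(t) > 1}

if __name__ == "__main__":
    print(dict(session_type_counts(SAMPLE_LOG)))
    print(users_with_mixed_types(SAMPLE_LOG))
```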
04-30-2010 06:09 AM
Thanks for the explanation.