VPN Session Types

snowmizer
Level 1

I'm looking at my ASA logs for VPN connections (%ASA-4-113019 messages). Some of the connections show a session type of "IKE" and others show "IPSecOverNatT". Why would this be? My users are using an IPSec client to connect.

Thanks.

1 Accepted Solution

Jennifer Halim
Cisco Employee

The reason you are seeing IPSecOverNatT is that there is a NAT device in the path between the VPN client and the head-end VPN terminating device. Since IPSec Phase 2 is in an ESP packet (i.e., it is a protocol, so it is not TCP or UDP with a port number that can be NATed through a NAT device), the ESP packet is encapsulated in either TCP or UDP with a port (called NAT-T - NAT Traversal) so it can be NATed through a NAT device.

Hope that answers your question.

Thanks for the explanation.
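
As an added example (not part of the original thread and not Cisco code), the script below tallies the session type reported in %ASA-4-113019 lines per user, which shows who connects through a NAT device and who is seen with both session types. The field layout is assumed from the documented format of this message; the sample lines, host, users, group name and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed field layout of the 113019 disconnect message (not shown on this page).
LINE_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), "
    r"IP = (?P<ip>[^,]*), Session disconnected\. Session Type: (?P<stype>[^,]*), "
    r"Duration: (?P<duration>[^,]*), Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.*)$"
)

# Constructed sample lines: host, users, group and addresses are made up.
SAMPLE_LOG = """\
Mar 01 09:12:44 asa1 %ASA-4-113019: Group = RA-VPN, Username = alice, IP = 198.51.100.20, Session disconnected. Session Type: IPSecOverNatT, Duration: 1h:02m:10s, Bytes xmt: 104857, Bytes rcv: 20971, Reason: User Requested
Mar 01 10:40:02 asa1 %ASA-4-113019: Group = RA-VPN, Username = bob, IP = 203.0.113.7, Session disconnected. Session Type: IKE, Duration: 0h:15m:31s, Bytes xmt: 5120, Bytes rcv: 4096, Reason: Idle Timeout
Mar 01 11:05:19 asa1 %ASA-4-113019: Group = RA-VPN, Username = carol, IP = 203.0.113.9, Session disconnected. Session Type: IKE, Duration: 0h:05m:00s, Bytes xmt: 900, Bytes rcv: 700, Reason: User Requested
Mar 01 12:00:00 asa1 unrelated syslog line that must be skipped
Mar 01 17:30:55 asa1 %ASA-4-113019: Group = RA-VPN, Username = alice, IP = 198.51.100.20, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:10m:45s, Bytes xmt: 300000, Bytes rcv: 45000, Reason: User Requested
Mar 02 08:01:12 asa1 %ASA-4-113019: Group = RA-VPN, Username = carol, IP = 192.0.2.44, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:45m:09s, Bytes xmt: 70000, Bytes rcv: 12000, Reason: User Requested
"""

def parse_line(line):
    """Return the 113019 fields as a dict, or None for any other line."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["xmt"], rec["rcv"] = int(rec["xmt"]), int(rec["rcv"])
    return rec

def summarize(text):
    """Map each username to a Counter of the session types seen for it."""
    per_user = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_user[rec["user"]][rec["stype"].strip()] += 1
    return per_user

def nat_users(per_user):
    """Users with at least one session that needed NAT traversal."""
    return sorted(u for u, c in per_user.items()
                  if any(t.lower() == "ipsecovernatt" for t in c))

def mixed_users(per_user):
    """Users seen with more than one session type (NATed and non-NATed paths)."""
    return sorted(u for u, c in per_user.items() if len(c) > 1)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for user in sorted(stats):
        print(user, dict(stats[user]))
    print("behind NAT at least once:", nat_users(stats))
    print("both session types:", mixed_users(stats))
```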
