IKE NAT-T

Unanswered Question
Aug 3rd, 2010
User Badges:

I tested from iPad Cisco client using 3G is specifically looking for IKE NAT-T to be enabled to establish the remote VPN tunnel.


My case is as below


I'm using ASA 5520 without IKE NAT-T enable but for IPSEC I have NAT-T enabled for some tunnel and for few not.

Similarly I know IKE NAT-T is globally configured.

I have remote access VPN, Anyconnect and site to site VPN on the same device.

My question is

1.     If I enable IKE NAT-T globally what will happen to the existing Site to Site VPN tunnel? I hope that active tunnel will not disturb but if a new tunnel is trying to negotiate will that have problem.

2.     What will be the implication for creating new site to site tunnel if the IKE NAT-T is enabled?

3.     My entire site to site remote peer is not having the IKE NAT-T enabled.


Regards

BR

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Tue, 08/03/2010 - 07:40
User Badges:
  • Cisco Employee,

There will be no implication for the existing VPN connections.


To answer your questions:

1) It will not impact your existing L2L tunnel

2) It will also not impact new L2L tunnel

3) Same, it will also not impact your remote users.


NAT-T is negotiated during the phase 1 negotiation. What will happen is if it detected that the remote user/L2L VPN is behind a NAT device, then it will negotiate the tunnel to use NAT-T (UDP encapsulated ESP packet - normally by default it's UDP/4500). If during the negotiation, it does not detect that the device is behind a NAT device, then it will continue to just use ESP.


Hope that answers your questions.

Actions

This Discussion