IKE NAT-T

balajirajahpb
Level 1

I tested from an iPad Cisco client over 3G; it specifically looks for IKE NAT-T to be enabled to establish the remote VPN tunnel.

My case is as below:

I'm using an ASA 5520 without IKE NAT-T enabled, but for IPsec I have NAT-T enabled for some tunnels and not for a few others.

Similarly I know IKE NAT-T is globally configured.

I have remote access VPN, AnyConnect and site-to-site VPN on the same device.

My questions are:

1. If I enable IKE NAT-T globally, what will happen to the existing site-to-site VPN tunnels? I hope the active tunnels will not be disturbed, but if a new tunnel tries to negotiate, will that have a problem?

2. What will be the implication for creating a new site-to-site tunnel if IKE NAT-T is enabled?

3. None of my site-to-site remote peers has IKE NAT-T enabled.

Regards

BR

1 Reply

Jennifer Halim
Cisco Employee

There will be no implication for the existing VPN connections.

To answer your questions:

1) It will not impact your existing L2L tunnels.

2) It will also not impact new L2L tunnels.

3) Same, it will also not impact your remote users.

NAT-T is negotiated during the phase 1 negotiation. If it detects that the remote user/L2L VPN peer is behind a NAT device, it will negotiate the tunnel to use NAT-T (UDP-encapsulated ESP packets; by default this is UDP/4500). If during the negotiation it does not detect that the device is behind a NAT device, it will continue to just use ESP.

Hope that answers your questions.
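As an added illustration of the phase 1 NAT detection described in the reply above (this is not code from the thread or from Cisco), here is the RFC 3947 NAT-D check and the resulting choice between plain ESP and UDP/4500 encapsulation. It assumes SHA-1 as the negotiated hash and uses constructed cookies and documentation-range addresses.

```python
"""IKEv1 phase 1 NAT detection (RFC 3947 NAT-D payloads), added illustration.
Assumes SHA-1 as the negotiated HASH algorithm; all addresses are constructed."""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2."""
    packed_ip = ipaddress.ip_address(ip).packed        # network byte order
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Sender emits the peer's address hash first, then its own local address hash."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received, observed_src, observed_dst):
    """Receiver recomputes the hashes over the addresses it actually sees on the wire.
    Returns (peer_behind_nat, self_behind_nat)."""
    my_view = nat_d_hash(cky_i, cky_r, *observed_dst)   # what the peer thinks I am
    peer_view = nat_d_hash(cky_i, cky_r, *observed_src) # what the peer looks like to me
    self_behind_nat = received[0] != my_view
    peer_behind_nat = peer_view not in received[1:]
    return peer_behind_nat, self_behind_nat


def choose_encapsulation(peer_behind_nat: bool, self_behind_nat: bool) -> dict:
    """Any NAT on the path -> UDP-encapsulated ESP on UDP/4500; otherwise raw ESP (IP proto 50)."""
    if peer_behind_nat or self_behind_nat:
        return {"encap": "UDP-encapsulated ESP", "port": 4500}
    return {"encap": "ESP", "port": None}


def simulate(initiator_private, initiator_public, responder):
    """Initiator hashes its private address; the responder sees the post-NAT source."""
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed cookies
    cky_r = bytes.fromhex("fedcba9876543210")
    sent = build_nat_d_payloads(cky_i, cky_r, *initiator_private, *responder)
    return detect_nat(cky_i, cky_r, sent, observed_src=initiator_public, observed_dst=responder)


if __name__ == "__main__":
    # 3G client on a private address, seen by the ASA behind carrier NAT/PAT
    nat = simulate(("192.168.1.10", 500), ("203.0.113.5", 4321), ("198.51.100.1", 500))
    print(nat, choose_encapsulation(*nat))       # (True, False) -> UDP/4500
    # Site-to-site peer with a public address and no NAT in between
    clear = simulate(("203.0.113.9", 500), ("203.0.113.9", 500), ("198.51.100.1", 500))
    print(clear, choose_encapsulation(*clear))   # (False, False) -> ESP
```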
