Oct 8th, 2006

hi guys

I've read somewhere that when all options (NAT-T, TCP, UDP) are enabled for transporting IPsec traffic, especially when dealing with PAT, the one that takes precedence is IPsec/TCP.

However, when doing some assessments I found out that the answer was NAT-T. Is that correct? Please clarify that for me.

thanks in advance

Andrew von Nagy Sun, 10/08/2006 - 20:50

My understanding is that IPSec over TCP is preferred when remote clients are traversing a stateful firewall. This is because the stateful firewall can keep track of the TCP session state much better than it can a UDP traffic flow. Also, stateful firewalls are usually configured with a higher session timeout (inactivity) when TCP is in use rather than when UDP is in use.

For remote access VPNs, I have been using TCP without issue. I tried UDP for a while just to compare, and if I let it sit inactive for just a few minutes I would get disconnected. Very annoying.


kamal-learn Sun, 10/08/2006 - 22:26

Thanks AndrewvonNagy.

Yes indeed, I know that when using a stateful firewall the correct way to go is to use IPsec/TCP; IPsec/UDP will not work. But maybe I didn't make my question clear in my first post, so here is the situation exactly: you have a 3000 series VPN concentrator, and you have configured on it the three options NAT-T, IPsec/TCP and IPsec/UDP. Which among them will the VPN use? Certainly it will give precedence to only one, so which one?
