- Gold, 750 points or more
The VPN Client fails to pass traffic if the client comes from a Network Address Translation (NAT) or Port Address Translation (PAT) device.
At times the first VPN client connects succesfully and is able to pass traffic, but then the rest of the clients fail to connect with this displayed message:
Secure VPN Connection terminated by Peer. Reason 433:(Reason Not Specified by Peer)
In order to resolve this issue, enable NAT Traversal (NAT-T) or IPsec over User Datagram Protocol (UDP) on the VPN Concentrator.
The NAT-T allows IPsec peers to establish a connection through a NAT or PAT device. It encapsulates IPsec traffic in UDP datagrams with the use of port 4500 in order to do this, thereby it provides NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec traffic when necessary.
NAT-T is mentioned in Internet Engineering Task Force (IETF) RFC 3193, whereas UDP 10000 is a Cisco-developed method that provides a workaround for the PAT problem. The Cisco VPN 3000 Concentrator supports both NAT-T and UDP 10000.
Refer to the Configuration | System | Tunneling Protocols | IPSec | NAT Transparency section of Tunneling Protocols for more information in order to enable NAT-T on the VPN Concentrator.
Refer to How to configure NAT Transparency for more information on NAT-T.
IPsec over UDP
IPsec over UDP, sometimes called IPsec through NAT, allows you to use the Cisco VPN Client or VPN 3002 Hardware Client to connect to the VPN Concentrator on the UDP through a firewall or router that runs NAT. This feature is Cisco proprietary, it applies only to remote-access connections, and it requires Mode Configuration.
You can configure more than one group with this feature enabled, and each group can use a different port number. Port numbers must be in the 4001 through 49151 range, which is a subset of the IANA Registered Ports range.
The Cisco VPN Client must also be configured to use this feature as it is configured to use it by default. The VPN Client Connection Status dialog box indicates if the feature is being used.
In order to configure IPsec over UPD, choose Configuration > User Management > Groups > Modify > Client config.
Refer to the Configure IPSec over UDP section of Configuring NAT Transparent Mode for IPSec on the VPN 3000 Concentrator
Note: IPsec over UDP is configured on a per group basis, while IPsec over TCP/ NAT-T is configured globally. When both NAT-T and IPsec over UDP are enabled, NAT-T takes precedence.