
New Member

IKE NAT-T

I tested from an iPad Cisco client using 3G; it is specifically looking for IKE NAT-T to be enabled to establish the remote VPN tunnel.

My case is as below:

I'm using an ASA 5520 without IKE NAT-T enabled, but for IPsec I have NAT-T enabled for some tunnels and not for a few others.

Similarly, I know IKE NAT-T is globally configured.

I have remote access VPN, AnyConnect and site-to-site VPN on the same device.

My questions are:

1.     If I enable IKE NAT-T globally, what will happen to the existing site-to-site VPN tunnels? I hope that the active tunnels will not be disturbed, but if a new tunnel is trying to negotiate, will that have a problem?

2.     What will be the implication for creating a new site-to-site tunnel if IKE NAT-T is enabled?

3.     None of my site-to-site remote peers have IKE NAT-T enabled.

Regards

BR

1 REPLY
Super Bronze

Re: IKE NAT-T

There will be no implication for the existing VPN connections.

To answer your questions:

1) It will not impact your existing L2L tunnels.

2) It will also not impact new L2L tunnels.

3) Same, it will also not impact your remote users.

NAT-T is negotiated during the phase 1 negotiation. What will happen is, if it detects that the remote user/L2L VPN peer is behind a NAT device, then it will negotiate the tunnel to use NAT-T (UDP-encapsulated ESP packets; by default on UDP/4500). If during the negotiation it does not detect that the device is behind a NAT device, then it will continue to just use ESP.

Hope that answers your questions.
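The NAT detection the reply describes is the NAT-D exchange of RFC 3947: each peer sends hashes of the addresses it believes it is talking to and from, and the other side recomputes them from what it actually sees on the wire. The following Python model is an added example and is not code from the post or from Cisco's ASA; it assumes SHA-1 as the negotiated phase 1 hash, uses constructed cookies and addresses, and labels the two encapsulation outcomes with its own strings.

```python
"""Added example (not from the Cisco post): a model of the RFC 3947 NAT-D
exchange described in the reply. NAT detection happens in IKEv1 phase 1 and
decides between plain ESP and UDP/4500 NAT-T encapsulation.
All cookies, addresses and ports below are constructed sample values."""
import hashlib
import ipaddress
import struct

# Constructed phase 1 cookies (real ones are random 8-byte values per SA).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
HASH_ALGO = "sha1"  # assumption: the negotiated phase 1 hash algorithm is SHA-1


def nat_d_hash(cky_i, cky_r, ip, port, algo=HASH_ALGO):
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2."""
    h = hashlib.new(algo)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)  # address in network byte order
    h.update(struct.pack("!H", port))          # port as 2 bytes, network order
    return h.digest()


def build_nat_d(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port):
    """The two NAT-D payloads a peer sends: first the hash of the address it is
    sending TO, then the hash of the address it believes it is sending FROM."""
    return (nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port))


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port, own_ip, own_port):
    """Recompute both hashes from what was actually observed on the wire.
    A mismatch on the sender's FROM hash means the sender is behind a NAT;
    a mismatch on the TO hash means we ourselves are behind a NAT."""
    to_hash, from_hash = received
    sender_behind_nat = from_hash != nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    self_behind_nat = to_hash != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    return sender_behind_nat, self_behind_nat


def choose_encapsulation(sender_behind_nat, self_behind_nat):
    """NAT-T (UDP-encapsulated ESP on UDP/4500) is used only when a NAT was detected."""
    if sender_behind_nat or self_behind_nat:
        return "udp-encap-esp/4500"
    return "esp"


def negotiate(asa_ip, asa_port, peer_private_ip, peer_private_port, nat_public_ip, nat_public_port):
    """Model one phase 1 NAT-D exchange from the ASA's point of view.
    The peer builds its payloads from its own (possibly private) address, while
    the ASA sees the source address after any NAT device in the path."""
    sent_by_peer = build_nat_d(CKY_I, CKY_R, peer_private_ip, peer_private_port, asa_ip, asa_port)
    peer_nat, asa_nat = detect_nat(CKY_I, CKY_R, sent_by_peer,
                                   nat_public_ip, nat_public_port, asa_ip, asa_port)
    return {"peer_behind_nat": peer_nat,
            "asa_behind_nat": asa_nat,
            "encapsulation": choose_encapsulation(peer_nat, asa_nat)}


# Scenario 1: remote-access user (e.g. a 3G client) behind a carrier NAT.
REMOTE_USER = negotiate("203.0.113.10", 500, "192.168.1.20", 500, "198.51.100.7", 41000)

# Scenario 2: site-to-site peer with a public address and no NAT in the path.
SITE_TO_SITE = negotiate("203.0.113.10", 500, "198.51.100.50", 500, "198.51.100.50", 500)

if __name__ == "__main__":
    for name, result in (("remote user", REMOTE_USER), ("site-to-site", SITE_TO_SITE)):
        print(f"{name}: {result}")
```

The two scenarios mirror the reply: the NATed 3G client's FROM hash no longer matches the translated source address the ASA observes, so the exchange falls over to UDP/4500, while the site-to-site peer with a public address produces matching hashes and stays on plain ESP. Enabling NAT-T globally therefore only changes behaviour for peers where a NAT is actually detected.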
