does IPSec over TCP work on VPN 3030 external (3.) interface?

mmihalyfi
Level 1

I configured the third, external interface and can connect with ESP, and UDP tunnel, but not with IPsec over TCP.

The client says:

Unexpected TCP control packet received from a.b.c.d, src port 10000, dst port 4408, flags 14h

The concentrator doesn't log anything, although I tried several event classes.

The documentation says: "IPSec over TCP works with both the VPN software client and the VPN 3002 hardware client. It works only on the public interface. It is a client to Concentrator feature only. It does not work for LAN-to-LAN connections."

Does this mean it works only on the real, physical public interface?

Or should it work on the external interface if I tick its public interface checkbox?

Thanks for any advice,

Martin


2 Replies

mchin345
Level 6

Hi Martin,

To use IPSec over TCP, both the VPN Concentrator and the client must:

- be running version 3.5 or later software;

- have IPSec over TCP enabled;

- be configured with the same port for IPSec over TCP on both the Concentrator and the client.

Make sure you configure the same port on both sides; I think they are currently on different ports, and that is why the error message is being received.

However, if it still doesn't work after checking the configuration, it could mean that what you are saying is true, i.e. it only works on the real public interface and not on external interfaces converted to public.
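The checklist above ends with "make sure the port matches", but the client's own log line already tells you a lot: "flags 14h" is the TCP flags byte, and 0x14 is ACK+RST, so the concentrator's side (src port 10000, the usual IPSec over TCP port on the VPN 3000) answered the client's SYN with a reset. A plain TCP connect to that port on the interface you are hitting distinguishes "nothing listening there" (reset) from "a firewall drops it" (silence) without involving the VPN client at all. The script below is an added example and is not code from the thread or from Cisco; it assumes the log line format exactly as quoted in the question, and the sample line and the loopback listener used for the offline demo are constructed here.

```python
import re
import socket
from typing import Dict, List, Tuple

# TCP header flag bits (RFC 793 layout, low bit first).
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Pattern for the client's "Unexpected TCP control packet" line as quoted in the question
# (assumed format; adjust if your client build words it differently).
LOG_RE = re.compile(
    r"Unexpected TCP control packet received from (?P<peer>\S+), "
    r"src port (?P<src>\d+), dst port (?P<dst>\d+), flags (?P<flags>[0-9A-Fa-f]+)h"
)


def decode_tcp_flags(value: int) -> List[str]:
    """Return the names of the flag bits set in a TCP flags byte, e.g. 0x14 -> ['RST', 'ACK']."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def parse_client_log(line: str) -> Dict[str, object]:
    """Extract peer address, both ports and the decoded flags from the client's log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an 'Unexpected TCP control packet' line: %r" % line)
    return {
        "peer": m.group("peer"),
        "src_port": int(m.group("src")),   # concentrator side: the IPSec over TCP port
        "dst_port": int(m.group("dst")),   # client side: its ephemeral port
        "flags": decode_tcp_flags(int(m.group("flags"), 16)),
    }


def probe_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a plain TCP connect: 'open' (SYN/ACK), 'refused' (RST) or 'filtered' (no answer)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:            # timeout, host unreachable, etc.
        return "filtered"
    finally:
        sock.close()


def diagnose(parsed: Dict[str, object], probe_result: str) -> str:
    """Combine the log line and the probe result into the next thing to check."""
    peer, port = parsed["peer"], parsed["src_port"]
    if probe_result == "refused":
        return ("%s answered port %d with RST: nothing listens for IPSec over TCP on the "
                "interface you reach. Confirm the feature is enabled there and that both "
                "sides use port %d." % (peer, port, port))
    if probe_result == "filtered":
        return "no answer from %s port %d: something in the path drops it." % (peer, port)
    if "RST" in parsed["flags"]:
        return ("port %d accepts a plain connect now but the client saw RST: check that the "
                "client is configured for port %d, not another one." % (port, port))
    return "port %d accepts connections; the TCP path is fine, look at the IKE exchange next." % port


def demo_probe() -> Tuple[str, str]:
    """Exercise probe_tcp_port offline: against a live loopback listener, then after it closes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # constructed stand-in for the concentrator
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed sample matching the message quoted in the question (a.b.c.d is a placeholder).
    sample = ("Unexpected TCP control packet received from a.b.c.d, "
              "src port 10000, dst port 4408, flags 14h")
    info = parse_client_log(sample)
    print(info["flags"])        # ['RST', 'ACK']
    print(demo_probe())         # ('open', 'refused') on a normal host
    print(diagnose(info, "refused"))
```

To use it against a real concentrator, call probe_tcp_port with the address of the interface the client actually connects to and the port configured under IPSec over TCP; run it from the client's network position, since a reset seen from the LAN side says nothing about what the external interface does.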

Nelson Rodrigues
Cisco Employee
Accepted Solution

IPSec over TCP was designed to work only on the real public interface #2.

There were a few technical reasons behind this, among them:

1) Some customers terminate their tunnels on the Private interface (one-arm config), and this would cause a major headache when trying to HTTP browse the VPN 3000 if IPSec/TCP was set up for port 80/443. So we decided to yank it out of the Private interface.

2) As for the External interface #3, we chose not to enable the dynamic IPSec over TCP filters on it, mainly because of Load Balancing. Since LB only works on the real public interface #2, again we chose to leave IPSec/TCP out of it.

Nelson
