05-15-2008 07:05 AM - edited 02-21-2020 03:43 PM
Is there a way to force the VPN client to use NAT-T when the device isn't NATed but ESP is otherwise blocked?
My VPN client connects but tries to use ESP, even though IPSec over UDP is selected, after detecting that no NAT is taking place.
05-15-2008 07:41 AM
James,
Nope - it's negotiated in IKE, it's an option to detect devices that do not support VPN Pass-Thru.
HTH.
05-15-2008 07:43 AM
Thanks. Is there an option I can set on my ASA to achieve this from the other end? :-)
05-15-2008 07:47 AM
Again - nope, all you can do is disable NAT-T from either using UDP or TCP or both. But then that would break it for devices that do not support VPN PassThru.
HTH.
05-15-2008 08:04 AM
Thanks. Using Linux's 'vpnc' as the VPN client provides a "force-natt" option which does the trick so a little disappointed I can't do it with the Cisco client.
I also found references to a feature request #CSCdz58488 so I thought it may have been implemented in the current VPN client.
05-15-2008 08:07 AM
When you have a bunch of very bright people in the open source community writing apps, they will just do it as it seems like a good idea.
Cisco & feature requests.....are business driven!
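An added illustration for this thread, not code from Cisco, vpnc, or any poster: a minimal model of the RFC 3947 NAT-D comparison that IKE uses to choose between plain ESP and UDP-encapsulated ESP, which is why a client on an un-NATed path ends up on ESP. SHA-1 as the negotiated hash, the sample addresses and cookies, and the `force` parameter (standing in for the effect of an option like vpnc's force-natt, not its implementation) are assumptions.

```python
import hashlib
import ipaddress
import struct


def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    blob = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, blob).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """Sender side: first hash covers the remote end, the second the local end."""
    return [nat_d(cky_i, cky_r, *remote), nat_d(cky_i, cky_r, *local)]


def nat_detected(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Receiver side: recompute from the addresses actually on the packet."""
    dst_ok = payloads[0] == nat_d(cky_i, cky_r, *seen_dst)
    src_ok = nat_d(cky_i, cky_r, *seen_src) in payloads[1:]
    return not (dst_ok and src_ok)


def transport(nat_found, force=False):
    """force is a hypothetical flag modelling the effect of a 'force NAT-T' option."""
    return "udp-encapsulated-esp/4500" if (nat_found or force) else "esp/ip-proto-50"


# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I, CKY_R = bytes(range(8)), bytes(range(8, 16))
CLIENT, GATEWAY = ("192.0.2.10", 500), ("198.51.100.1", 500)
NAT_PUBLIC = ("203.0.113.5", 1024)  # what the gateway sees if a NAT rewrites the source


def scenario(seen_src, force=False):
    """Client sends NAT-D payloads; gateway checks them against what it observed."""
    sent = build_nat_d(CKY_I, CKY_R, CLIENT, GATEWAY)
    found = nat_detected(CKY_I, CKY_R, sent, seen_src, GATEWAY)
    return transport(found, force)


if __name__ == "__main__":
    print("direct path:   ", scenario(CLIENT))
    print("behind NAT:    ", scenario(NAT_PUBLIC))
    print("direct, forced:", scenario(CLIENT, force=True))
```

In the direct case the hashes match and the tunnel settles on ESP, so a filter that drops IP protocol 50 without translating addresses is invisible to the detection step.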