I'm using a Cisco 7200 Router as VPN gateway for our Easy-VPN clients. The problem is that I need to tunnel the IPsec traffic over TCP. By now I have only found out that the concentrator is able to tunnel IPsec via TCP.
Does anybody know if it is planned to put this feature into Cisco IOS?
Your request is not clear. You can use TCP or UDP for IPsec. For example, when you use NAT the following will happen:
There are a number of incompatibilities when dealing with IPsec ESP/AH with NAT. To overcome the ESP limitations, the Cisco VPN client wraps the ESP packets within a UDP wrapper. This requires the server side to be able to strip off the UDP header and then perform decryption. The server should also be able to encapsulate the packets it encrypts with a UDP wrapper.
I'll try to give a more detailed description of our problem.
We are using the Easy-VPN client, which connects to a router running IOS 12.3.
Our users are connecting from a provider network with public IP addresses to the gateway.
Only one user can establish a VPN session. Concurrent sessions fail. Even the use of transparent tunnel mode doesn't fix the problem because, from my understanding, the provider router / NAT device must support this.
So I think the only way to solve the problem is to use transparent tunneling over TCP like it is supported on the concentrator.
The feature you are looking for is NAT-T (NAT Traversal). It uses UDP 4500. IOS 12.3 already has this feature. Make sure the VPN clients are 3.6 and above. IPsec over TCP is supported only on Concentrators.
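As an added worked example (not code from this thread, from Cisco IOS or from the VPN client), the following script shows the UDP wrapper that the earlier answer describes and the UDP 4500 demultiplexing that NAT-T implies: the gateway strips the 8-byte UDP header, then tells apart a 1-byte NAT keepalive, an IKE message prefixed by the 4-byte non-ESP marker, and a UDP-encapsulated ESP packet whose SPI and sequence number are still intact for decryption (RFC 3948 / RFC 3947 framing). All datagrams, SPIs and ports below are constructed, not captured from a device; the per-client source ports stand in for what a PAT device would assign, which is what lets several clients behind one address coexist once the traffic carries UDP ports.

```python
# Added example, not from the thread or from Cisco: NAT-T (RFC 3948/3947)
# framing on UDP/4500 as seen by an IPsec gateway. Sample packets are
# constructed for illustration; no real traffic or keys are involved.
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # 4 zero bytes in front of IKE on 4500
NAT_KEEPALIVE = b"\xff"                 # 1-byte keepalive (RFC 3948 sec. 2.3)

UDP_HDR = struct.Struct("!HHHH")        # src port, dst port, length, checksum
ESP_HDR = struct.Struct("!II")          # SPI, sequence number
IKE_HDR = struct.Struct("!8s8sBBBBII")  # iSPI, rSPI, next, ver, exchange, flags, msgid, length


def udp_encapsulate(payload: bytes, src_port: int = NAT_T_PORT,
                    dst_port: int = NAT_T_PORT) -> bytes:
    """Client side: prepend a UDP header. Checksum left at zero (optional for IPv4)."""
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(payload), 0) + payload


def esp_packet(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """A bare ESP packet (what IP protocol 50 would carry): SPI, seq, encrypted body."""
    if spi == 0:
        # SPI 0 is reserved; on UDP/4500 it would be mistaken for the non-ESP marker.
        raise ValueError("SPI 0 is not allowed")
    return ESP_HDR.pack(spi, seq) + ciphertext


def strip_udp_header(datagram: bytes) -> tuple[int, int, bytes]:
    """Gateway side: validate and remove the UDP wrapper -> (src_port, dst_port, payload)."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("truncated UDP header")
    src, dst, length, _cksum = UDP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"UDP length field {length} != datagram size {len(datagram)}")
    if dst != NAT_T_PORT:
        raise ValueError(f"not NAT-T traffic (dst port {dst})")
    return src, dst, datagram[UDP_HDR.size:]


def demux_nat_t(payload: bytes) -> dict:
    """Classify a UDP/4500 payload as keepalive, IKE (non-ESP marker) or encapsulated ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HDR.size:
            raise ValueError("truncated IKE header")
        ispi, rspi, _nxt, ver, xchg, _flags, _msgid, length = IKE_HDR.unpack_from(ike)
        return {"kind": "ike", "ispi": ispi.hex(), "rspi": rspi.hex(),
                "version": ver, "exchange": xchg, "length": length}
    if len(payload) < ESP_HDR.size:
        raise ValueError("too short for ESP")
    spi, seq = ESP_HDR.unpack_from(payload)
    # With the wrapper gone, 'esp' is exactly the packet the decryptor
    # would have received on IP protocol 50: SPI lookup and replay check apply as usual.
    return {"kind": "esp", "spi": spi, "seq": seq, "esp": payload}


def process(datagrams: list[bytes]) -> list[dict]:
    """Gateway loop: strip the UDP header, classify, and record the translated source port.
    After NAT-T, a peer is identified by (public IP, UDP source port), not by IP alone."""
    results = []
    for dg in datagrams:
        src_port, _dst, payload = strip_udp_header(dg)
        info = demux_nat_t(payload)
        info["src_port"] = src_port
        results.append(info)
    return results


def demo_datagrams() -> list[bytes]:
    """Constructed traffic: one IKE aggressive-mode header (already floated to 4500),
    ESP from two different clients behind the same NAT (distinct translated ports),
    and a NAT keepalive."""
    ike = NON_ESP_MARKER + IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 4, 0, 0, IKE_HDR.size)
    return [
        udp_encapsulate(ike, src_port=NAT_T_PORT),
        udp_encapsulate(esp_packet(0x1A2B3C4D, 1, b"\xde\xad\xbe\xef" * 4), src_port=1025),
        udp_encapsulate(esp_packet(0x5E6F7081, 7, b"\xca\xfe\xf0\x0d" * 4), src_port=1026),
        udp_encapsulate(NAT_KEEPALIVE, src_port=1025),
    ]


if __name__ == "__main__":
    for entry in process(demo_datagrams()):
        print(entry)
```

The two ESP datagrams carry the same destination (UDP 4500 on the gateway) but different translated source ports and SPIs, which is the property plain ESP on protocol 50 lacks when several clients sit behind one NAT address.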