IPSec over TCP vs IPSec over UDP

v.chow
Level 1

In my VPN Client 3.6.1, IPSec over TCP with port 80 works behind a PIX firewall using PAT, but it does not work if I connect to the Internet directly with a public address from my ISP. Why?

IPSec over UDP with the default port 10000 works on the Internet with a public address from the ISP, but it does not work behind a PIX firewall. Why?

Which method can cater for both situations so that there is less interruption on the client, i.e. a public address from the ISP and a private address behind a PAT firewall?

7 Replies

afakhan
Level 4

Hi,

First scenario:

It could be due to your ISP doing some caching on TCP 80 (the WWW port), which especially happens if you are using a dial-up account; you should be using any port other than TCP 80.

Second scenario:

For IPsec/UDP you need to open up IPsec/UDP (the configured port) on the PIX firewall, and UDP 500 (ISAKMP) as well. But if you are trying to use more than one client behind the PIX at the same time, then IPsec/UDP is not a solution for you; use IPsec/TCP instead.

Thanks,

Afaq

Hi Afaq,

Is the PIX not capable of allowing several VPN clients using "IPSec over UDP" to create a VPN tunnel?

That differs from my test result here: a PIX doing NAT or PAT is able to allow multiple remote VPN clients to terminate VPN tunnels on the Concentrator.

Hi ,

I have a problem with the VPN client!

I can't open several IPsec tunnels at the same time.

When I open a second tunnel, the first one is dropped with: "The remote peer has terminated your VPN connection".

The remote peer is a PIX and the VPN clients are on a LAN behind a router!

LAN-------router----------------pix

When doing IPsec over TCP nothing works.

What's wrong?

Sounds like a NAT/PAT issue. Are you doing PAT for your clients on the router? You will need to have static 1-to-1 NAT translations. IPsec over TCP isn't a feature that works to the PIX, only to a 3000 concentrator. That should be up and coming when 6.3 is released; talk to your local account manager for details on that. But until then, when connecting to the PIX you will need to do a 1-to-1 static NAT translation.

Kurtis Durrett

Hi Afaq,

here is my design :

Vpn client 1|----------router(PAT)----------PIX
            |
Vpn client 2|

It is impossible for me to run two VPN clients at the same time over UDP.

The router has only one IP address from the ISP, so I do PAT.

Why can't I run several VPN clients behind the router?

I tried IPsec/TCP but it does not work.

I created an access-list with TCP port 10000 on the PIX but nothing happened.

Is IPsec/TCP supported on the PIX?

Regards,

Currently only the VPN 3000 concentrators support IPsec over TCP/UDP. You will need to have a static address for each client behind your router PAT device to connect to the PIX. If you're running 12.2.5T you can set up a one-to-one ESP NAT translation that will allow one of your two clients to connect to the PIX without the additional public IPs.

Kurtis Durrett
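The reason behind both of Kurtis's replies above (PAT cannot carry two raw-ESP clients to the same peer, which is why the first tunnel dies when the second comes up, and why UDP or TCP encapsulation is needed) can be seen in a small model. The following is an added example, not code from the thread or from Cisco: it simulates a router doing PAT with one public address. Raw ESP (IP protocol 50) has no port field, so the router can only key the return path on the peer address, and the second client overwrites the first; IPsec over UDP or TCP gives each client its own translated port. The addresses, SPIs and port 10000 are constructed sample values, and the PAT logic is a deliberately simple assumption rather than any particular vendor's implementation.

```python
"""Toy PAT model: raw ESP vs UDP/TCP-encapsulated ESP behind one public IP (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not taken from the thread.
PUBLIC_IP = "203.0.113.10"   # the router's single ISP-assigned address
PEER_IP = "198.51.100.1"     # the PIX / VPN 3000 the clients tunnel to
CLIENTS = {"client1": "192.168.1.11", "client2": "192.168.1.12"}


@dataclass(frozen=True)
class Packet:
    proto: str                   # "esp" (IP protocol 50), "udp" or "tcp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for raw ESP: there is no transport header to rewrite
    dport: Optional[int] = None
    spi: int = 0                 # ESP SPI (raw) or the SPI carried inside the UDP/TCP payload


class PatDevice:
    """A router with one public address doing port address translation (assumed behaviour)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.flows: Dict[Tuple, int] = {}                    # inside 5-tuple -> public port
        self.port_return: Dict[Tuple, Tuple[str, int]] = {}  # (proto, public port, peer, peer port) -> inside
        self.esp_return: Dict[str, str] = {}                 # peer ip -> inside ip: only one entry fits
        self.events: List[str] = []

    def outbound(self, pkt: Packet) -> Packet:
        """Translate inside->outside and return the packet as it appears on the wire."""
        if pkt.proto == "esp":
            # No port to multiplex on, so a second inside host steals the return path.
            prev = self.esp_return.get(pkt.dst)
            if prev is not None and prev != pkt.src:
                self.events.append(f"ESP return path for {pkt.dst} moved {prev} -> {pkt.src}")
            self.esp_return[pkt.dst] = pkt.src
            return Packet("esp", self.public_ip, pkt.dst, spi=pkt.spi)
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.flows:
            self.flows[flow] = self.next_port       # one unique public port per inside flow
            self.port_return[(pkt.proto, self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.flows[flow], pkt.dport, pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate outside->inside; None means no mapping exists and the packet is dropped."""
        if pkt.proto == "esp":
            inside = self.esp_return.get(pkt.src)
            return None if inside is None else Packet("esp", pkt.src, inside, spi=pkt.spi)
        entry = self.port_return.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port, pkt.spi)


def simulate(encapsulation: str) -> Dict[str, object]:
    """Bring up both client tunnels, then have the peer send each client one ESP packet.
    Returns, per client, whether that packet reached the right host with the right SPI.
    encapsulation is "esp" (raw), "udp" (IPsec over UDP 10000) or "tcp" (IPsec over TCP 10000)."""
    pat = PatDevice(PUBLIC_IP)
    inbound_spi = {"client1": 0x1001, "client2": 0x2002}   # constructed per-client SA identifiers
    wire: Dict[str, Packet] = {}
    for name, ip in CLIENTS.items():                        # phase 1: both tunnels come up
        if encapsulation == "esp":
            wire[name] = pat.outbound(Packet("esp", ip, PEER_IP, spi=0xAAAA))
        else:
            wire[name] = pat.outbound(Packet(encapsulation, ip, PEER_IP, 10000, 10000, 0xAAAA))
    result: Dict[str, object] = {}
    for name, ip in CLIENTS.items():                        # phase 2: the peer talks back to each
        w = wire[name]
        if encapsulation == "esp":
            reply = Packet("esp", PEER_IP, w.src, spi=inbound_spi[name])
        else:
            reply = Packet(encapsulation, PEER_IP, w.src, w.dport, w.sport, inbound_spi[name])
        got = pat.inbound(reply)
        # A client only accepts ESP for an SPI it negotiated; anything else is silently dropped.
        result[name] = got is not None and got.dst == ip and got.spi == inbound_spi[name]
    result["events"] = pat.events
    return result


if __name__ == "__main__":
    for mode in ("esp", "udp", "tcp"):
        print(mode, simulate(mode))
```

With raw ESP the model reports client1 losing its return path as soon as client2 connects, which matches the "remote peer has terminated your VPN connection" symptom; with UDP or TCP encapsulation both clients keep working because each has its own public port. A one-to-one ESP NAT entry, as Kurtis suggests, is exactly the single `esp_return` slot: it serves one client, not two.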

Thanks very much for information!
