When users are having trouble connecting to our VPN gateways, as part of our troubleshooting process we have them change between IPsec over UDP and IPsec over TCP. We tell them to use whichever works, without really understanding why one works over the other. I've looked for a document that could explain to me why I would want to wrap IPsec in UDP vs. TCP and can't find one. If anyone can shed some light on this I would very much appreciate it. I don't mind being "RTFM'ed" if anyone can point me to a good doc on this.
Both methods are used to tunnel IPsec through a device that would otherwise break IPsec. Those devices could be NAT, PAT or proxies. Now, not every proxy might be able to handle UDP properly or allow it, so you might go for IPsec over TCP. The standard NAT-T used to pass through NAT/PAT uses UDP 4500, which is not configurable.
So there are two components: the device you pass through and the device terminating IPsec. The combination of each one's capabilities will determine what to use.
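As an added illustration (not part of the original thread), here is what the UDP 4500 NAT-T channel mentioned in the answer looks like on the wire. RFC 3948 multiplexes IKE, ESP and keepalives on that one UDP port and tells them apart by the first bytes of the payload: a single 0xFF byte is a NAT-keepalive, four zero bytes (the "non-ESP marker") mean an IKE message follows, and anything else is UDP-encapsulated ESP whose first four bytes are the SPI (a zero SPI is reserved by RFC 4303, so ESP can never collide with the marker). The sample datagrams below are constructed for the example; the SPIs, lengths and body bytes are arbitrary.

```python
"""Demultiplex UDP/4500 (IKE NAT-T) datagrams as defined in RFC 3948.

Added example; the sample datagrams are constructed inline and nothing is
read from the network.
"""
import struct

NAT_T_PORT = 4500              # fixed by RFC 3947/3948, not negotiable
NON_ESP_MARKER = b"\x00" * 4   # precedes every IKE message sent on UDP/4500
IKE_HEADER_LEN = 28            # RFC 7296 section 3.1


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return what a UDP/4500 datagram carries plus its key header fields."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}

    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "ike", "error": "truncated IKE header"}
        (i_spi, r_spi, _next_payload, version, exch_type,
         _flags, msg_id, length) = struct.unpack("!8s8sBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": i_spi.hex(),
            "responder_spi": r_spi.hex(),
            "major_version": version >> 4,   # 1 = IKEv1, 2 = IKEv2
            "exchange_type": exch_type,      # 34 = IKE_SA_INIT in IKEv2
            "message_id": msg_id,
            "length_ok": length == len(ike),  # header length must match the datagram
        }

    if len(payload) < 8:
        return {"kind": "unknown", "error": "too short for an ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])  # ESP: SPI then sequence number
    return {"kind": "esp", "spi": spi, "seq": seq, "ciphertext_len": len(payload) - 8}


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE on UDP/4500 is sent behind the 4-byte non-ESP marker."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """ESP on UDP/4500 is sent as-is; the non-zero SPI is what distinguishes it."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("not a valid ESP packet: needs a non-zero SPI and a sequence number")
    return esp_packet


# --- constructed sample datagrams (values are arbitrary) --------------------

# IKEv2 IKE_SA_INIT request: initiator SPI set, responder SPI zero, 12-byte body.
_IKE_BODY = b"\x00" * 12
_IKE_HEADER = struct.pack(
    "!8s8sBBBBII",
    bytes.fromhex("0123456789abcdef"),  # initiator SPI
    b"\x00" * 8,                         # responder SPI (unknown yet)
    33,                                  # next payload: SA
    0x20,                                # version 2.0
    34,                                  # exchange type: IKE_SA_INIT
    0x08,                                # flags: Initiator
    0,                                   # message ID
    IKE_HEADER_LEN + len(_IKE_BODY),     # total length
)
SAMPLE_IKE_DATAGRAM = encapsulate_ike(_IKE_HEADER + _IKE_BODY)

# ESP packet: SPI 0x0000c001, sequence number 1, 16 bytes of (fake) ciphertext.
SAMPLE_ESP_DATAGRAM = encapsulate_esp(struct.pack("!II", 0x0000C001, 1) + b"\xaa" * 16)

SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, dgram in [("keepalive", SAMPLE_KEEPALIVE),
                        ("ike", SAMPLE_IKE_DATAGRAM),
                        ("esp", SAMPLE_ESP_DATAGRAM)]:
        print(name, classify_nat_t_payload(dgram))
```

The point for the troubleshooting case in the thread: a NAT or firewall only has to pass one UDP port in each direction for the whole IPsec session once NAT-T is in use, but it is still UDP, so a proxy or filter that will not carry UDP at all breaks it regardless of how the payload is framed, which is where the TCP encapsulation option comes in.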