IPsec over TCP has the advantage of supporting NAT/PAT firewalls, including things like Gauntlet proxy firewalls if you use a plug proxy. IPsec/UDP won't support all those options. The advantage with the TCP option is that it's the most palatable to firewall admins. I don't know whether port 80 is your best option, though, depending on how you're planning on managing your concentrator. Also, firewall admins can get a bit antsy if you try to sneak an IPsec connection through their firewall by tunneling over TCP/80. It can be better to be up front about it and use a different port that is specifically allowed to the remote concentrator only.
I prefer to tunnel the IPsec over TCP/80 to bypass NAT/PAT/firewall devices. The reason I am using port 80 is that it is allowed at almost every company, so if we want to set up a VPN connection between our company and a third party there's little or no configuration to be done.
We also have a lot of employees working at customers' sites; allowing them to set up a VPN tunnel to our network will be easier over TCP/80 than over any other port. I also know that the third parties need to be informed if we implement this!
I already know why to use TCP instead of UDP, but I want to know if there are any security issues in using UDP or TCP for an IPsec tunnel!
I just want to know what's more secure, IPsec over UDP or TCP, and why.
The TCP option is more reliable, of course, because TCP is connection-oriented and reliable, whereas UDP is unreliable and connectionless.
Whichever you use, it is just used as a wrapper for the original IPsec packet, so there is not much concern about security, as these wrappers are removed completely when the packets go for decryption on either side of the tunnel.
PS: If you use TCP/80 on the vpn3k for this purpose, you won't be able to manage the box on that port via HTTP; you can use any non-standard port or https://
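To make the "wrapper" point above concrete for the UDP case, here is an added example (not code from the original thread or from Cisco) that parses the standard NAT-T encapsulation on UDP/4500 as defined in RFC 3948: a payload starting with a zero 32-bit "non-ESP marker" carries IKE, a single 0xFF byte is a NAT keepalive, and anything else is ESP with its SPI in the first four bytes (SPI 0 is never used on the wire, which is what makes the discriminator work). It also simulates a PAT device rewriting the UDP source port and shows that the receiver still maps the packet to the same SA by SPI, since the UDP header is outside what ESP authenticates. All packets are constructed inline; SPI values, ports and ciphertext bytes are arbitrary sample data.

```python
"""RFC 3948 NAT-T demultiplexing and PAT rewrite demo (added example, constructed data)."""
import struct

IKE_HDR = "!QQBBBBII"          # I-SPI, R-SPI, next payload, ver, exch type, flags, msg id, length
IKE_HDR_LEN = struct.calcsize(IKE_HDR)  # 28 bytes


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP header + payload. Checksum is zero; RFC 3948 lets the sender do that."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_udp(datagram: bytes) -> tuple:
    """Return (sport, dport, payload) from a raw UDP datagram."""
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, datagram[8:length]


def esp_over_udp(spi: int, seq: int, ciphertext: bytes, sport: int = 4500) -> bytes:
    """Wrap an ESP packet (SPI, sequence number, opaque ciphertext+ICV) in UDP/4500."""
    assert spi != 0, "SPI 0 is reserved; it would be mistaken for the non-ESP marker"
    return udp_datagram(sport, 4500, struct.pack("!II", spi, seq) + ciphertext)


def ike_over_udp(ike_header_and_payloads: bytes, sport: int = 4500) -> bytes:
    """Wrap an IKE message in UDP/4500 with the 4-byte zero non-ESP marker."""
    return udp_datagram(sport, 4500, b"\x00\x00\x00\x00" + ike_header_and_payloads)


def classify_nat_t_payload(payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload the way a NAT-T receiver does (RFC 3948 s.2)."""
    if payload == b"\xff":
        return {"type": "keepalive"}
    if len(payload) < 8:
        return {"type": "invalid", "reason": "shorter than an ESP header"}
    if payload[:4] == b"\x00\x00\x00\x00":
        if len(payload) < 4 + IKE_HDR_LEN:
            return {"type": "invalid", "reason": "IKE header truncated"}
        i_spi, r_spi, _np, ver, exch, flags, msg_id, length = struct.unpack(
            IKE_HDR, payload[4:4 + IKE_HDR_LEN])
        return {"type": "ike", "initiator_spi": i_spi, "responder_spi": r_spi,
                "version": (ver >> 4, ver & 0x0F), "exchange_type": exch,
                "flags": flags, "message_id": msg_id, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"type": "esp", "spi": spi, "seq": seq, "ciphertext_len": len(payload) - 8}


def pat_rewrite(datagram: bytes, new_sport: int) -> bytes:
    """Simulate a PAT device: rewrite the UDP source port, leave the payload untouched."""
    sport, dport, payload = parse_udp(datagram)
    return udp_datagram(new_sport, dport, payload)


def sa_for_datagram(datagram: bytes) -> int:
    """What the peer keys the inbound SA lookup on: the SPI, not the UDP 5-tuple."""
    info = classify_nat_t_payload(parse_udp(datagram)[2])
    if info["type"] != "esp":
        raise ValueError("not an ESP packet: " + info["type"])
    return info["spi"]


def demo() -> dict:
    """Run the three packet types through the classifier and a PAT hop."""
    # Constructed sample data: arbitrary SPI, sequence number and 16-byte 'ciphertext'.
    esp = esp_over_udp(0xC0FFEE01, 7, bytes(range(16)))
    # Constructed IKEv2 IKE_SA_INIT header: exchange type 34, initiator flag 0x08, no payloads.
    ike = ike_over_udp(struct.pack(IKE_HDR, 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HDR_LEN))
    keepalive = udp_datagram(4500, 4500, b"\xff")
    behind_pat = pat_rewrite(esp, 61234)  # PAT picks a new source port
    return {
        "esp": classify_nat_t_payload(parse_udp(esp)[2]),
        "ike": classify_nat_t_payload(parse_udp(ike)[2]),
        "keepalive": classify_nat_t_payload(parse_udp(keepalive)[2]),
        "same_sa_after_pat": sa_for_datagram(esp) == sa_for_datagram(behind_pat),
        "pat_sport": parse_udp(behind_pat)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The firewall-facing consequence is visible in `pat_rewrite` and `sa_for_datagram`: the only thing a NAT/PAT device can change is the UDP wrapper, and the only thing the peer uses to find the SA is the SPI inside ESP, so opening UDP/500 and UDP/4500 exposes the concentrator's IKE responder and ESP demultiplexer and nothing behind them; the encrypted inner packet is not inspectable by the firewall either way.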
I'm only concerned that I need to open a UDP port through my firewalls and was looking for some security risks there.
I'm aware that the use of TCP/80 to tunnel the traffic disables the option to manage the VPN concentrator, but this is only for the public interface. I can still manage the VPN concentrator through the private interface.
Login to the FXOS chassis manager.
Point your browser to https://hostname/ and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which does get hits, to permit tcp from the inside interface to any6.
In Syslog I also se...