I have got a strange situation. If I connect to the VPN server using the home GPRS network, the VPN service works fine. As soon as the same client (same computer, same Cisco VPN client) goes abroad, there are complaints that VPN access does not work, although I see that packets come in on UDP:500.
It does seem that the ISAKMP phase times out in exchanging certificates because it takes longer from a foreign GPRS network! I tried to find how to enlarge the initial ISAKMP timeout but was not successful yet :-( Any idea?
Nov 19 15:23:23: %SEC-6-IPACCESSLOGP: list 102 permitted udp 22.214.171.124(500) -> XXX.XXX.XXX.XXX(500), 5 packets
I looked at "debug crypto isakmp" - it seemed quite normal. The idea about the timeout came to my mind because if I do not enter the username/password (already after the ISAKMP phase with certificates is done) for just a few seconds, it times out and disconnects.
I've encountered the same problems with some of my users who VPN from home using GPRS. I too suspected that the connection failed because the timing for ISAKMP was 'out of sync'. So to fix that, I just switched the option on the Cisco VPN client (Properties -- Transport) to enable transparent tunneling 'IPSec over TCP' and the problem was solved. At least TCP will provide a mechanism with reliability instead of using unreliable UDP. Hope this helps in some way.