"If NAT-T is not checked on the VPN Concentrator or if NAT transparency is not checked on the VPN client, the IPSec tunnel will be established however, you will not be able to pass any data. In order for NAT-T to work, you must have the NAT-T checked on the concentrator and NAT transparency (over UDP) checked on the client.
After authentication VPN client shows my parameters:
"Client IP address: 188.8.131.52
Server IP address:184.108.40.206
Transparent tunneling: inactive (SHOULD BE ACTIVE)
Tunnel port:0 (SHOULD BE UDP 500, 10000, WHATEVER)
In VPN client "transparency" is actually checked!
If NAT-T is not checked on VPN Concentrator, how could other companies (I contacted some of them) succeed with non-CISCO NAT devices such as
"SMC Barricade Plus" and "ZyWall10W"? One of admins told me there was absolutely nothing to configure.
The Only difference is that article described VPN Client ver.3.6.x. and mine is 3.5.2.B.
Anyway, on our laptops "enable transparent tunneling" is always checked,
THOUGH IT IS DIMMED even when I logon to W2000 as local admin. Why can`t I
change config? Also "group access information" cannot be changed! Only thing
I can choose is "dial-up" or LAN"
Do I have the problem with CISCO VPN client (3.5.2.B)!
Also what about "stateful firewall" setting?
And what is MTU setting in VPN dialer?
Please let me know how to check VPN Client configuration!
Also, I recorded IPSec/IKE log in CISCO VPN client during session. Can someone take a look at it (please tell Emails to send log to)
I am not quite sure what you problem is. It sounds like you might have nat-traversal enabled on the concentrator, but still have no luck sending data.
1. Enabling nat traversal on a 3000 or a Cisco PIX is critical. Every version of the software client that I remember, has UDP encapsulation (aka Nat traversal) enabled by default. Both ends of the connection need to support it. It is not clear to me what you are connecting to.
2. List of devices that support NAT-T. Almost everything should. Problem devices can be those that try to be IPSec aware - some Linksys home routers do this - they intercept some of the isakmp packets from the software client of the home user going through it to the vpn device at the company. You should be able to use the software client with nat-t from behind almost everything though.
I try to connect to VPN COncentrator 3000, version 3.6.1. with VPN client 3.5.2.B
Here in file is the authentication part (send this to you in mail) in VPN client IKE/IPSec log. It is partially succesful: with the article stated above you can compare the process of negotiation if client is behind NAT and how NAT-T capability is discovered by client. The difference is that VPN client is 3.6.1 or 3.6.2 and PIX instead of ISA,
It looks like my log misses some crucial NAT-T moments, though "transparent tunneling" IPSec over UDP is checked. Is it possible that client has a bug.
Is CISCO VPN client 3.6.1 or higher available for download?
I've worked extensively with VPN tunneling on both the Pix and VPN 3000. Nat traversal via TCP on the concentrator works flawlessly nearly 100% of the time. NAT traversal via UDP or via the PIX is much less reliable.
In generaly, I've found that NAT traversal via UDP over the PIX does not significantly affect the number of situations in which one can successfully build a tunnel. In general, if there's more than 1 VPN client behind a single PAT address (as is common in a home broadband router, or at a hotel), only ONE person at a time can successfuly build a VPN connection to a PIX, whether NAT traversal is on or not. In the exact same situation, a connection can be made into a VPN 3000 with no problem.
This may change in future revisions, but for the moment, I only see NAT traversal as being using in VPN client to 3000 concentrator situations.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :