Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

UDP over IPSec (CISCO VPN Client 3.5.2)

Can someone give me a list of NAT devices that support UDP over IPSec over NAT to VPN CONCENTRATOR!

Only tested devices, please.



New Member

Re: UDP over IPSec (CISCO VPN Client 3.5.2)

This one for sure support for what you request: the Cisco routers. Tested it.

New Member

Re: UDP over IPSec (CISCO VPN Client 3.5.2)

I have been investigating on CISCO site and found a very interesting article

describing my problem :

Upon authentication, cannot ping anything !

According to article there are 2 options:

"If NAT-T is not checked on the VPN Concentrator or if NAT transparency is not checked on the VPN client, the IPSec tunnel will be established however, you will not be able to pass any data. In order for NAT-T to work, you must have the NAT-T checked on the concentrator and NAT transparency (over UDP) checked on the client.

After authentication VPN client shows my parameters:

"Client IP address:

Server IP address:

Transparent tunneling: inactive (SHOULD BE ACTIVE)

Tunnel port:0 (SHOULD BE UDP 500, 10000, WHATEVER)


In VPN client "transparency" is actually checked!

If NAT-T is not checked on VPN Concentrator, how could other companies (I contacted some of them) succeed with non-CISCO NAT devices such as

"SMC Barricade Plus" and "ZyWall10W"? One of admins told me there was absolutely nothing to configure.

The Only difference is that article described VPN Client ver.3.6.x. and mine is 3.5.2.B.

Anyway, on our laptops "enable transparent tunneling" is always checked,

THOUGH IT IS DIMMED even when I logon to W2000 as local admin. Why can`t I

change config? Also "group access information" cannot be changed! Only thing

I can choose is "dial-up" or LAN"

Do I have the problem with CISCO VPN client (3.5.2.B)!

Also what about "stateful firewall" setting?

And what is MTU setting in VPN dialer?

Please let me know how to check VPN Client configuration!

Also, I recorded IPSec/IKE log in CISCO VPN client during session. Can someone take a look at it (please tell Emails to send log to)




Re: UDP over IPSec (CISCO VPN Client 3.5.2)

Howdy Vlad,

I am not quite sure what you problem is. It sounds like you might have nat-traversal enabled on the concentrator, but still have no luck sending data.


1. Enabling nat traversal on a 3000 or a Cisco PIX is critical. Every version of the software client that I remember, has UDP encapsulation (aka Nat traversal) enabled by default. Both ends of the connection need to support it. It is not clear to me what you are connecting to.

2. List of devices that support NAT-T. Almost everything should. Problem devices can be those that try to be IPSec aware - some Linksys home routers do this - they intercept some of the isakmp packets from the software client of the home user going through it to the vpn device at the company. You should be able to use the software client with nat-t from behind almost everything though.

New Member

Re: UDP over IPSec (CISCO VPN Client 3.5.2)


I try to connect to VPN COncentrator 3000, version 3.6.1. with VPN client 3.5.2.B

Here in file is the authentication part (send this to you in mail) in VPN client IKE/IPSec log. It is partially succesful: with the article stated above you can compare the process of negotiation if client is behind NAT and how NAT-T capability is discovered by client. The difference is that VPN client is 3.6.1 or 3.6.2 and PIX instead of ISA,

It looks like my log misses some crucial NAT-T moments, though "transparent tunneling" IPSec over UDP is checked. Is it possible that client has a bug.

Is CISCO VPN client 3.6.1 or higher available for download?



New Member

Re: UDP over IPSec (CISCO VPN Client 3.5.2)

I've worked extensively with VPN tunneling on both the Pix and VPN 3000. Nat traversal via TCP on the concentrator works flawlessly nearly 100% of the time. NAT traversal via UDP or via the PIX is much less reliable.

In generaly, I've found that NAT traversal via UDP over the PIX does not significantly affect the number of situations in which one can successfully build a tunnel. In general, if there's more than 1 VPN client behind a single PAT address (as is common in a home broadband router, or at a hotel), only ONE person at a time can successfuly build a VPN connection to a PIX, whether NAT traversal is on or not. In the exact same situation, a connection can be made into a VPN 3000 with no problem.

This may change in future revisions, but for the moment, I only see NAT traversal as being using in VPN client to 3000 concentrator situations.

CreatePlease to create content