VPN and NAT

cpembleton
Level 4

I'm doing a new VPN config on an ASA 7.2(1). Trying to find out if I should use IPSec over TCP, IPSec over UDP or NAT-T.

Any comments on which is better?

3 Replies

Fernando_Meza
Level 7

Hi .. NAT-T is used for establishing an IPsec tunnel with a device located behind a device that does NAT .. If you are setting up a LAN to LAN vpn and your ASAs have public routable addresses then you only need IPsec .. no need for UDP encapsulation. NAT-T is commonly used for allowing users running vpn clients and which are behind a NAT device such as an ADSL router - to establish an encrypted tunnel to the corporate network.

I hope it helps .. Please rate it if it does !!!

Sorry, should have been more specific. This is for remote access clients.

NAT-T, IPsec over TCP and UDP are used when normal IPsec communication cannot operate normally, like when behind a NAT and/or PAT device. Each is a different type of NAT transparency.

NAT-T still uses UDP but it has a fixed port 4500. It will also work with L2L tunnels.

I'm trying to figure out which one works the best.

Thanks,

Chad

NAT-T works SIGNIFICANTLY better than plain IPSec over UDP. Home wireless/broadband routers seem to kill IPsec over UDP connections every few minutes. However, we've had the best luck long-term with IPSec over TCP.

There may be a performance impact in using TCP instead of UDP, but we haven't been able to benchmark it.

My recommendation would be for a new deployment do it over TCP, but if you're in an existing deployment with the PCFs already set for UDP, RUN..don't walk ... to turn on NAT-T.
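To make concrete what "NAT-T still uses UDP but it has a fixed port 4500" means on the wire, and why a client behind a home router needs keepalives to stop the NAT mapping from being dropped, here is an added example (not code from Cisco, the ASA, or any poster in this thread). It classifies the payload of UDP/4500 datagrams using the RFC 3948 framing: a single 0xFF byte is a NAT keepalive, a four-zero-byte non-ESP marker prefixes IKE, and anything else is UDP-encapsulated ESP (SPI then sequence number). The sample packets are constructed by hand, not captured traffic; the SPI and IKE header values are placeholders.

```python
"""Classify UDP/4500 (NAT-T) datagram payloads by their RFC 3948 framing.

Added example for illustration; not code from Cisco or the forum post.
The sample packets in build_sample_packets() are constructed, not captured.
"""
import struct
from collections import Counter

NAT_T_PORT = 4500                     # the fixed port NAT-T uses for both IKE and ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes mark IKE carried on port 4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that holds the NAT mapping open
# ISAKMP/IKE header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length (28 bytes, network order)
IKE_HEADER = struct.Struct("!QQBBBBII")


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return a dict describing one UDP/4500 payload (keepalive, IKE, ESP or malformed)."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}

    if payload.startswith(NON_ESP_MARKER):
        # An ESP SPI of zero is reserved, so a zero prefix can only be the non-ESP marker.
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "short IKE header"}
        ispi, rspi, _next, version, exch, _flags, msg_id, length = IKE_HEADER.unpack_from(ike)
        if length != len(ike):
            return {"kind": "malformed", "reason": "IKE length field does not match datagram"}
        return {
            "kind": "ike",
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "version": f"{version >> 4}.{version & 0x0F}",  # 1.0 = IKEv1, 2.0 = IKEv2
            "exchange_type": exch,
            "message_id": msg_id,
        }

    # Otherwise this is UDP-encapsulated ESP: 4-byte SPI, 4-byte sequence number, ciphertext.
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "short ESP header"}
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


def build_sample_packets() -> list:
    """Constructed payloads in the order a NAT-T client might send them (placeholder values)."""
    # IKEv1 header only: initiator SPI set, responder SPI 0, no next payload,
    # version 1.0, exchange type 2 (identity protection), message ID 0.
    ike = IKE_HEADER.pack(0x1122334455667788, 0, 0, 0x10, 2, 0, 0, IKE_HEADER.size)
    esp_1 = struct.pack("!II", 0x0000ABCD, 1) + b"\x5a" * 32  # SPI, seq 1, opaque ciphertext
    esp_2 = struct.pack("!II", 0x0000ABCD, 2) + b"\x5a" * 32  # same SA, seq 2
    return [NON_ESP_MARKER + ike, esp_1, NAT_KEEPALIVE, esp_2]


def summarize(payloads) -> Counter:
    """Count how many datagrams of each kind were seen on UDP/4500."""
    return Counter(classify_nat_t_payload(p)["kind"] for p in payloads)


if __name__ == "__main__":
    samples = build_sample_packets()
    for p in samples:
        print(classify_nat_t_payload(p))
    print(summarize(samples))
</```

Pointing `classify_nat_t_payload` at the UDP payloads of a capture filtered on port 4500 shows at a glance whether a client is actually negotiating NAT-T (IKE behind the marker), passing encrypted traffic (ESP with advancing sequence numbers), and sending keepalives between data bursts. A client whose keepalives stop arriving before the router's UDP mapping timeout is the situation the reply above describes as the tunnel being "killed every few minutes".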