Cisco Support Community

VPN Concentrator help


We are going to deploy two 3015's in separate sites with separate internet entry points and a backend WAN connecting both sites. I have some concerns regarding vendor LAN2LAN access.

If we suffer an interface failure on the internal interface of our network, I want to hairpin the vendor traffic back through a backup tunnel to our second site.

I want to know if the NAT we would normally apply to this traffic is applied on the packets on the inbound interface or the outbound internal interface. If I hairpin the traffic, will the same NAT rules apply?

And finally, can anybody see any further issues I may have with this solution?

(I have attached a diag to give you a better idea)

Many thanks



Re: VPN Concentrator help

Configure IPSec over UDP:

On the VPN Concentrator, select Configuration > User Management > Groups.

To add a group, select Add. To modify an existing group, select it and click Modify.

Click the IPSec tab, check IPSec through NAT and configure the IPSec through NAT UDP Port. The default port for IPSec through NAT is 10000 (source and destination), but this setting may be changed.

Configure IPSec over NAT-T and/or IPSec over TCP:

On the VPN Concentrator select Configuration > System > Tunneling Protocols > IPSec > NAT Transparency.

Check the IPSec over NAT-T and/or TCP check box.

If everything is enabled, use this precedence:

IPSec over TCP.

IPSec over NAT-T.

IPSec over UDP.
