Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN hardware client 3002

How we can configure the 3002 to use IPSEC over UDP in order to authenticate with ISKAMP?

How Can I enroll a certificate by using file base-64 in the hardware client?

We are trying to use a hardare client to replace a software client. should anything be changed in the concentrator? Is the concentrator aware of the type of client?


Re: VPN hardware client 3002

IPSec over UDP is configured on a per group basis, while IPSec over TCP/ NAT-T is configured globally.

Configure IPSec over UDP:

On the VPN Concentrator, select Configuration > User Management > Groups.

To add a group, select Add. To modify an existing group, select it and click Modify.

Click the IPSec tab, check IPSec through NAT and configure the IPSec through NAT UDP Port. The default port for IPSec through NAT is 10000 (source and destination), but this setting may be changed.

Configure IPSec over NAT-T and/or IPSec over TCP:

On the VPN Concentrator select Configuration > System > Tunneling Protocols > IPSec > NAT Transparency.

Check the IPSec over NAT-T and/or TCP check box.

If everything is enabled, use this precedence:

IPSec over TCP.

IPSec over NAT-T.

IPSec over UDP.

To en roll the certificate follow the steps

Manually grant or reject each re-enrollment request on the Cisco IOS CA server (unless "grant auto" is used on the Cisco IOS CA server).

The Cisco IOS CA server still needs to either grant or reject each of these requests (with the assumption that the Cisco IOS CA does not have "grant auto" enabled). However, no administrative action on the enrolling router is required to start the re-enrollment process.

Save the new re-enrolled certificate in the re-enrolling VPN router, if appropriate.

If there are no unsaved configuration changes pending in the router, then the new certificate is automatically saved to the Non-Volatile RAM (NVRAM). The new certificate is written in the NVRAM and the previous certificate is removed.

If there are unsaved configuration changes pending, then you must issue the copy run start command on the enrolling router in order to save the configuration changes and the new re-enrolled certificate into the NVRAM. Once the copy run start command is completed, then the new certificate is written in the NVRAM and the previous certificate is removed.

New Member

Re: VPN hardware client 3002

Thanks for the answer. But I still need some more information.

My scenario is that I have a certification for a software client that connects to a remote concentrator not managed by me. I whant to install a 3002 instead of the software client.

My question is how to configure the 3002 without doing changes in the remote concentrator.