05-28-2014 12:13 PM - edited 02-21-2020 07:39 PM
Hi Everyone,
I am testing the VPN connection from a user PC.
When I test from the user PC using IPsec over TCP it uses protocol 10000.
When I check on the ASA (ASDM) under connection details:
IKEv1 ---------- UDP Destination Port 500
IPsecOverTCP --- TCP Dst Port 10000
Using IPsec over UDP:
IKEv1 ---------- UDP Destination Port 500
IPsecOverUDP --- Tunnel UDP Destination Port 10000
So it seems that while using TCP or UDP it is using the same ports, 500 and 10000.
I need to know what the major difference between these two connections is. Is it just TCP or UDP?
Regards
Mahesh
05-28-2014 11:18 PM
IPSec over TCP is used in the scenarios where:
1. UDP port 500 is blocked, resulting in incomplete IKE negotiations.
2. ESP is not allowed to pass and as a result encrypted traffic does not traverse.
3. The network administrator prefers to use a connection-oriented protocol.
4. IPSec over TCP might be necessary when the intermediary NAT or PAT device is a stateful firewall.
With IPSec over TCP there is no room for negotiation like there is with IPSec over UDP. IPSec over TCP packets are encapsulated from the start of the tunnel establishment cycle. This feature is available only for remote access VPN, not for L2L tunnels. It also does not work with proxy-based firewalls.
Whereas IPSec over UDP, similar to NAT-T, is used to encapsulate the ESP packets using a UDP wrapper. It is useful in scenarios where the VPN clients do not support NAT-T and are behind a firewall that does not allow ESP packets to pass through. In IPSec over UDP, the IKE negotiations still use UDP port 500.
05-29-2014 08:02 PM
Hi Poonam,
You explained it really well.
I have the below setup:
ASA1---L2L-----ASA2------ASA3---VPN ASA
When users behind ASA1 connect using IPsec over TCP, the connection gets disconnected after some time, giving error 412.
I checked the connection details and it shows the error:
pkts replay failed (rcv): 100
I tried to increase the replay window size to 1024, still no luck, and tried to disable anti-replay on the VPN ASA; still the same thing.
However, when I use IPsec over UDP the VPN connection works fine, no disconnections, and pkts replay failed stays at zero.
Can you tell me what else I can do to troubleshoot this?
Regards
Mahesh
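An added example, not from this thread or from Cisco, that parses connection-details lines like the ones quoted above, maps each protocol/port pair to the encapsulation Poonam describes, and compares the anti-replay counter between two snapshots of the same session so a rising count (as seen with the TCP tunnel) is distinguished from a flat one. The snapshot text is constructed, and the UDP 4500 NAT-T entry is assumed from standard IKE behaviour rather than taken from the thread.

```python
import re

# Constructed snapshots in the style of the ASDM connection-details lines
# quoted in this thread (sample text, not captured from a real ASA).
SNAPSHOT_T0 = """\
IKEv1          UDP Destination Port 500
IPsecOverTCP   TCP Dst Port 10000
pkts replay failed (rcv): 0
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("(rcv): 0", "(rcv): 100")

# ASA default ports -> how the IPsec traffic is carried. UDP 4500 (NAT-T)
# is assumed from standard IKE behaviour; the others are from the thread.
ENCAPSULATION = {
    ("UDP", 500): "IKE (ISAKMP) negotiation",
    ("UDP", 4500): "NAT-T: IKE and ESP inside UDP 4500",
    ("UDP", 10000): "IPsec over UDP: ESP inside a UDP wrapper",
    ("TCP", 10000): "IPsec over TCP: IKE and ESP inside one TCP stream",
}

PORT_RE = re.compile(r"\b(UDP|TCP)\s+(?:Destination|Dst)\s+Port\s+(\d+)", re.I)
REPLAY_RE = re.compile(r"pkts replay failed \(rcv\):\s*(\d+)")


def parse_snapshot(text):
    """Extract the (proto, port) pairs and the inbound anti-replay drop counter."""
    ports, replay = {}, 0
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            key = (m.group(1).upper(), int(m.group(2)))
            ports[key] = ENCAPSULATION.get(key, "unknown encapsulation port")
        m = REPLAY_RE.search(line)
        if m:
            replay = int(m.group(1))
    return ports, replay


def assess(before, after):
    """Compare two snapshots of one session; return a list of findings."""
    ports, r0 = parse_snapshot(before)
    _, r1 = parse_snapshot(after)
    mode = "TCP" if ("TCP", 10000) in ports else "UDP"
    findings = [f"encapsulation: {mode} 10000 ({ports.get((mode, 10000))})"]
    if r1 > r0:
        # A counter that keeps climbing during the session means packets are
        # arriving outside the anti-replay window (reordered or lost on the
        # path); a value that stays flat is not the live problem.
        findings.append(f"anti-replay drops rising: {r0} -> {r1}")
    return findings
```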
05-29-2014 08:37 PM
Hi Mahesh,
As you are saying, this is a L2L VPN connection between ASA1 and VPN ASA. IPSec over TCP is not supported for L2L connections. It is only for remote access VPN.
05-29-2014 09:43 PM
Hi Poonam,
The L2L connection is only between ASA1 and ASA2.
The user is connected to ASA1 and is running a remote access VPN client that connects to the VPN ASA.
Regards
Mahesh
05-30-2014 04:10 AM
05-30-2014 10:37 AM
Many thanks, Poonam.
Regards
Mahesh