Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9601
Views
0
Helpful
6
Replies

Difference between IPsecover UDP and IPSec over TCP

Go to solution
mahesh18
Level 6
Level 6

‎05-28-2014 12:13 PM - edited ‎02-21-2020 07:39 PM

 

Hi Everyone,

 

I am testing the VPN connection from user PC.

When i test  from user PC  using IPsecoverTCP  it uses protocol 10000.

When i check on ASA - ASDM under connection details

ike1-------------UDP Destination Port 500

IPsecOverTCP    TCP Dst Port 10000

 

 

using Ipsecover UDP

IKEv1----------UDP Destination Port 500

IPsecOverUDP--------------Tunnel UDP Destination Port 10000

 

So seems while using TCP or UDP it is using same port 500 and 10000.

 

Need to know what is major difference between these two connections is it just TCP  or UDP?

 

Regards

MAhesh

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Poonam Garg
Level 3
Level 3

‎05-28-2014 11:18 PM

IPSec over TCP is used in the scenarios where:

1. UDP port 500 is blocked, resulting in incomplete IKE negotiations

2. ESP is not allowed to pass and as a result encrypted traffic does not traverse.

3. Network administrator prefers to use a connection-oriented protocol.

4. IPSec over TCP might be necesary when the intermediary NAT or PAT device is stateful firewall.

With IPSec over TCP there is no room for negotiation like there is IPSec over UDP. IPSec over TCP packets are encapsulated from the start of the tunnel establishment cycle.This feature is available only for remote access VPN not for L2L tunnel. Also does not work with proxy-based firewall.

 

Whereas IPSec over UDP, similar to NAT-T, is used to encapsulate the ESP packets using a UDP wrapper. Useful in scenarios where the VPN clients do not support NAT-T and are behind a firewall that does not allow ESP packets to pass through. IN IPSec over UDP, the IKE negotiations still use UDP port 500.

View solution in original post

0 Helpful

Go to solution
Poonam Garg
Level 3
Level 3
In response to mahesh18

‎05-29-2014 08:37 PM

Hi Mahesh,

As you are telling this is a L2L VPN connection between ASA1 and VPN ASA. IPSec over TCP is not supported for L2L connections.It is only for remote access VPN.

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Poonam Garg
Level 3
Level 3

‎05-28-2014 11:18 PM

IPSec over TCP is used in the scenarios where:

1. UDP port 500 is blocked, resulting in incomplete IKE negotiations

2. ESP is not allowed to pass and as a result encrypted traffic does not traverse.

3. Network administrator prefers to use a connection-oriented protocol.

4. IPSec over TCP might be necesary when the intermediary NAT or PAT device is stateful firewall.

With IPSec over TCP there is no room for negotiation like there is IPSec over UDP. IPSec over TCP packets are encapsulated from the start of the tunnel establishment cycle.This feature is available only for remote access VPN not for L2L tunnel. Also does not work with proxy-based firewall.

 

Whereas IPSec over UDP, similar to NAT-T, is used to encapsulate the ESP packets using a UDP wrapper. Useful in scenarios where the VPN clients do not support NAT-T and are behind a firewall that does not allow ESP packets to pass through. IN IPSec over UDP, the IKE negotiations still use UDP port 500.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Poonam Garg

‎05-29-2014 08:02 PM

 

Hi Poonam,

 

You explained really well.

I have below setup 

ASA1---L2L-----ASA2------ASA3---VPN ASA

When users behind ASA1 connect using IPSEC over TCP connection gets disconnected after sometime giving error 412.

I check the connection details it shows error

pkts replay failed (rcv): 100

 

I try to increase the Window size of replay to 1024 still no luck and try to disable antireplay on VPN

ASA still same thing.

 

however when i use IPSECover  UDP VPN connection works fine no disconnections,pkt replay failed

stays at zero.

Can you tell me what else i can do to troubleshoot this?

 

Regards

MAhesh

0 Helpful

Go to solution
Poonam Garg
Level 3
Level 3
In response to mahesh18

‎05-29-2014 08:37 PM

Hi Mahesh,

As you are telling this is a L2L VPN connection between ASA1 and VPN ASA. IPSec over TCP is not supported for L2L connections.It is only for remote access VPN.

 

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Poonam Garg

‎05-29-2014 09:43 PM

 

Hi Poonam,

L2L connection is  only between ASA1 and ASA2.

User is connected to ASA1 and he is running Remote access VPN client that connects to

VPN ASA.

Regards

MAhesh

0 Helpful

Go to solution
Poonam Garg
Level 3
Level 3
In response to mahesh18

‎05-30-2014 04:10 AM

Mahesh

Please go through this document. Hope this will answer your query.

 

 

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Poonam Garg

‎05-30-2014 10:37 AM

 

Many thanks Poonam

 

 

Regards

MAhesh

0 Helpful
Customers Also Viewed These Support Documents