06-18-2009 12:55 AM - edited 02-21-2020 04:16 PM
Hi,
If I want to use ipsec over tcp do I need to open any ports on my firewall other than the tcp port, for instance 10000?
What I am trying to find out is if I also need ISAKMP, ESP etc.
Thanks
06-18-2009 06:50 AM
Hi,
I think you have to allow ISAKMP & ESP
permit udp X.X.X.0 0.0.0.X any eq isakmp
permit esp X.X.X.0 0.0.0.X any
06-18-2009 10:48 AM
You still need udp/500...
The whole point of using tcp/10000 is that you can't use esp in this situation.
"IPsec over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or ISAKMP cannot function, or can function only with modification to existing firewall rules. IPsec over TCP encapsulates both the ISAKMP and IPsec protocols within a TCP-like packet, and enables secure tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default."
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.html#wp1059912
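An added example, not from the thread or from Cisco: a small evaluator for ACL entries in the form posted above, run against the four flow types the thread mentions (ISAKMP udp/500, ESP, NAT-T udp/4500, IPsec over TCP on tcp/10000) to show which rule set lets which flow through. The 192.0.2.0/24 source network and client address are constructed placeholders standing in for the X.X.X.0 values in the post.

```python
import ipaddress

# Protocol and port names that appear in the thread's ACL lines.
PROTO_NUM = {"udp": 17, "tcp": 6, "esp": 50}
PORT_NAMES = {"isakmp": 500}

# Constructed flow table: name -> (IP protocol, destination port or None).
FLOWS = {
    "isakmp": (17, 500),          # native IKE
    "esp": (50, None),            # native ESP, no ports
    "nat-t": (17, 4500),          # IKE/ESP inside UDP 4500
    "ipsec-over-tcp": (6, 10000), # Cisco IPsec over TCP, default port 10000
}

def _wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse 'permit|deny <proto> (<addr> <wildcard>|any) any [eq <port>]'."""
    tok = line.split()
    if tok[0] not in ("permit", "deny"):
        raise ValueError("not an ACE: " + line)
    action, proto, i = tok[0], PROTO_NUM[tok[1]], 2
    if tok[i] == "any":
        src, i = ("0.0.0.0", "255.255.255.255"), i + 1
    else:
        src, i = (tok[i], tok[i + 1]), i + 2
    if tok[i] != "any":  # the thread's lines all use 'any' as destination
        raise ValueError("unsupported destination in: " + line)
    i += 1
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": action, "proto": proto, "src": src, "dport": port}

def acl_permits(acl, src_ip, proto, dport=None):
    """First match wins; an implicit deny sits at the end, as on Cisco ACLs."""
    for ace in acl:
        if ace["proto"] != proto or not _wildcard_match(src_ip, *ace["src"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False

def check_flows(acl_lines, client_ip="192.0.2.10"):
    """Return {flow name: permitted?} for one client address (constructed)."""
    acl = [parse_ace(line) for line in acl_lines]
    return {name: acl_permits(acl, client_ip, p, d) for name, (p, d) in FLOWS.items()}
```

With only the ISAKMP and ESP lines from the earlier reply, the tcp/10000 flow is dropped by the implicit deny; with only a tcp/10000 permit, native ISAKMP and ESP are dropped, which is the situation IPsec over TCP exists for.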