IPsec over TCP - required ports

muca
Level 3

Hi,

If I want to use IPsec over TCP, do I need to open any ports on my firewall other than the TCP port, for instance 10000?

What I am trying to find out is whether I also need ISAKMP, ESP, etc.

Thanks

2 Replies

chaitu_kranthi
Level 1

Hi,

I think you have to allow ISAKMP and ESP:

permit udp X.X.X.0 0.0.0.X any eq isakmp

permit esp X.X.X.0 0.0.0.X any

You still need UDP/500...

The whole point of using TCP/10000 is that you can't use ESP in this situation.

"IPsec over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or ISAKMP cannot function, or can function only with modification to existing firewall rules. IPsec over TCP encapsulates both the ISAKMP and IPsec protocols within a TCP-like packet, and enables secure tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default."

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.html#wp1059912
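To make the difference between the two answers concrete, here is an added example (not from the original thread or from Cisco): a small evaluator for a simplified subset of Cisco extended ACL syntax, run over constructed samples of the four kinds of VPN traffic involved. One rule set is the classic IPsec policy (ISAKMP on UDP/500, ESP as IP protocol 50, plus NAT-T on UDP/4500, which the thread does not mention but which a standard client behind NAT uses); the other is the single TCP/10000 rule for IPsec over TCP. The ACL grammar, rule names and sample flows are assumptions made for the demonstration.

```python
"""
Added example: compare what a firewall must permit for standard IPsec versus
IPsec over TCP, using a tiny evaluator for a subset of Cisco extended ACL
syntax ('permit|deny <proto> any any [eq <port>]').  Not Cisco code; the
rule sets and traffic samples below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers that Cisco ACLs accept by keyword (None = any protocol).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "esp": 50, "ip": None}
# Port keywords Cisco accepts after 'eq'; numeric ports are parsed directly.
PORT_NAMES = {"isakmp": 500}


@dataclass(frozen=True)
class Flow:
    proto: int             # IP protocol number of the packet
    dport: Optional[int]   # destination port; None for ESP, which has no ports
    desc: str


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None matches any IP protocol ('ip')
    dport: Optional[int]   # None matches any destination port


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse the simplified ACL lines; unknown protocols are an error."""
    rules = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                      # skip comments / blank lines
        action, proto = tok[0], tok[1]
        if proto not in PROTO_NUMBERS:
            raise ValueError(f"unsupported protocol {proto!r} in {line!r}")
        dport = None
        if "eq" in tok:
            port = tok[tok.index("eq") + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        rules.append(Rule(action, PROTO_NUMBERS[proto], dport))
    return rules


def permitted(rules: List[Rule], flow: Flow) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for r in rules:
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action == "permit"
    return False


# Constructed rule sets (source/destination kept as 'any any' for brevity).
STANDARD_IPSEC_ACL = parse_acl([
    "permit udp any any eq isakmp",   # IKE negotiation, UDP/500
    "permit esp any any",             # ESP data, IP protocol 50
    "permit udp any any eq 4500",     # NAT-T: IKE and ESP inside UDP/4500
])
IPSEC_OVER_TCP_ACL = parse_acl([
    "permit tcp any any eq 10000",    # everything rides inside this TCP port
])

# Constructed samples of the traffic a VPN client may send to the headend.
VPN_TRAFFIC = [
    Flow(17, 500, "ISAKMP (IKE) on UDP/500"),
    Flow(50, None, "ESP, IP protocol 50"),
    Flow(17, 4500, "NAT-T (IKE and ESP in UDP/4500)"),
    Flow(6, 10000, "IPsec over TCP on TCP/10000"),
]


def allowed_descriptions(rules: List[Rule]) -> List[str]:
    """Return which of the sample flows the given ACL lets through."""
    return [f.desc for f in VPN_TRAFFIC if permitted(rules, f)]


if __name__ == "__main__":
    print("standard IPsec permits:", allowed_descriptions(STANDARD_IPSEC_ACL))
    print("IPsec over TCP permits:", allowed_descriptions(IPSEC_OVER_TCP_ACL))
```

Running it shows the practical answer to the question: the TCP/10000 rule admits only the IPsec-over-TCP flow, and the standard rules admit none of it, so a firewall that fronts only IPsec-over-TCP clients needs the single TCP port, while a headend that also serves ordinary clients must keep UDP/500, ESP and (behind NAT) UDP/4500 open as well. On the ASA side the feature itself is switched on with the `crypto isakmp ipsec-over-tcp port 10000` command from the ASA 8.x configuration guide linked above; the port number must match on the client.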