
IPSec vs IPSec Over NAT-T

rcmcdonald91
Level 1

I would appreciate an explanation of the difference between these two terms.

I am doing some remote work while I do some traveling. Normally, when I work from home my VPN connection uses the IPSecOverNatT Protocol when I view the current VPN connections through ASDM. I am currently on a University campus and my connection is now just the plain IPSec protocol. What causes this change and what is the change?

1 Accepted Solution

Accepted Solutions

It will only use NAT-T (UDP/4500) if the path has PAT configured. Because plain IPSEC (ESP) is a protocol, not TCP or UDP with a port number, it can't pass through a PAT device. Therefore, during the IPSEC negotiation, if it detects there is PAT in the path, it will use NAT-T. Otherwise, it will just use the plain ESP packet.

Hope that answers your question.
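
An added illustration, not part of any reply in this thread: the posts do not say how the PAT is detected, so this sketch assumes the IKEv1 NAT-D exchange from RFC 3947, where each peer sends `HASH(CKY-I | CKY-R | IP | Port)` for both endpoints and the receiver recomputes it from the addresses it actually sees. The cookies, addresses, SHA-1 choice and function names are constructed for the example.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def nat_d_payloads(cky_i, cky_r, local, remote):
    """Payloads a peer sends: remote (destination) hash first, then its own."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def select_transport(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Receiver side: recompute both hashes from the addresses and ports
    actually seen on the packet; any mismatch means a NAT/PAT rewrote it."""
    dst_hash, src_hash = payloads
    translated = (src_hash != nat_d_hash(cky_i, cky_r, *seen_src)
                  or dst_hash != nat_d_hash(cky_i, cky_r, *seen_dst))
    return "IPSecOverNatT (ESP in UDP/4500)" if translated else "IPSec (ESP, IP protocol 50)"

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
GATEWAY = ("198.51.100.10", 500)

def home_session():
    # Client on a private address; the home router PATs it to 203.0.113.7:23511.
    sent = nat_d_payloads(CKY_I, CKY_R, ("192.168.1.20", 500), GATEWAY)
    return select_transport(CKY_I, CKY_R, sent, ("203.0.113.7", 23511), GATEWAY)

def campus_session():
    # Assumed: the client's address and port reach the gateway unmodified.
    sent = nat_d_payloads(CKY_I, CKY_R, ("192.0.2.45", 500), GATEWAY)
    return select_transport(CKY_I, CKY_R, sent, ("192.0.2.45", 500), GATEWAY)

if __name__ == "__main__":
    print("home:  ", home_session())
    print("campus:", campus_session())
```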


Kent Heide
Level 1

The difference is that when you have NAT-T enabled, it uses port 4500 for UDP encapsulation instead of the usual ISAKMP port, which is UDP 500, which conflicts with NAT. This is in some cases controlled by the VPN hub/server.

NAT-T is enabled. There are other clients that are connected who are using the NAT-T protocol, but mine is IPSec. So my connection being reverted to the plain IPSec is being caused by the university campus connection I'm using?
