Community Member

IPSec vs IPSec Over NAT-T

I would appreciate an explanation of the difference between these two terms.

I am doing some remote work while I do some traveling. Normally, when I work from home my VPN connection uses the IPSecOverNatT Protocol when I view the current VPN connections through ASDM. I am currently on a University campus and my connection is now just the plain IPSec protocol. What causes this change and what is the change?

Accepted Solutions
Cisco Employee

Re: IPSec vs IPSec Over NAT-T

It will only use NAT-T (UDP/4500) if the path has PAT configured. Because plain IPsec (ESP) is a protocol, not TCP or UDP with a port number, it can't pass through a PAT device. Therefore, during the IPsec negotiation, if it detects that there is PAT in the path, it will use NAT-T. Otherwise, it will just use the plain ESP packet.

Hope that answers your question.
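
The detection step described in the answer above, as an added example that is not part of the original post. It follows the NAT-D hash comparison from RFC 3947 (IKEv1 NAT traversal); the function names, cookies and addresses are constructed for illustration, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import ipaddress
import struct

ESP, NAT_T = "plain ESP (IP protocol 50)", "ESP in UDP/4500 (NAT-T)"

def nat_d_hash(cky_i, cky_r, ip, port, alg="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    packed = ipaddress.ip_address(ip).packed  # 4 bytes (IPv4) or 16 (IPv6)
    return hashlib.new(alg, cky_i + cky_r + packed + struct.pack("!H", port)).digest()

def detect_nat(cky_i, cky_r, nat_d_dst, nat_d_srcs, seen_src, seen_dst):
    """Receiver-side check: compare the peer's NAT-D hashes with hashes of the
    addresses and ports actually present on the received packet."""
    # Peer hashed the destination it aimed at; a mismatch means our side is translated.
    local_nat = nat_d_dst != nat_d_hash(cky_i, cky_r, *seen_dst)
    # Peer hashed its own address(es); no match means the peer's source was rewritten.
    peer_nat = nat_d_hash(cky_i, cky_r, *seen_src) not in nat_d_srcs
    return local_nat or peer_nat

def gateway_decision(client, gateway, seen_src, cky_i, cky_r):
    """Client builds NAT-D payloads from its own view; gateway checks them
    against the packet as it arrived (seen_src may have been rewritten by PAT)."""
    nat_d_dst = nat_d_hash(cky_i, cky_r, *gateway)
    nat_d_srcs = [nat_d_hash(cky_i, cky_r, *client)]
    natted = detect_nat(cky_i, cky_r, nat_d_dst, nat_d_srcs, seen_src, gateway)
    return NAT_T if natted else ESP

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I, CKY_R = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
GATEWAY = ("203.0.113.1", 500)

def home_behind_pat():
    # Private client address; the PAT device rewrites source IP and port.
    return gateway_decision(("192.168.1.10", 500), GATEWAY, ("198.51.100.7", 31500), CKY_I, CKY_R)

def path_without_pat():
    # No translation on the path: the packet arrives exactly as it was sent.
    return gateway_decision(("192.0.2.25", 500), GATEWAY, ("192.0.2.25", 500), CKY_I, CKY_R)

if __name__ == "__main__":
    print("home:", home_behind_pat())
    print("no PAT:", path_without_pat())
```
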

Community Member

Re: IPSec vs IPSec Over NAT-T

The difference is that when you have NAT-T enabled, it uses port 4500 for UDP encapsulation instead of the usual ISAKMP port, UDP 500, which conflicts with NAT. This is in some cases controlled by the VPN hub/server.

Community Member

Re: IPSec vs IPSec Over NAT-T

NAT-T is enabled. There are other clients that are connected who are using the NAT-T protocol, but mine is IPSec. So my connection being reverted to the plain IPSec is being caused by the university campus connection I'm using?

