NAT-Traversal

Hi Guys,

When using EZVPN IOS client, is there a way to force it to use NAT-T??

I know it automatically uses NAT-T if it detects NAT in the network, however can you force it to use NAT-T even without a NAT??

Cheers

Scott

NAT-Traversal

Hi Scott,

Yes, you can.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1049093

crypto ipsec nat-transparency udp-encapsulation

Hope that helps.

Thanks

Rizwan Rafeek

NAT-Traversal

Hi Rizwan,

I tried that command, however this is on automatically in 12.4T code, hence it is still using the auto detect feature rather than forcing NAT-T.

Cheers

NAT-Traversal

Hi all,

Cisco devices use NAT-T detection by default, and you cannot disable this behaviour, as it saves overhead by not encapsulating packets in UDP while there are no NAT devices in between, so the proper way is to use NAT-T. But the software clients do not support NAT-T and work directly using UDP encapsulation.

By default, the Easy VPN hardware client and server encapsulate IPSec in User Datagram Protocol (UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices, prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to encapsulate IPSec within TCP packets to enable secure tunneling. If your environment allows UDP, however, configuring IPSec over TCP adds unnecessary overhead.
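How the NAT auto-detection discussed in this thread works on the wire, as an added example that is not part of the original posts or of any Cisco code: each IKE peer sends NAT-D payloads (RFC 3947) hashing the ISAKMP cookies together with the addresses and ports as it sees them, and the receiver recomputes those hashes with the source address it actually observed, so any mismatch means a NAT rewrote something and the peers float to UDP/4500. The cookies, addresses and the negotiated hash (SHA-1) below are constructed for the simulation.

```python
import hashlib
import ipaddress
import struct

# RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port). HASH is the
# algorithm negotiated in IKE phase 1 (MD5 or SHA-1), IP is the packed 4- or
# 16-byte address, Port is 2 bytes in network byte order.
def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(hash_name, cky_i + cky_r + addr + struct.pack("!H", port)).digest()

def detect_nat(cky_i, cky_r, peer_nat_d, peer_view_of_me_nat_d, observed_peer, my_addr, hash_name="sha1"):
    """Recompute the two NAT-D hashes the peer sent using the addresses we
    actually see. A mismatch on either side means a NAT (or PAT) rewrote an
    address or port, and the peers will switch to UDP/4500 (NAT-T)."""
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_peer, hash_name=hash_name) != peer_nat_d
    self_behind_nat = nat_d_hash(cky_i, cky_r, *my_addr, hash_name=hash_name) != peer_view_of_me_nat_d
    return {"peer_behind_nat": peer_behind_nat,
            "self_behind_nat": self_behind_nat,
            "use_nat_t": peer_behind_nat or self_behind_nat}

def simulate(client_behind_nat):
    """Constructed scenario: an Easy VPN client builds its NAT-D payloads from
    its own view of the addresses; the server validates them on receipt."""
    cky_i = bytes.fromhex("0102030405060708")   # constructed initiator cookie
    cky_r = bytes.fromhex("1112131415161718")   # constructed responder cookie
    server = ("198.51.100.1", 500)              # constructed server address
    client_real = ("192.168.1.10", 500)         # what the client sees locally
    # With a NAT in the path the server observes a translated address and port.
    client_seen = ("203.0.113.5", 61000) if client_behind_nat else client_real
    # The client hashes its own address and the server's address as it knows them.
    client_nat_d = nat_d_hash(cky_i, cky_r, *client_real)
    server_nat_d = nat_d_hash(cky_i, cky_r, *server)
    return detect_nat(cky_i, cky_r, client_nat_d, server_nat_d, client_seen, server)

if __name__ == "__main__":
    print("NAT in path:", simulate(True))
    print("No NAT:     ", simulate(False))
```

Because the decision is derived from hashes both peers compute independently, a peer with an unchanged address will always produce matching NAT-D payloads, which is why detection alone never yields NAT-T on a path without address translation.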
