I've been trying to convert all of our VPN sites to EasyVPN for ease of management etc., but a few of them I have not been able to successfully get working.
My central ASA5520 is the EasyVPN server, and all of the remote firewalls are ASA5505s (7.2(3)-7.2(4)) or PIX501s (various flavors of 6.3(x)).
The ones I have not been able to get working are the ones that sit behind someone's home router, like a little Linksys or D-Link or something, that doesn't seem to handle NAT-T properly, and I'm guessing it has to do with UDP being stateless. Two questions:
1. Could IPsec over TCP solve this issue?
2. If I enable IPsec over TCP on my central firewall, does that impact ALL of the clients? I have about 140 connected right now. Or is it similar to NAT-T, where it will be used only if necessary? Thanks.
As far as I know, IPsec over TCP is only used for VPN clients and not for EzVPN clients that happen to be other ASA devices. In some cases those D-Link and similar devices do indeed have issues handling UDP 4500; can you maybe try to leave those sites on the standard UDP 500/ESP IPsec traffic? In most cases this solves the issue.
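The three transports discussed in this thread (plain IKE on UDP 500 with ESP as IP protocol 50, NAT-T on UDP 4500, and IPsec over TCP) leave distinct traces in flow records on the hub side. The following is an added example, not code from the original post or from Cisco: it classifies each remote peer by the transport its tunnel actually uses and flags peers that only ever completed IKE on UDP 500 without any data path, which is the symptom a site behind a consumer router that mishandles NAT-T would show. The flow records are constructed sample data, and TCP port 10000 is assumed as the IPsec-over-TCP port (the usual default; the actual port is whatever is configured on the hub).

```python
"""Classify IPsec peers by transport from hub-side flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

IKE_PORT = 500            # ISAKMP / IKE
NAT_T_PORT = 4500         # NAT-T: IKE and UDP-encapsulated ESP
IPSEC_OVER_TCP_PORT = 10000  # assumption: usual default for IPsec over TCP


@dataclass(frozen=True)
class Flow:
    """One flow record as seen on the hub: proto is 'udp', 'tcp' or 'esp';
    dport is the hub-side destination port (None for ESP, which has no ports)."""
    peer: str
    proto: str
    dport: Optional[int]
    packets: int


# Constructed sample data: four remote sites talking to the hub.
SAMPLE_FLOWS: List[Flow] = [
    Flow("198.51.100.10", "udp", IKE_PORT, 12),           # IKE phase 1
    Flow("198.51.100.10", "udp", NAT_T_PORT, 900),        # then NAT-T data
    Flow("198.51.100.20", "udp", IKE_PORT, 8),            # IKE phase 1
    Flow("198.51.100.20", "esp", None, 500),              # plain ESP (proto 50)
    Flow("198.51.100.30", "udp", IKE_PORT, 40),           # IKE keeps retrying...
    Flow("198.51.100.40", "tcp", IPSEC_OVER_TCP_PORT, 300),  # IPsec over TCP
]


def classify(flows: List[Flow]) -> Dict[str, str]:
    """Return a verdict per peer based on which transports carried packets."""
    counts: Dict[str, Dict[tuple, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        counts[f.peer][(f.proto, f.dport)] += f.packets

    verdicts: Dict[str, str] = {}
    for peer, seen in counts.items():
        ike = seen.get(("udp", IKE_PORT), 0)
        natt = seen.get(("udp", NAT_T_PORT), 0)
        esp = seen.get(("esp", None), 0)
        tcp = seen.get(("tcp", IPSEC_OVER_TCP_PORT), 0)

        if tcp:
            verdicts[peer] = "ipsec-over-tcp"
        elif natt:
            verdicts[peer] = "nat-t"            # UDP 4500 passed the NAT router
        elif ike and esp:
            verdicts[peer] = "plain-ike-esp"    # UDP 500 + IP protocol 50
        elif ike:
            # IKE reached the hub but no data path ever formed: neither UDP 4500
            # nor ESP arrived. Typical for a site whose NAT router drops one of them.
            verdicts[peer] = "ike-only-no-data-path"
        else:
            verdicts[peer] = "unknown"
    return verdicts


def stuck_peers(flows: List[Flow]) -> List[str]:
    """Peers worth investigating: IKE seen, but no NAT-T, ESP or TCP data."""
    return sorted(p for p, v in classify(flows).items() if v == "ike-only-no-data-path")


if __name__ == "__main__":
    for peer, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{peer:16} {verdict}")
    print("stuck:", stuck_peers(SAMPLE_FLOWS))
```

Fed with a NetFlow or connection-table export instead of the constructed list, the same classifier separates the 140 working tunnels from the handful that never get past IKE, which narrows the troubleshooting to the remote router rather than the hub configuration.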