Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2327
Views
5
Helpful
21
Replies

Satellite VPN

Robert Craig
Level 3
Level 3

‎04-10-2012 08:38 AM

I have an IPSEC VPN across a satellite connection. My satellite provider provides TCP acceleration from both ends to make the experience better, which it does for most traffic. However, with my IPSEC VPN (router on my end and pix on the other), the traffic is encrypted in UDP 500 traffic so the TCP headers are never seen and can't be accelerated. My thoughts on this is to use IPSEC over TCP, much like some people do when NAT comes into play or some weird firewall. Would this work? If I configure my 2811 to use IPSEC over TCP (isakmp ctcp port 45 or something similar), then the TCP acceleration would be able to do it's job. My only fear is the PIX 515e on the other end of the tunnel won't support this feature. Any help is appreciated.

Labels:
0 Helpful
21 Replies 21

Jouni Forss
VIP Alumni
VIP Alumni

‎04-10-2012 08:47 AM

Hi,

The Command Reference for PIX software 7.0 does include the following command. I have never tried this but does seem to point to the fact that you could configure what you are talking about

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html#wp1645243

 isakmp ipsec-over-tcp 


 To enable IPSec over TCP, use the isakmp ipsec-over-tcp command in global configuration mode. To disable IPSec over TCP, use the no form of this command. 


isakmp ipsec-over-tcp [port port1...port10] 


no isakmp ipsec-over-tcp [port port1...port10] 


 Syntax Description




 





 port port1...port10 




 (Optional) Specifies the ports on which the device accepts IPSec over  TCP connections. You can list up to 10 ports. Port numbers can be in the  range 1-65535. The default port number is 10000. 








 


 Defaults 


 The default value is disabled. 


 Command Modes 


 The following table shows the modes in which you can enter the command:




 





 Command Mode 

 

 Firewall Mode 

 

 Security Context 

 






 Routed 

 

 Transparent 

 

 Single 

 

 Multiple 

 






 Context 

 

 System 

 






 Global configuration 




 








 


















 Command History




 





 Release 

 

 Modification 

 






 7.0 




 This command was introduced. 








 


 Examples 


 This example, entered in global configuration mode, enables IPSec over TCP on port 45: 




hostname(config)# isakmp ipsec-over-tcp port 45

- Jouni

Robert Craig
Level 3
Level 3
In response to Jouni Forss

‎04-10-2012 09:09 AM

OK, I'll give it a shot. Thanks!

0 Helpful

Agustin Ciciliani
Level 1
Level 1
In response to Robert Craig

‎08-24-2015 06:08 AM

Hi Robert, did you finally managed to get the IPSec tunnel working and TCP accelerated using Easy VPN with ctcp?
 

0 Helpful

Javier Portuguez
Level 9
Level 9

‎04-10-2012 12:37 PM

Hi,

Are we talking about a L2L tunnel?

The isakmp ipsec-over-tcp port command enables the PIX to connect to a Cisco VPN Software and Hardware Client on any port for IPsec over TCP, not L2L tunnels.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080645722.shtml#intro

Please let me know if you have any questions.

0 Helpful

Robert Craig
Level 3
Level 3
In response to Javier Portuguez

‎04-10-2012 01:30 PM

Oh, actually, yeah I guess it would be a L2L tunnel. What is my situation considered then? Pix 515E to 2811. All traffic going to Pix LAN gets caught by a route-map, otherwise all traffic goes out regular internet. Oh, and the goal of this whole project is to extend VOIP services to users hanging off of satellite. CUCM is located behind PIX and satellite users using a local CME with H323 trunk to CUCM.

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to Robert Craig

‎04-10-2012 06:27 PM

Hi Robert,

Since you have a Router and a PIX, I would suggest Easy VPN. With this topology IPsec over TCP is supported.

To define who is the client and the server its up to you.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ezvpn505.html#wp1017851

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdm5505.pdf

Please let me know.

* Please do not forget to rate the posts if you find some help.

0 Helpful

Robert Craig
Level 3
Level 3
In response to Javier Portuguez

‎04-11-2012 04:40 AM

OK, I might try that method. If I do it this way, do you think my satellites TCP acceleration will kick in and help things?

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to Robert Craig

‎04-11-2012 05:37 AM

Dear Robert,

As long as the VPN connection gets established with IPsec over TCP on port 10000, then the ISP will see these packets traversing their transit networks, I just hope this TCP accelaration does not manipulate or change the TCP packet in a way that the tunnel would not work, however, this is something you might want to try since it is quite simple to test.

Please let me know.

Thanks.

0 Helpful

Robert Craig
Level 3
Level 3
In response to Javier Portuguez

‎04-11-2012 07:23 AM

OK, I'll try it tonight. Just to make sure, I need to apply isakmp ctcp port 10000 on both devices?

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to Robert Craig

‎04-11-2012 07:57 AM

Yes, It would be better.

Thanks.

0 Helpful

Robert Craig
Level 3
Level 3
In response to Javier Portuguez

‎04-11-2012 08:06 AM

OK. My pix also terminates other VPN tunnels that use the standard UDP 500 port. If I apply this command, will it break those connection or will it allow the PIX to use either one?

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to Robert Craig

‎04-11-2012 08:28 AM

Should not be a problem.

If the client does not have IPsec over TCP enabled, then it will not use it.

LAN-to-LANs will ignore it.

Keep me posted.

Thanks in advance.

0 Helpful

Robert Craig
Level 3
Level 3
In response to Javier Portuguez

‎04-11-2012 08:31 AM

Will do! Thanks!

0 Helpful

Robert Craig
Level 3
Level 3
In response to Robert Craig

‎04-11-2012 11:01 AM

OK, so I tried it remotely from my office and ended up kicking the  router off the VPN. I used the below link to configure the 2811. On the  PIX I just created another client policy with the ASDM. However, the  link never came back up. Do I have to do any static routing at the 2811  or on the PIX for each others LAN to work with EZVPN?

http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/ezvpn.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents