Cisco Support Community

Site-to-site VPN using UDP?

Is it possible to create a site-to-site VPN when one end is behind an ISP NAT'ed internet connection using a Cisco router?

Specifically, can IPSEC use UDP? So far I have only managed to do this using OpenVPN.

Regards

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Site-to-site VPN using UDP?

Hi,

The site-to-site VPN can be established if you're doing NAT.

ISAKMP is established using UDP port 500 and then the encrypted traffic is encapsulated using ESP.

If it's NAT, it's not a problem.

If you're using PAT, ESP causes problems because ESP has no layer 4 information and therefore cannot be PATed.

If this is the situation, just use NAT-T so that ESP traffic will be encapsulated in UDP port 4500.

This should work with no problems.

Federico.
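
Added example, not part of the original post: the port usage described in the answer above, shown as a Python classifier for UDP datagrams on ports 500 and 4500 using the RFC 3948 framing (non-ESP marker, NAT keepalive, ESP-in-UDP). The function names, the PAT-translated source port and the sample packets are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500  # UDP ports named in the answer above

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP header + payload (checksum left at 0) for the samples."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(datagram: bytes) -> dict:
    """Classify one UDP datagram (8-byte header + payload) per RFC 3948."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length field")
    payload = datagram[8:length]
    info = {"sport": sport, "dport": dport}
    # After PAT only one side keeps the well-known port, so check both.
    if IKE_PORT in (sport, dport):
        info["kind"] = "ike"                  # ISAKMP before NAT is detected
    elif NATT_PORT in (sport, dport):
        if payload == b"\xff":
            info["kind"] = "nat-keepalive"    # keeps the PAT mapping alive
        elif payload[:4] == b"\x00" * 4:
            info["kind"] = "ike-over-natt"    # 4 zero bytes = non-ESP marker
        elif len(payload) >= 8:
            # Anything else is ESP: SPI (never zero) then sequence number.
            spi, seq = struct.unpack("!II", payload[:8])
            info.update(kind="esp-in-udp", spi=spi, seq=seq)
        else:
            info["kind"] = "malformed"
    else:
        info["kind"] = "other"
    return info

# Constructed sample traffic; 31544 stands in for a PAT-translated source port.
SAMPLES = [
    udp(500, 500, b"\x11" * 28),
    udp(31544, 4500, b"\x00" * 4 + b"\x11" * 28),
    udp(31544, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 32),
    udp(31544, 4500, b"\xff"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```

Because the ESP packet now rides inside a UDP header, the PAT device has source and destination ports to translate, which native ESP (IP protocol 50) does not provide.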

2 REPLIES

Re: Site-to-site VPN using UDP?

PAT, sorry. But you explained for all cases. Wonderful.

Thank you!
