I have GRE/IPSec tunnels created to a remote site in Tashkent, Uzbekistan, running fine for over a year. Recently, the site went offline; troubleshooting shows that while some traffic is still flowing (UDP/500-IKE, TCP/23-Telnet, etc.), ESP packets being sent from the router in Tashkent are not making it back to their IPSec peers. We queried the ISP, and after much hemming and hawing, the ISP reports that their upstream provider, the state-run UzbekTelecom, was blocking ESP, and has unblocked it. Trouble is that they only unblocked it to one destination; my other 3 tunnels remain down. Of course we are concerned that they will reverse course and re-block ESP to everywhere, so we're trying to explore options for disguising ESP. Currently, folks at the site are using the Cisco VPN client against a 3005 concentrator using TCP encapsulation, which works fine. Question is, can I get 2 IOS-based routers to encapsulate ESP inside TCP? And if so, how?
Thanks for the reply. NAT-T is UDP only (port 4500), and will auto-negotiate as you mentioned, but ONLY if it detects a NAT in the path, which can be introduced by a NAT-on-a-stick approach. Tested this and it works fine, but if the state blocks ESP, likely they're sharp enough to block UDP/4500; heck, if they blocked IKE, we'd be dead with no recourse. I was hoping for a similar solution to TCP encap on the VPN Client, but I've finally decided that it just does not exist today (but it should!)
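A diagnostic check for the symptom described in this thread (ESP being sent but nothing decapsulated back), as an added example that is not part of the original post: it compares two snapshots of `show crypto ipsec sa` per peer and flags tunnels whose encaps counter advances while decaps stays flat. It assumes the standard IOS `current_peer` / `#pkts encaps` / `#pkts decaps` lines; the sample output and the RFC 5737 addresses are constructed.

```python
"""Flag IPsec peers whose ESP return path looks blocked (added example).

Two snapshots of `show crypto ipsec sa` are compared per peer: if the
"#pkts encaps" counter advances while "#pkts decaps" stays flat, the router
is sending ESP but getting none back, the symptom described in the thread.
"""
import re

PEER_RE = re.compile(r"current_peer\s+(\d+\.\d+\.\d+\.\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer_ip: (encaps, decaps)} from `show crypto ipsec sa` text."""
    counters, peer = {}, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer = m.group(1)               # counters that follow belong to this peer
            counters.setdefault(peer, [0, 0])
        elif peer and (m := ENCAPS_RE.search(line)):
            counters[peer][0] = int(m.group(1))
        elif peer and (m := DECAPS_RE.search(line)):
            counters[peer][1] = int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def one_way_esp_peers(before, after, min_sent=1):
    """Peers that sent >= min_sent new ESP packets and received none back."""
    flagged = {}
    for peer, (enc_after, dec_after) in after.items():
        enc_before, dec_before = before.get(peer, (0, 0))
        sent, received = enc_after - enc_before, dec_after - dec_before
        if sent >= min_sent and received == 0:
            flagged[peer] = sent            # idle peers (sent == 0) are not flagged
    return flagged


def sa_block(peer, encaps, decaps):
    """Constructed stand-in for one SA entry of `show crypto ipsec sa`."""
    return (f"   current_peer {peer} port 500\n"
            f"    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
            f"    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n")


# Constructed snapshots taken a few minutes apart (RFC 5737 documentation addresses).
SNAPSHOT_BEFORE = sa_block("198.51.100.1", 1000, 900) + sa_block("198.51.100.2", 500, 300)
SNAPSHOT_AFTER = sa_block("198.51.100.1", 1250, 1100) + sa_block("198.51.100.2", 740, 300)

if __name__ == "__main__":
    before, after = parse_sa_counters(SNAPSHOT_BEFORE), parse_sa_counters(SNAPSHOT_AFTER)
    for peer, sent in one_way_esp_peers(before, after).items():
        print(f"{peer}: {sent} ESP packets sent, none decapsulated -> return path blocked?")
```

Run it against two real snapshots captured a few minutes apart; a peer that shows up here while IKE (UDP/500) still completes is the pattern that pointed at an upstream ESP block in this thread.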