Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

TCP Encapsulation for ESP traffic - possible?

I have GRE/IPSec tunnels created to a remote site in Tashkent, Uzbekistan, running fine for over a year. Recently, the site went offline, troubleshooting shows that while some traffic is still flowing (UDP/500-IKE, TCP/23-Telnet, etc.), ESP packets being sent from the router in Tashkent are not making it back to their IPSec peers. We queried the ISP, and after much hemming and hawing, the ISP reports that their upstream provider, the state-run UzbekTelecom, were blocking the ESP, and have unblocked it. Trouble is that they only unblocked it to one destination, my other 3 tunnels remain down. Of course we are concerned that they will reverse course and re-block ESP to everywhere, so we're trying to explore options for disguising ESP. Currently, folks at the site are using Cisco VPN client against a 3005 concentrator using TCP encapsulation, which works fine. Question is, can I get 2 IOS-based routers to encapsulate ESP inside TCP? And if so, how?


Re: TCP Encapsulation for ESP traffic - possible?

Ipsec in TCP (or UDP) is called NAT-Traversal or NAT-Transparency. The peers automatically detect NAT and negotiate NAT-T during the IKE exchange.

Not sure if you can force it but if you configure it the peers may prefer it.

New Member

Re: TCP Encapsulation for ESP traffic - possible?

Thanks for the reply. NAT-T is UDP only (port 4500), and will auto-negotiate as you mentioned, but ONLY if it detects a NAT in the path, which can be introduced by a NAT-on-a-stick approach. Tested this and works fine, but if the state blocks ESP, likely they're sharp enough to block UDP/4500, heck if they blocked IKE, we'd be dead with no recourse. I was hoping for a similar solution to TCP encap on the VPN Client, but I've finally decided that it just does not exist today (but it should!)

New Member

Re: TCP Encapsulation for ESP traffic - possible?

if they are not blocking GRE then you can go for the other option, i.e. IPSec inside GRE instead of GRE inside IPSec.

Just change the interesting traffic for the ipsec from:

permit gre host x host y


permit ip lanA lanB

this will make the IPSec header as the inside header and GRE header as the outsied header.

Do not forget to make the ipsec transform set in transport mode as IPSec inside GRE only works in transport mode.

hope that this helps

New Member

Re: TCP Encapsulation for ESP traffic - possible?

You can (on PIX OS 7.x and later) and on the ASA's configure which TCP port can be used as well for nat-traversal with the following command:

isakmp ipsec-over-tcp port 15000

The VPN Concentrators also support nat-traversal over TCP. I am unsure whether the current IOS routers support it.

Hope this helps


CreatePlease to create content