Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Tunnel Site-to-Site VPN or Not


I need to link 2 sites together.

My internet providers does not provide VPN passthrough (ESP) protocol or the possibility to put the modem or boxes in bridge mode. Look at the following discussion for more details.


Is there a way to link the 2 sites together with security?

I have to say that GRE protocol works fine.



Everyone's tags (1)
Community Member

Hi,There are two methods that


There are two methods that can overcome this issue.

1. IPsec over UDP 

   IPsec peers try to discover if NAT/PAT device in between by NAT-D payload, if yes, two ipsec peers will automatically use UDP port 4500 to setup IPsec session, after control-plane is established successfully, data-plane traffic like ESP will also be encapsulated into UDP port 4500, in this way it can overcome ESP blocked by service provider. this method does not need any configuration if only the 2 peers support this feature. 

   However, if there is no NAT device in between, IKE will negotiated in native mode(UDP 500), data-plane traffic will be encapsulated into ESP, the data traffic will be failed if ESP blocked by SP.


2. IPsec over TCP

   This method need to configure CTCP on both sides manually, for example, 'crypto isakmp ctcp port 10000' on both sides, then both control-plane and data-plane traffic will be encapsulated into TCP, in this way also can overcome ESP blocked by service provider.



Community Member

Thanks for the information.I

Thanks for the information.

I have looked everywere to know how to do it, but I do not have the command to foolow the exemples. I only found how to listen on port 10000.

router (config)# crypto ctcp port 10000

Now, I need to know witch command I need to type to be able to use TCP?


For your info, I have this boot system flash c800-universalk9-mz.SPA.152-4.M6.bin






Community Member

The only way to make a Site

The only way to make a Site-to-Site VPN work on port 10000 is by doing EzVPN 

Router(config-crypto-ezvpn)#do sh run | sec crypto
crypto ipsec client ezvpn vpn-hw-client
 connect auto
 ctcp port 10000


I hope this helps!

CreatePlease to create content