There are two methods that can overcome this issue.
1. IPsec over UDP
The IPsec peers use the NAT-D payload to discover whether a NAT/PAT device sits between them. If one does, the two IPsec peers automatically use UDP port 4500 to set up the IPsec session. After the control plane is established successfully, data-plane traffic such as ESP is also encapsulated in UDP port 4500, which overcomes ESP being blocked by the service provider. This method does not need any configuration as long as both peers support this feature.
However, if there is no NAT device in between, IKE is negotiated in native mode (UDP 500) and data-plane traffic is encapsulated in ESP, so the data traffic will fail if ESP is blocked by the SP.
2. IPsec over TCP
This method requires configuring CTCP manually on both sides, for example 'crypto isakmp ctcp port 10000' on both sides. Both control-plane and data-plane traffic are then encapsulated in TCP, which also overcomes ESP being blocked by the service provider.
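The NAT-D comparison behind method 1, as an added example that is not part of the original post or any vendor's code: each peer sends HASH(CKY-I | CKY-R | IP | Port) as defined in RFC 3947, and the receiver recomputes it from the addresses it actually sees. The function names, cookies, addresses and the choice of SHA-1 as the negotiated hash are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, cky_i + cky_r + packed).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """Sender side: first payload covers the destination, second its own source."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def nat_detected(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Receiver side: recompute the hashes from the addresses seen on the wire."""
    dst_hash, src_hashes = payloads[0], payloads[1:]
    sender_translated = nat_d_hash(cky_i, cky_r, *seen_src) not in src_hashes
    receiver_translated = nat_d_hash(cky_i, cky_r, *seen_dst) != dst_hash
    return sender_translated or receiver_translated

def data_plane(nat_found, esp_blocked):
    """Return (encapsulation, traffic_passes) for the outcome of NAT detection."""
    if nat_found:
        # Assumes UDP 4500 itself is permitted along the path.
        return ("ESP in UDP 4500", True)
    # No NAT found: IKE stays on UDP 500 and data uses native ESP.
    return ("native ESP", not esp_blocked)

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
RESPONDER = ("203.0.113.10", 500)

def scenario(initiator_real, initiator_seen, esp_blocked=True):
    """Run detection as the responder would, then pick the data-plane outcome."""
    payloads = build_nat_d(CKY_I, CKY_R, initiator_real, RESPONDER)
    found = nat_detected(CKY_I, CKY_R, payloads, initiator_seen, RESPONDER)
    return data_plane(found, esp_blocked)

if __name__ == "__main__":
    # Initiator behind PAT: source rewritten from 10.0.0.5:500 to 198.51.100.7:1024.
    print(scenario(("10.0.0.5", 500), ("198.51.100.7", 1024)))
    # No translation on the path while the provider drops ESP.
    print(scenario(("192.0.2.20", 500), ("192.0.2.20", 500)))
```

The second scenario is the failure case from the post: with no NAT detected the peers stay on native ESP, so a provider that drops ESP breaks the data plane even though IKE completes.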
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...