cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
669
Views
10
Helpful
5
Replies

VPN Client and ACL

pdriscoll
Level 1
Level 1

Hello. I am trying to set up a VPN connection between a Cisco VPN client and a Cisco 3640 using EZ VPN Server. I have a simple ACL on the inbound 3640 interface that reads:

permit udp any host x.x.x.x eq isakmp

permit esp any host x.x.x.x

permit udp any host x.x.x.x eq 4500

permit tcp any host x.x.x.x eq 10000

This is the only ACL on the 3640 interface.

When I configure the client to connect using Enable Transparent Tunneling -IPSec over UDP (NAT/PAT), I can connect the tunnel. When I select Enable Transparent Tunneling -IPSec over TCP - Port 10000, I cannot connect the tunnel.

Is the problem with the ACL or something else?

Thanks.

5 Replies 5

ajagadee
Cisco Employee
Cisco Employee

Patrick,

The problem most likely is not your ACL. Since you mentioned 3640, my guess is you are running 12.4T Code and the feature that you are looking for wasnt introduced until 12.4(9)T.

IPSec Over TCP feature on routers was introduced in 12.4(9)T. The command that you should be looking for is "crypto

ctcp port [port-number]".

Please refer the below URL for details:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a008055c37a.html#wp1305478

Let me know if it helps.

Regards,

Arul

Arul - thanks for the reply.

We are running 14.4(10). Cannot find the ctcp port-number command, either under conf or int or crypto map mode. Please advise. Thanks.

Patrick,

I think you wanted to type 12.4(10)instead of 14.4(10).

12.4(9)T is part of 12.4T Train code. What you are running currently on the router is a Mainline Code. If you notice, there is no "T" in the version of code that you are running. You may have to upgrade the chassis to 12.4(9)T.

But unfortunately, there is no support of 12.4T Train code on the 3640 and you cannot upgrade the code.

Please refer the below EoS URL that discusses the End Of Software Maintenance Releases for the 3640.

http://www.cisco.com/en/US/products/hw/routers/ps274/prod_eol_notice09186a008032d840.html

So, in your case.. you need to terminate the VPN Client on a different chassis that supports the IPSEC Over TCP feature. For example: VPN3000, Pix 7.0, ASA 7.0 or Router Platform that supports 12.4(9)T Code.

Let me know if it helps.

Regards,

Arul

Thanks for your reply.

If that is the case, can I assume that we can use the IPSec over TCP/UDP port 500 connection? It seems to connect, but we cannot pass traffic over it.

Patrick,

In your case, you should be able to IPSec Over UDP. In this case, the IKE packets uses UDP 500 and IPSEC ESP Packets are wrapped into UDP 4500.

If you can connect and not pass any traffic. The issue may be related to the configuration on the router or specific the user.

Regards,

Arul

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: