10-12-2006 07:21 AM
Hello. I am trying to set up a VPN connection between a Cisco VPN client and a Cisco 3640 using EZ VPN Server. I have a simple ACL on the inbound 3640 interface that reads:
permit udp any host x.x.x.x eq isakmp
permit esp any host x.x.x.x
permit udp any host x.x.x.x eq 4500
permit tcp any host x.x.x.x eq 10000
This is the only ACL on the 3640 interface.
When I configure the client to connect using Enable Transparent Tunneling - IPSec over UDP (NAT/PAT), I can connect the tunnel. When I select Enable Transparent Tunneling - IPSec over TCP - Port 10000, I cannot connect the tunnel.
Is the problem with the ACL or something else?
Thanks.
10-12-2006 10:12 AM
Patrick,
The problem most likely is not your ACL. Since you mentioned 3640, my guess is you are running 12.4T code and the feature that you are looking for wasn't introduced until 12.4(9)T.
The IPSec over TCP feature on routers was introduced in 12.4(9)T. The command that you should be looking for is "crypto ctcp port [port-number]".
Please refer to the URL below for details:
Let me know if it helps.
Regards,
Arul
10-12-2006 12:11 PM
Arul - thanks for the reply.
We are running 14.4(10). Cannot find the ctcp port-number command, either under conf or int or crypto map mode. Please advise. Thanks.
10-12-2006 01:51 PM
Patrick,
I think you wanted to type 12.4(10) instead of 14.4(10).
12.4(9)T is part of 12.4T Train code. What you are running currently on the router is a Mainline Code. If you notice, there is no "T" in the version of code that you are running. You may have to upgrade the chassis to 12.4(9)T.
But unfortunately, there is no support of 12.4T Train code on the 3640 and you cannot upgrade the code.
Please refer to the EoS URL below that discusses the End of Software Maintenance Releases for the 3640.
http://www.cisco.com/en/US/products/hw/routers/ps274/prod_eol_notice09186a008032d840.html
So, in your case, you need to terminate the VPN Client on a different chassis that supports the IPSec over TCP feature. For example: VPN3000, PIX 7.0, ASA 7.0 or a router platform that supports 12.4(9)T code.
Let me know if it helps.
Regards,
Arul
10-13-2006 06:52 AM
Thanks for your reply.
If that is the case, can I assume that we can use the IPSec over TCP/UDP port 500 connection? It seems to connect, but we cannot pass traffic over it.
10-13-2006 08:11 AM
Patrick,
In your case, you should be able to use IPSec over UDP. In this case, the IKE packets use UDP 500 and IPSec ESP packets are wrapped into UDP 4500.
If you can connect but not pass any traffic, the issue may be related to the configuration on the router or specific to the user.
Regards,
Arul
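The two things the thread turns on are the inbound ACL posted in the first message and the per-mode port usage Arul describes in his last reply (IKE on UDP 500, NAT-T keeping IKE and ESP in UDP 4500, and IPSec over TCP on port 10000). The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for IOS-style ACL lines that reports which of a VPN Client transparent-tunneling mode's flows an ACL fails to permit. The router address 198.51.100.1 and client address 203.0.113.7 are assumed placeholders for the thread's x.x.x.x; the TCP port is the default 10000 the poster used. Run against the posted ACL it permits every mode, which is exactly why the ACL is not the cause here; it cannot tell you whether the platform supports cTCP, which is the thread's real finding.

```python
"""Check whether an IOS-style inbound ACL permits the flows each Cisco VPN Client
transparent-tunneling mode needs. Added example, not code from the thread; the
addresses below are assumed placeholders for the poster's x.x.x.x."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known port names IOS accepts in place of numbers (subset).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# Flows per client mode as (protocol, destination port); None means "no port".
# The TCP port is whatever the client and server were configured with (10000 here).
MODE_FLOWS = {
    "none": [("udp", 500), ("esp", None)],            # IKE, then raw ESP
    "ipsec_over_udp": [("udp", 500), ("udp", 4500)],  # IKE, then NAT-T wraps IKE and ESP in UDP 4500
    "ipsec_over_tcp": [("tcp", 10000)],               # IKE and ESP both carried in TCP 10000
}

AddrSpec = Tuple[int, int]  # (network as int, wildcard mask as int); any = (0, 0xFFFFFFFF)


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp", "tcp", "esp", ...
    src: AddrSpec
    sport: Optional[int]   # parsed so the destination tokens are found; not modelled
    dst: AddrSpec
    dport: Optional[int]


def _addr(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.ip_address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(toks[i])), int(ipaddress.ip_address(toks[i + 1]))), i + 2


def _port(toks, i):
    """Parse an optional 'eq PORT' qualifier starting at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one '<permit|deny> <proto> <src> [eq p] <dst> [eq p]' line."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, i = _addr(toks, 2)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return Ace(action, proto, src, sport, dst, dport)


def _addr_match(spec: AddrSpec, ip: str) -> bool:
    """Wildcard-mask match: bits set in the mask are don't-care bits."""
    net, wild = spec
    return ((int(ipaddress.ip_address(ip)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def permitted(acl, proto, src_ip, dst_ip, dport) -> bool:
    """First-match evaluation with the implicit deny at the end of the ACL."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.sport is not None:          # source-port qualifiers are not modelled
            continue
        if not (_addr_match(ace.src, src_ip) and _addr_match(ace.dst, dst_ip)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def missing_flows(acl_text: str, mode: str, client_ip: str, server_ip: str):
    """Return the (proto, port) flows of `mode` that `acl_text` does not permit."""
    acl = [parse_ace(l) for l in acl_text.strip().splitlines() if l.strip()]
    return [(p, port) for p, port in MODE_FLOWS[mode]
            if not permitted(acl, p, client_ip, server_ip, port)]


# The ACL from the thread, with assumed placeholder addresses.
SERVER = "198.51.100.1"
CLIENT = "203.0.113.7"
POSTED_ACL = f"""
permit udp any host {SERVER} eq isakmp
permit esp any host {SERVER}
permit udp any host {SERVER} eq 4500
permit tcp any host {SERVER} eq 10000
"""


def check_posted_acl():
    return {mode: missing_flows(POSTED_ACL, mode, CLIENT, SERVER) for mode in MODE_FLOWS}


if __name__ == "__main__":
    for mode, missing in check_posted_acl().items():
        print(f"{mode:15s} {'ok' if not missing else 'missing ' + str(missing)}")
```

With the posted ACL every mode reports "ok"; drop the `permit tcp ... eq 10000` line, or put a `deny` for it ahead of the permits, and only `ipsec_over_tcp` reports a missing flow, which is the kind of result that would have pointed at the ACL. Since the check passes here, the remaining suspects are what Arul named: the platform's lack of `crypto ctcp`, and then router or user configuration for the no-traffic symptom.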