Cisco Support Community
New Member

VPN client with transport tunneling IPSEC over TCP not working

 

 Hi Everyone,

 

VPN client is working fine with transport tunneling IPSEC over UDP.

I did a test to see if it works when I selected VPN client with IPSEC over TCP.

Under group policy I disabled the IPSEC over UDP and selected UP port 10000

But VPN connection did not work.

What should I do to make VPN work using IPSEC over TCP?

Regards

Mahesh

 

10 REPLIES
Silver

On the server you have to give the command to make ipsec work over tcp

Router(config)# crypto ctcp port 10000

 

HTH

 

New Member


Hi Poonam,

 

On ASA

 

ASA1(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Certification authority
ASA1(config)# crypto  ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters
ASA1(config)# crypto  ipsec

 

There is no command with ctcp?

 

Regards

Mahesh

Silver

Hello Mahesh,

My mistake, that command works on the router.

To enable IPsec over TCP globally on the security appliance, enter the following command:

crypto isakmp ipsec-over-tcp [port port 1...port0]

This example enables IPsec over TCP on port 45:

hostname(config)# crypto isakmp ctcp port 45

Refer to this document.

 

New Member


Hi Poonam,

 

ASA1(config)# crypto isakmp ?

configure mode commands/options:
  disconnect-notify  Enable disconnect notification to peers
  identity           Set identity type (address, hostname or key-id)
  nat-traversal      Enable and configure nat-traversal
  reload-wait        Wait for voluntary termination of existing connections
                     before reboot


Still no luck

 

Regards

Mahesh

New Member

Please check whether the current version supports this feature.

New Member

It is 9.1(1).

Silver

Mahesh,

You have to use "crypto ikev1 ipsec-over-tcp port 10000"

as crypto isakmp ipsec-over-tcp works on images below 8.3

 

HTH

 

New Member

Hi Poonam,

I configured


ASA1(config)# crypto ikev1 ipsec-over-tcp port 10000


After this I was able to connect with IPSEC over TCP fine.

Need to know one more thing: even though I did the above config, if I use IPSEC over UDP on the user PC VPN client it still works.

Need to know how IPSEC over UDP also works with the above config on the ASA?

Regards

Mahesh

Silver

Hello Mahesh,

The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal, and IPsec over UDP, depending on the client with which it is exchanging data. IPsec over TCP, if enabled, takes precedence over all other connection methods. Refer to this document.

 

HTH

 

"Please do rate helpful posts"
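
An added example, not part of the original thread and not Cisco tooling: a small Python audit that reads ASA running-config text and reports which of the encapsulations named in the reply above (IPsec over TCP, NAT-Traversal, per-group IPsec over UDP) are configured side by side. The sample config, the group-policy names and the `audit_transports` helper are constructed for illustration.

```python
import re

# Constructed sample of ASA running-config lines (not taken from the thread).
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto isakmp nat-traversal 20
group-policy RA-USERS internal
group-policy RA-USERS attributes
 ipsec-udp enable
 ipsec-udp-port 10000
group-policy RA-TCP-ONLY internal
group-policy RA-TCP-ONLY attributes
 ipsec-udp disable
"""

# Both command spellings from the thread: "crypto ikev1 ..." and "crypto isakmp ...".
TCP_RE = re.compile(r"crypto (?:ikev1|isakmp) ipsec-over-tcp port ([\d ]+)$")
GROUP_RE = re.compile(r"group-policy (\S+) attributes$")
UDP_RE = re.compile(r" ipsec-udp (enable|disable)$")
UDP_PORT_RE = re.compile(r" ipsec-udp-port (\d+)$")

def audit_transports(config):
    """Return the IPsec encapsulations the given config text enables."""
    found = {"ipsec_over_tcp_ports": [], "nat_traversal": False, "ipsec_udp": {}}
    group = None  # group-policy whose attributes sub-mode we are inside
    for line in config.splitlines():
        line = line.rstrip()
        if line and not line.startswith(" "):
            group = None  # any top-level line leaves the sub-mode
        if m := TCP_RE.match(line):
            found["ipsec_over_tcp_ports"] += [int(p) for p in m.group(1).split()]
        elif line.startswith("crypto isakmp nat-traversal"):
            found["nat_traversal"] = True
        elif m := GROUP_RE.match(line):
            group = m.group(1)
            # None means "not set in this group-policy" (value is inherited).
            found["ipsec_udp"][group] = {"enabled": None, "port": None}
        elif group and (m := UDP_RE.match(line)):
            found["ipsec_udp"][group]["enabled"] = m.group(1) == "enable"
        elif group and (m := UDP_PORT_RE.match(line)):
            found["ipsec_udp"][group]["port"] = int(m.group(1))
    return found

if __name__ == "__main__":
    report = audit_transports(SAMPLE_CONFIG)
    print("IPsec over TCP ports:", report["ipsec_over_tcp_ports"] or "disabled")
    print("NAT-Traversal:", report["nat_traversal"])
    for name, udp in report["ipsec_udp"].items():
        print(f"group-policy {name}: IPsec over UDP {udp}")
```

Each port or group the report lists is a listener or encapsulation the perimeter filters have to account for, so the output is worth comparing against what the VPN clients actually need.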

New Member

Many thanks Poonam

Mahesh
