Solved: VPN ipsec and port 500

mahesh18 · ‎04-25-2014

Hi Everyone,

I connected to VPN IPSEC RA connection.

Connection works fine.

Here is setup

PC---R1----R2--R3--------------ISP----------------ASA

I check on R3

R3 CBAC is configured.

R3# sh ip inspect sessions | inc 96.51.x.x
Session 65719DB4 (192.168.98.6:59936)=>(96.51.x.x:4500) udp SIS_OPEN

When ipsec vpn connection is established it only shows that it is connected on port 4500 not 500?

is this default behaviour?

Initally when it was establishing theVPN connection it was showing both udp 500 and 4500 ports.

Regards

MAhesh

David_Che · ‎04-25-2014

There is NAT/PAT in between R3 and ASA. as you use private IP address(192.168.98.6) to setup the ipsec session. IKE will detect NAT/PAT exist by NAT-D payload. IKE will use UDP 4500 to negotiate ISAKMP rather than UDP 500. Afterwards, ESP traffic is also encapsulated in UDP 4500, in this way it can traverse NAT/PAT safely.

So this behavior is expected.

View solution in original post

David_Che · ‎04-25-2014

You can refer this RFC for more details: UDP Encapsulation of IPsec ESP Packets

http://www.ietf.org/rfc/rfc3948.txt.pdf

View solution in original post

David_Che · ‎04-25-2014

There is NAT/PAT in between R3 and ASA. as you use private IP address(192.168.98.6) to setup the ipsec session. IKE will detect NAT/PAT exist by NAT-D payload. IKE will use UDP 4500 to negotiate ISAKMP rather than UDP 500. Afterwards, ESP traffic is also encapsulated in UDP 4500, in this way it can traverse NAT/PAT safely.

So this behavior is expected.

mahesh18 · ‎04-25-2014

Hi David_che

Thanks for the reply.

If you can explain in detail that will be much appreciated.

Regards

MAhesh

David_Che · ‎04-25-2014

You can refer this RFC for more details: UDP Encapsulation of IPsec ESP Packets

http://www.ietf.org/rfc/rfc3948.txt.pdf

mahesh18 · ‎04-26-2014

Thanks David

MAhesh