04-25-2014 08:40 PM - edited 02-21-2020 07:37 PM
Hi Everyone,
I connected to a VPN IPsec RA connection.
Connection works fine.
Here is the setup:
PC---R1----R2--R3--------------ISP----------------ASA
I checked on R3.
R3 has CBAC configured.
R3# sh ip inspect sessions | inc 96.51.x.x
Session 65719DB4 (192.168.98.6:59936)=>(96.51.x.x:4500) udp SIS_OPEN
When the IPsec VPN connection is established, it only shows that it is connected on port 4500, not 500?
Is this the default behaviour?
Initially, when it was establishing the VPN connection, it was showing both UDP 500 and 4500 ports.
Regards
Mahesh
04-25-2014 11:38 PM
There is NAT/PAT in between R3 and the ASA, as you use a private IP address (192.168.98.6) to set up the IPsec session. IKE will detect that NAT/PAT exists by the NAT-D payload. IKE will then use UDP 4500 to negotiate ISAKMP rather than UDP 500. Afterwards, ESP traffic is also encapsulated in UDP 4500; in this way it can traverse NAT/PAT safely.
So this behavior is expected.
04-25-2014 11:57 PM
You can refer to this RFC for more details: UDP Encapsulation of IPsec ESP Packets
http://www.ietf.org/rfc/rfc3948.txt.pdf
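To make the two mechanisms in the answer above concrete, here is an added example (not code from the thread or from Cisco): it computes an RFC 3947 NAT-D hash to show why the ASA concludes a NAT sits in the path when the peer's hash was built from 192.168.98.6, and it demultiplexes UDP 4500 payloads the way RFC 3948 defines them (NAT-keepalive, IKE behind the Non-ESP marker, or ESP). The SHA-1 hash, the cookies, the public address 203.0.113.10 and the packet bytes are all constructed for illustration; a real peer uses the hash negotiated in IKE phase 1.

```python
import hashlib
import struct

# RFC 3948 framing on UDP 4500 (assumed constants, taken from the RFC text)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # section 2.2: 4 zero octets, then an IKE message
NAT_KEEPALIVE = b"\xff"                # section 2.3: single 0xFF octet, no IKE/ESP inside


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    SHA-1 is assumed here; in practice it is the phase 1 hash algorithm.
    """
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_detected(peer_hash: bytes, seen_ip: str, seen_port: int,
                 cky_i: bytes, cky_r: bytes) -> bool:
    """A receiver recomputes NAT-D over the source address it actually sees.

    A mismatch means the address was rewritten in transit, so both peers
    float IKE to UDP 4500 and encapsulate ESP in UDP (hence the CBAC session
    on 4500 only, once the exchange has completed).
    """
    return peer_hash != nat_d_hash(cky_i, cky_r, seen_ip, seen_port)


def classify_udp4500(payload: bytes) -> str:
    """Classify a UDP 4500 payload as a NAT-T peer (or an inspector) would."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"            # ISAKMP header starts at offset 4
    return "esp"                # first 4 octets are the ESP SPI


def esp_spi(payload: bytes) -> int:
    """Return the SPI of an ESP-in-UDP payload (RFC 3948 section 2.1)."""
    if classify_udp4500(payload) != "esp":
        raise ValueError("not an ESP-in-UDP payload")
    return struct.unpack("!I", payload[:4])[0]


if __name__ == "__main__":
    # Constructed sample: client built NAT-D from its private 192.168.98.6:500,
    # the ASA sees the packet arrive from the PAT address 203.0.113.10:59936.
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    client_nat_d = nat_d_hash(cky_i, cky_r, "192.168.98.6", 500)
    print("NAT in path:", nat_detected(client_nat_d, "203.0.113.10", 59936, cky_i, cky_r))
    print(classify_udp4500(b"\xff"), classify_udp4500(NON_ESP_MARKER + b"\x11" * 28))
```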
04-25-2014 11:42 PM
Hi David_che,
Thanks for the reply.
If you can explain in more detail, that will be much appreciated.
Regards
Mahesh
04-26-2014 08:43 AM
Thanks David.
Mahesh