IPSec VPN Questions

Lifeisbeautiful — Fri, 21 Feb 2020 14:57:24 GMT

Hello Everyone,

Greetings !!

I have some questions in my mind and I was hopeing if you guys can answer.

1) Say you have to create IPSEC VPN between two FW, but say FW 1 sit behind NAT device and you need to enable NAT-T on it but FW2 has direct connection to internet (it does not site behind NAT) , so if I think you dont need to enable NAT-T on FW2. Will it work if you have FW1 NAT-T enabled and FW2 no NAT-T ? Or do you have to enable NAT-T on both FWs, will it be a problem?

2) If see message "Jun 09 12:11:32 [IKEv1]IP = X.X.X.X, Maximum concurrent IKE negotiations exceeded" , when can we expect this message and if we can fix this error

3) If you enable DPD on on FW and on the other firewall if you disable DPD, will it cause issues for the tunnel or will it be ok.

Thanks in advance.

Maria

Re: IPSec VPN Questions

Murali — Thu, 14 Dec 2017 01:06:07 GMT

1) For NAT-T to work both ends should be enabled

https://supportforums.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442

2) sounds like a capacity issue

3) DPD should be enabled on both sides.

Thank You

Murali.

~Impossible is often the untried

topic Re: IPSec VPN Questions in Network Security

IPSec VPN Questions

Re: IPSec VPN Questions