Using UDP 4500 even with no NAT

slewe · ‎01-14-2005

Is there a way to force ESP to use udp 4500 on a Pix or IOS Router even though there is no NAT/PAT between the two VPN endpoints? It seems that even thought I hard code udp-encapsulation, it still uses ESP because NAT/PAT is not detected.

ehirsel · ‎01-16-2005

What version of pix code and ios code are you using? Is there another type of vpn endpoint that is not running ios or pix code that you are testing with, such as a Linksys router? Or are the two endpoints using only pix and/or ios code?

slewe · ‎01-17-2005

I am using Pix 6.3.4 and IOS 12.3.12. No other endpoints at this time. Just the Pix and IOS router.

ehirsel · ‎01-18-2005

This URL is helpful in describing how NAT-T works.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html#1049093

Basically nat-d packets are used to detect whether or not a nat/pat devices exists and only if one does exisit, detected by comparing hash-values, is nat-traversal used, otherwise it is not.

Thus according to the standard, using udp port 4500 will only be done if there is a nat/pat device otherwise the standard ESP protocol (id=50) is used.

Let me know if you need more help.

slewe · ‎01-18-2005

Thanks! That answers my question.