
IPSEC (NAT-T/UDP/TCP)

kamal-learn
Level 4

Hi guys,

I've read somewhere that when all options (NAT-T, TCP, UDP) are enabled for transporting IPSEC traffic, especially when dealing with PAT, the one that takes precedence is IPSEC/TCP.

However, when doing some assessments I found out that the answer was NAT-T. Is that correct? Please clarify that for me.

Thanks in advance

2 Replies

Andrew von Nagy
Level 1

My understanding is that IPSec over TCP is preferred when remote clients are traversing a stateful firewall. This is because the stateful firewall can keep track of the TCP session state much better than it can a UDP traffic flow. Also, stateful firewalls are usually configured with a higher session timeout (inactivity) when TCP is in use rather than when UDP is in use.

For remote access VPNs, I have been using TCP without issue. I tried UDP for a while just to compare, and if I let it sit inactive for just a few minutes I would get disconnected. Very annoying.

Andrew

Thanks AndrewvonNagy.

Yes indeed, I know that when using a stateful firewall the correct way to go is to use IPSEC/TCP; IPSEC/UDP will not work. But maybe I didn't clarify my question in my first post, so the situation is exactly this: you have a 3000 series VPN concentrator, and you configured on it the three options NAT-T, IPSEC/TCP, IPSEC/UDP. Which among them will the VPN use? Certainly it will give precedence to only one, so which one?

Thanks
