cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
674
Views
0
Helpful
2
Replies

IPSEC (NAT-T/UDP/TCP)

kamal-learn
Level 4
Level 4

hi guys

i ve read somewhere that when all options (NAT-T TCP UDP)are enabled for transporting IPSEC traffic especialy when dealing with PAT, the one that take precedence is the IPSEC/TCP,

however when doing some assessements I find out that the answer were NAT-T is that correct please clarify me that ?

thanks in advance

2 Replies 2

Andrew von Nagy
Level 1
Level 1

My understanding is that IPSec over TCP is preferred when remote clients are traversing a stateful firewall. This is because the stateful firewall can keep track of the TCP session state much better than it can a UDP traffic flow. Also, stateful firewalls are usually configured with a higher session timeout (inactivity) when TCP is in use rather than when UDP is in use.

For remote access VPNs, I have been using TCP without issue. I tried UDP for a while just to compare, and if I let it sit inactive for just a few minutes I would get disconnected. Very annoying.

Andrew

thanks AndrewvonNagy ..

yes indeed i know that when using statefull firewall the correct way to go is to use IPSEC/TCP , IPSEC/UDP will not work. but may be i didnt clarify my question in my first post so the situation is here exactly , you have a 3000 series VPN concentrator , you configured on it the tree option NAT-T IPSEC/TCP IPSEC/UDP what amoung them the VPN will use ? certainly the it will give precedence to only one so which one ??

thanks