10-08-2006 08:10 PM - edited 02-21-2020 02:39 PM
Hi guys,
I've read somewhere that when all options (NAT-T, TCP, UDP) are enabled for transporting IPSEC traffic, especially when dealing with PAT, the one that takes precedence is IPSEC/TCP.
However, when doing some assessments I found out that the answer was NAT-T. Is that correct? Please clarify that for me.
Thanks in advance.
10-08-2006 08:50 PM
My understanding is that IPSec over TCP is preferred when remote clients are traversing a stateful firewall. This is because the stateful firewall can keep track of the TCP session state much better than it can a UDP traffic flow. Also, stateful firewalls are usually configured with a higher session timeout (inactivity) when TCP is in use rather than when UDP is in use.
For remote access VPNs, I have been using TCP without issue. I tried UDP for a while just to compare, and if I let it sit inactive for just a few minutes I would get disconnected. Very annoying.
Andrew
10-08-2006 10:26 PM
Thanks AndrewvonNagy.
Yes indeed, I know that when using a stateful firewall the correct way to go is to use IPSEC/TCP; IPSEC/UDP will not work. But maybe I didn't clarify my question in my first post, so here is the situation exactly: you have a 3000 series VPN concentrator and you have configured on it the three options NAT-T, IPSEC/TCP and IPSEC/UDP. Which among them will the VPN use? Certainly it will give precedence to only one, so which one?
Thanks