961 Views | 0 Helpful | 1 Replies

IPsec over TCP

russkwong
Level 1

Dear Sir/Madam,

I have a problem: when I connect to the VPN through IPsec over TCP, I get disconnected around 30s after the connection is established.

The following is my situation:

VPN client --> SSG(PAT) --> Internet --->VPN 3020

I found the following in some documentation:

===========================

IPSec over TCP

IPSec over TCP allows VPN clients to operate in networks where standard ESP (Protocol 50) or IKE (UDP 500) can’t operate because the ports are blocked or they can only function by modifying the existing firewall rules. IPSec over TCP enables secure tunneling through both NAT and PAT devices, as well as firewalls by encapsulating both the IKE and IPSec protocols within TCP packets.

IPSec over TCP is a client-to-Concentrator feature, which supports both the VPN software client and the VPN 3002 hardware client. It doesn’t work for LAN-to-LAN connections. IPSec over TCP works only on the public interface of the VPN devices. To use IPSec over TCP, both the VPN Concentrator and the client must do the following:

Note: IPSec over TCP doesn't work with proxy-based firewalls.

============================

I have some questions about the following:

1) Does "secure tunneling through NAT/PAT devices" refer to the client side?

2) IPSec over TCP works only on the public interface of the VPN device (does this mean the client must have a public IP?)

3) Is the SSG a proxy-based firewall?

Regards

Russ

1 Reply

Jennifer Halim
Cisco Employee

1) Means any NAT/PAT device along the path between the VPN Client and the VPN server. In your case, it's client side.

2) The vpn client itself does not have to have a public IP configured on its host, however, it would need to be NATed/PATed to a public IP before reaching the Internet.

3) I believe SSG is a Juniper firewall. It depends on whether the proxy feature is enabled on the firewall or not. As long as it doesn't proxy TCP/10000, it's OK.