02-12-2008 09:03 AM - edited 02-21-2020 03:33 PM
Hi, I'm configuring an IPsec VPN infrastructure with an ASA5510 for around 100 concurrent Cisco VPN Clients, and I'm wondering which of the two IPsec tunneling techniques (IPsec over UDP or IPsec over TCP) would be best for serving my users. I want the solution that will minimize the number of calls received by the helpdesk. Thanks
02-12-2008 10:18 AM
Just enable NAT-T. There will be no additional configuration needed on the VPN client.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1120836
02-12-2008 12:14 PM
I already know all this stuff, but the real question is the following: is it better to use IPsec over UDP or IPsec over TCP? I've seen somewhere that IPsec over UDP was not compatible with stateful firewalls. I just want to be sure I take the right decision... but NAT-T is not part of my choice.... thanks!!
02-12-2008 12:28 PM
A stateful firewall has no means to keep track of a UDP session. All it can do is look at the session and time it out if it sees no traffic for a specified amount of time. As for a TCP session, the stateful firewall can reset the session and track its session numbers. That is the only difference between the two. TCP would be the more secure of the two with respect to session observation...
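As an added illustration (not from this thread or Cisco's documentation), here is an ASA 7.2-style configuration fragment placing the three transports the thread compares side by side, so the port each one needs through an intermediate firewall is explicit. The group-policy name `RA-GP`, the keepalive interval and the port values are assumed; the default ports are shown.

```text
! Option 1: NAT-T. IKE detects NAT on the path and, only then, moves
! ESP into UDP/4500. Nothing to configure on the VPN Client.
! Firewall must permit UDP/500 and UDP/4500.
crypto isakmp nat-traversal 20
!
! Option 2: IPsec over UDP, enabled per group policy ("RA-GP" is an
! assumed name). ESP is always wrapped in UDP on the chosen port.
! Firewall must permit UDP/500 and UDP/10000 (default port).
group-policy RA-GP internal
group-policy RA-GP attributes
 ipsec-udp enable
 ipsec-udp-port 10000
!
! Option 3: IPsec over TCP, global. ESP and IKE are carried inside a
! TCP connection, so a stateful firewall sees an ordinary TCP flow.
! The VPN Client must be set to TCP on the same port.
! Firewall must permit TCP/10000 (default port).
crypto isakmp ipsec-over-tcp port 10000
```

Only one encapsulation applies to a given client at a time, and the client-side path must allow the corresponding port or the tunnel will not come up regardless of the ASA setting.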