IPSEC through NAT (UDP encapsulated - cisco VPN 3000 series and WinRoute)

mike.nguyen
Level 1

Hi,

Does anyone know if it's possible to have multiple simultaneous IPSEC through NAT tunnels behind a PAT device? The PAT device that I'm referring to is actually a software router/firewall called WinRoute that runs on a separate PC. WinRoute supposedly NATs UDP traffic. One end of the tunnel is a Cisco VPN 3000 concentrator and the other end(s) are remote PCs running the Cisco VPN 3000 software client. The remote PCs are behind the WinRoute machine. I can get the first tunnel up just fine but could not get a second tunnel up from another PC. Is there some configuration that I must perform on the concentrator, or does someone know about a problem with WinRoute?

thanks,

Mike

4 Replies

mike.nguyen
Level 1

I found out that WinRoute does not perform PAT of UDP/500 to a unique port number for each simultaneous connection. The VPN concentrator will not be able to distinguish the different connections because the source addresses for all connections will be the same external IP address with the same UDP port number (500). IKE will not work for more than one connection.

Does anyone know if the Cisco VPN software client can be tricked into initiating the IKE process from a source UDP port higher than 1023? I wonder if doing this will trick WinRoute into PAT'ing outbound UDP/500 packets with a unique UDP source port number for each connection.

Any info would be greatly appreciated.

Mike
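
An added illustration of the collision Mike describes (example code, not from the thread, Cisco or WinRoute): a toy PAT table modelled two ways, one that leaves UDP/500 unchanged for every inside host, and one that allocates a unique outside port per inside host, viewed from the concentrator side, which can only key IKE sessions on the (source IP, source port) it sees. Addresses and the alternate client port are constructed placeholders.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed model of the thread's setup: two inside PCs each starting IKE
# (UDP/500) through one PAT device toward one VPN concentrator.
INSIDE_PCS = ["192.168.1.10", "192.168.1.11"]  # placeholder RFC 1918 hosts
PAT_EXTERNAL_IP = "203.0.113.5"                # placeholder public address
IKE_PORT = 500


@dataclass
class PatDevice:
    """Minimal PAT table: (inside_ip, inside_port) -> outside port."""
    external_ip: str
    rewrite_privileged_ports: bool  # False models the WinRoute behaviour Mike reports
    table: dict = field(default_factory=dict)
    _next_port: count = field(default_factory=lambda: count(1024))

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            if inside_port < 1024 and not self.rewrite_privileged_ports:
                # Port preserved: every inside host collapses onto one outside tuple.
                self.table[key] = inside_port
            else:
                # Proper PAT: hand out a fresh outside port per inside flow.
                self.table[key] = next(self._next_port)
        return (self.external_ip, self.table[key])


def concentrator_view(pat, inside_pcs, src_port=IKE_PORT):
    """The set of (ip, port) tuples the concentrator can distinguish IKE peers by."""
    return {pat.translate(ip, src_port) for ip in inside_pcs}


def distinct_sessions(pat, inside_pcs, src_port=IKE_PORT):
    """How many separate IKE peers the concentrator sees behind this PAT device."""
    return len(concentrator_view(pat, inside_pcs, src_port))


if __name__ == "__main__":
    for rewrite in (False, True):
        pat = PatDevice(PAT_EXTERNAL_IP, rewrite_privileged_ports=rewrite)
        print(f"rewrite UDP/500: {rewrite} ->",
              f"{distinct_sessions(pat, INSIDE_PCS)} distinguishable IKE peer(s)")
```

The third check below models Mike's workaround idea (a client source port above 1023) inside this toy PAT only; it says nothing about whether WinRoute or the Cisco client actually behave that way.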

ushafiq
Level 1

IPSec through NAT, a feature on the VPN 3000, can be used in this situation. It wraps the IKE and IPSec packets in UDP packets; multiple clients behind a PAT device will work fine.

Maybe I wasn't clear in the original post: IPSec through NAT is currently being used; however, no more than one IPSec through NAT connection can be set up to go through the PAT device. FYI, IKE already uses UDP/500, so it doesn't need to be further wrapped up in UDP.

mike.nguyen
Level 1

Well, what do you know, release 3.5 for the VPN 3000 series just came out, and this version supports IPSec over TCP (both IKE and ESP). This should resolve my issue, hopefully.