cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
507
Views
0
Helpful
2
Replies

Is IPSec over UDP through an existing IPSec SA doable?

paul.m.phelps
Level 1
Level 1

I have an existing IPSec SA established between a Cisco VPN 3002 Hardware Client and a Cisco VPN 3000 Concentrator. A user behind the VPN 3002 device has a laptop with Cisco VPN Client Software and is attempting to establish an IPSec over UDP sesson to a Concentrator behind our VPN 3000. The IPSec over UDP session is not being established. Is this doable? Is it possible to setup IPSec encapsulation within an IPSec encapsulation session? Thanks in advance for any responses.

2 Replies 2

nefkensp
Level 5
Level 5

Technically it should be possible, if access-lists permit udp and esp traffic through the IPSEC tunnel (both on the hw client and concentrator1)

Make sure that the VPN HW Client is connected in network-extension mode.

Then, set the MTU size on the outer concentrator (the one you're connecting to) to a lower value, for example 1326. Usually ethernet packets have an MTU of 1500. When these packets flow through a tunnel, the packets are encapsulated within a tunnel-specific packet.

So, if you're going to encapsulate an ISPEC tunnel inside another one, make sure that the packetsize of the inner-most packet (e.g. the VPN Client software) sends data with an MTU size that is accepted by the tunnel between the 3002 and the concentrator.

If this doesn't work, it might be possible that the nat-traversal detection mechanism "sees" that no nat is in place and therefore uses ESP to encapsulate the traffic. You can bypass this by enabling IPSEC over TCP on the concentrator (and VPN SW client)

Hope this helps you a bit under way

Pieter-Jan

PS: Is there a reason why you'd like to encrypt an IPSEC tunnel within another tunnel?

Thanks for your feedback. Greatly appreciated.

Got pulled away on some other network issues that came up but am still planning to get back to this one soon. Will send some feedback when I get it working.

Regarding the double IPSec tunnel question, we're a military organization and we require our small remote office (ISP DSL modem) to connect to us via IPSec to get to our resources. A user at the remote office also has his own requirement to connect via IPSec over UDP to a different set of resources elsewhere within the military. This reminds me that I need to look at ports within firewalls along the way too.