06-15-2012 08:56 AM
Hi Guys,
When using the EZVPN IOS client, is there a way to force it to use NAT-T?
I know it automatically uses NAT-T if it detects NAT in the network, however can you force it to use NAT-T even without a NAT?
Cheers
Scott
06-15-2012 10:25 AM
Hi Scott,
Yes, you can.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1049093
crypto ipsec nat-transparency udp-encapsulation
Hope that helps.
Thanks
Rizwan Rafeek
06-15-2012 12:04 PM
Hi Rizwan,
I tried that command; however, this is on automatically in 12.4T code, hence it is still using the auto-detect feature rather than forcing NAT-T.
Cheers
06-19-2012 06:30 PM
Hi all,
Cisco devices use NAT-T detection by default, and you cannot disable this behaviour, as it saves overhead by not encapsulating packets in UDP while there are no NAT devices in between. So the proper way is to use NAT-T. But the software clients don't support NAT-T and work directly using UDP encapsulation.
By default, the Easy VPN hardware client and server encapsulate IPSec in User Datagram Protocol (UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices, prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to encapsulate IPSec within TCP packets to enable secure tunneling. If your environment allows UDP, however, configuring IPSec over TCP adds unnecessary overhead.
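The following IOS CLI fragment is an added example, not part of any post in this thread or Cisco documentation. It shows, side by side, the NAT-T setting discussed above (auto-detected; the command only enables the capability, it does not force UDP encapsulation when no NAT is detected) and the IPsec-over-TCP (cTCP) alternative described in the last post, on an Easy VPN server and an Easy VPN remote. The profile name `EZVPN-HQ`, the group `REMOTES`, the TCP port `10000`, the peer address and the interface names are assumptions; the `ctcp` commands exist only on releases that include cTCP support, so check `?` on your own image before relying on them.

```text
! ---- Easy VPN server (IOS head end) ----
! NAT-T: on by default in 12.4T; keeping it explicit documents intent.
! The router still only UDP-encapsulates when NAT is detected in IKE.
crypto ipsec nat-transparency udp-encapsulation
!
! cTCP: IPsec over TCP, used when UDP 500/4500 and ESP are blocked.
! Assumed port 10000 (the usual default); pick one your firewall permits.
crypto ctcp port 10000
!
! ---- Easy VPN remote (IOS client) ----
crypto ipsec client ezvpn EZVPN-HQ
 connect auto
 group REMOTES key <removed>
 mode network-extension
 peer 203.0.113.10
 ! Assumed: force IPsec over TCP toward the server on port 10000.
 ctcp port 10000
 ctcp keepalive 30
!
interface GigabitEthernet0/0
 crypto ipsec client ezvpn EZVPN-HQ outside
interface GigabitEthernet0/1
 crypto ipsec client ezvpn EZVPN-HQ inside
!
! ---- Verification (either side) ----
! With NAT-T actually in use, the SA line reads
!   "in use settings ={Tunnel UDP-Encaps, }"
! Without NAT between the peers it reads "{Tunnel, }" (plain ESP).
show crypto ipsec sa | include in use settings
```

The verification line is the quickest way to confirm what the original poster observed: `crypto ipsec nat-transparency udp-encapsulation` alone does not produce `UDP-Encaps` on a path with no NAT, so if the requirement is to avoid raw ESP regardless of NAT detection, cTCP (or placing an actual NAT device in the path) is the supported route.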