Possible to force VPN client to use IPSec over UDP 10,000?

jonathan.hudson
Level 1

We recently deployed a 3020 concentrator and the 4.0.2 (B) VPN client (used with Windows 2000). It was originally configured to only support IPSec connections over UDP 10,000.

Then, we had a new requirement to support several users behind the same Internet connection so we opened a TAC and were instructed to turn on IPSec over NAT-T on the concentrator. This worked for the multiple users behind the same Internet connection without having to change anything on the clients.

However, one client (the CIO of course) occasionally visits another company and sits behind their corporate CheckPoint firewall. We jumped through hoops originally to get UDP 10000 opened for him with their firewall group. However, after turning on IPSec over NAT-T on the concentrator, his client initially communicates over UDP 10000, then tries to communicate over UDP 4500 (which is blocked on their corporate firewall). Is there any way we can force just his client to always use UDP 10000 (and not 4500)?

4 Replies

ehirsel
Level 6

This URL from the VPN 3000 version 4.1 config guide may be helpful: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/config/usermgt.htm

In it there is a group parameter to allow ipsec over udp. Note that if nat-t (transparent tunneling or nat transparency) is enabled under Tunneling and Security then it takes precedence over ipsec/udp. So you may have to turn off nat-t and config the group to use ipsec/udp.

Let me know if this helps.

We have only one group configured that authenticates via an external RADIUS server. That group is configured for IPSec over UDP (port 10000). NAT-T was enabled under Tunneling Protocols / IPSec / NAT Transparency. This is a global function and affects all groups.

Thus, our dilemma: enabling NAT-T so that multiple users behind one Internet connection can connect, and having our CIO's client want to talk over port 4500 (NAT-T) and get blocked by the other company's firewall.

Is there a way to force that one client to not talk NAT-T and stick with IPSec over UDP port 10,000?

According to the cisco doc that I have read, it is not possible as if nat-t is tried first and both ends detect that the other can use it, it will be used instead of ipsec over udp. What I suggest is that you create another group that allows ipsec/udp and see if that will work. What I do not know is if the vpn concentrator will use the group setting over the global setting; I believe it will. When you configure the 2nd group, see if you can not only enable ipsec/udp but disable the nat-t if it is inherited from the base group.

You may want to try enabling nat-t over TCP port 10000. Maybe the other end will allow TCP connections to that port already. You can modify the existing group setting on the concentrator to allow it as well as nat-t. This way you can just modify the connection entry for the one user having the issue, without impacting other users.

Let me know what you find.
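The replies above describe the behaviour to verify: with NAT-T enabled globally, a client first reaches the concentrator on UDP 10000 and then switches to UDP 4500, which a remote firewall may drop. The following is an added example, not part of the original thread, that summarizes per-client UDP port usage from constructed firewall log lines (the log format, the concentrator address 203.0.113.10 and the client addresses are assumptions) so an administrator can confirm which clients are stuck in that NAT-T fallback.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original thread).
# 10.1.5.20 reaches the concentrator on UDP 10000, then has its NAT-T
# (UDP 4500) attempts dropped; 10.1.5.31 negotiates NAT-T successfully.
SAMPLE_LOG = """\
2004-03-01 09:12:01 ACCEPT proto=udp src=10.1.5.20 sport=10000 dst=203.0.113.10 dport=10000
2004-03-01 09:12:03 DROP proto=udp src=10.1.5.20 sport=4500 dst=203.0.113.10 dport=4500
2004-03-01 09:12:05 DROP proto=udp src=10.1.5.20 sport=4500 dst=203.0.113.10 dport=4500
2004-03-01 09:15:40 ACCEPT proto=udp src=10.1.5.31 sport=500 dst=203.0.113.10 dport=500
2004-03-01 09:15:41 ACCEPT proto=udp src=10.1.5.31 sport=4500 dst=203.0.113.10 dport=4500
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+proto=udp\s+src=(?P<src>\S+)\s+sport=\d+"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

# UDP ports discussed in the thread: IKE (500), NAT-T (4500), Cisco IPsec/UDP (10000).
PORT_NAMES = {500: "ike", 4500: "nat-t", 10000: "ipsec-udp"}

def summarize(log_text, concentrator):
    """Return {src: {port_name: {'ACCEPT': n, 'DROP': n}}} for UDP flows to the concentrator."""
    summary = defaultdict(lambda: defaultdict(lambda: {"ACCEPT": 0, "DROP": 0}))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dst") != concentrator:
            continue  # unparseable line or traffic to some other destination
        name = PORT_NAMES.get(int(m.group("dport")))
        if name is None:
            continue  # not one of the IPsec-related ports we care about
        summary[m.group("src")][name][m.group("action")] += 1
    return {src: dict(ports) for src, ports in summary.items()}

def natt_blocked_clients(summary):
    """Clients whose NAT-T (UDP 4500) attempts were all dropped: the fallback failure case."""
    blocked = []
    for src, ports in summary.items():
        natt = ports.get("nat-t", {"ACCEPT": 0, "DROP": 0})
        if natt["DROP"] > 0 and natt["ACCEPT"] == 0:
            blocked.append(src)
    return sorted(blocked)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, "203.0.113.10")
    print("NAT-T blocked clients:", natt_blocked_clients(result))
```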

Thanks for the suggestion. I opened a TAC issue and was told that you cannot force the client to only use UDP 10,000. So I am working with the other company to open port UDP 4500 on their firewall to allow this user to connect to our concentrator from their network.