
Satellite VPN

Robert Craig
Level 3

I have an IPSEC VPN across a satellite connection. My satellite provider provides TCP acceleration from both ends to make the experience better, which it does for most traffic. However, with my IPSEC VPN (router on my end and PIX on the other), the traffic is encrypted in UDP 500 traffic so the TCP headers are never seen and can't be accelerated. My thought on this is to use IPSEC over TCP, much like some people do when NAT comes into play or some weird firewall. Would this work? If I configure my 2811 to use IPSEC over TCP (isakmp ctcp port 45 or something similar), then the TCP acceleration would be able to do its job. My only fear is the PIX 515e on the other end of the tunnel won't support this feature. Any help is appreciated.

21 Replies

Jouni Forss
VIP Alumni

Hi,

The Command Reference for PIX software 7.0 does include the following command. I have never tried this, but it does seem to point to the fact that you could configure what you are talking about.

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html#wp1645243

isakmp ipsec-over-tcp

To enable IPSec over TCP, use the isakmp ipsec-over-tcp command in global configuration mode. To disable IPSec over TCP, use the no form of this command.

isakmp ipsec-over-tcp [port port1...port10]

no isakmp ipsec-over-tcp [port port1...port10]

Syntax Description

port port1...port10: (Optional) Specifies the ports on which the device accepts IPSec over TCP connections. You can list up to 10 ports. Port numbers can be in the range 1-65535. The default port number is 10000.

Defaults

The default value is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed / Transparent) | Security Context (Single / Multiple: Context, System)
Global configuration | |

Command History

Release 7.0: This command was introduced.

Examples

This example, entered in global configuration mode, enables IPSec over TCP on port 45:

hostname(config)# isakmp ipsec-over-tcp port 45

- Jouni

OK, I'll give it a shot. Thanks!

Hi Robert, did you finally manage to get the IPSec tunnel working and TCP accelerated using Easy VPN with ctcp?

Hi,

Are we talking about a L2L tunnel?

The isakmp ipsec-over-tcp port command enables the PIX to connect to a Cisco VPN Software and Hardware Client on any port for IPsec over TCP, not L2L tunnels.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080645722.shtml#intro

Please let me know if you have any questions.

Oh, actually, yeah, I guess it would be an L2L tunnel. What is my situation considered then? PIX 515E to 2811. All traffic going to the PIX LAN gets caught by a route-map; otherwise all traffic goes out over the regular internet. Oh, and the goal of this whole project is to extend VoIP services to users hanging off of satellite. CUCM is located behind the PIX, and the satellite users use a local CME with an H323 trunk to CUCM.

Hi Robert,

Since you have a Router and a PIX, I would suggest Easy VPN. With this topology IPsec over TCP is supported.

Which one is the client and which one is the server is up to you.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ezvpn505.html#wp1017851

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdm5505.pdf

Please let me know.

* Please do not forget to rate the posts if you find some help.
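An added configuration sketch of the Easy VPN arrangement suggested above, with the 2811 as the Easy VPN Remote in network-extension mode and the PIX 515E as the server accepting IPsec over TCP on the default port 10000; this is not configuration from the thread or from Cisco's documentation, and the hostnames, group name, map names, peer address and PSK-PLACEHOLDER are assumptions to be replaced with real values.

```cisco
! --- 2811 (Easy VPN Remote, IOS) --- names and addresses are assumed examples
crypto ipsec client ezvpn SAT-EZVPN
 connect auto
 group SATGROUP key PSK-PLACEHOLDER
 mode network-extension
 peer 198.51.100.1
 ctcp port 10000
!
interface FastEthernet0/0
 description satellite WAN
 crypto ipsec client ezvpn SAT-EZVPN outside
!
interface FastEthernet0/1
 description LAN with the local CME
 crypto ipsec client ezvpn SAT-EZVPN inside
!
! --- PIX 515E (Easy VPN Server, PIX 7.x) --- same group name and key
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! must match "ctcp port" on the 2811; 10000 is the default on both sides
isakmp ipsec-over-tcp port 10000
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
! highest sequence number so any existing L2L entries in the map are matched first
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
!
group-policy SATGROUP internal
group-policy SATGROUP attributes
 vpn-tunnel-protocol IPSec
 nem enable
!
tunnel-group SATGROUP type ipsec-ra
tunnel-group SATGROUP general-attributes
 default-group-policy SATGROUP
tunnel-group SATGROUP ipsec-attributes
 pre-shared-key PSK-PLACEHOLDER
```

If the PIX already has a crypto map applied to the outside interface, the dynamic entry is added to that existing map rather than to a new one.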

OK, I might try that method. If I do it this way, do you think my satellite's TCP acceleration will kick in and help things?

Dear Robert,

As long as the VPN connection gets established with IPsec over TCP on port 10000, the ISP will see these packets traversing their transit networks. I just hope this TCP acceleration does not manipulate or change the TCP packet in a way that the tunnel would not work; however, this is something you might want to try since it is quite simple to test.

Please let me know.

Thanks.

OK, I'll try it tonight. Just to make sure, I need to apply isakmp ctcp port 10000 on both devices?

Yes, it would be better.

Thanks.

OK. My pix also terminates other VPN tunnels that use the standard UDP 500 port. If I apply this command, will it break those connection or will it allow the PIX to use either one?

Should not be a problem.

If the client does not have IPsec over TCP enabled, then it will not use it.

LAN-to-LANs will ignore it.

Keep me posted.

Thanks in advance.

Will do! Thanks!

OK, so I tried it remotely from my office and ended up kicking the router off the VPN. I used the below link to configure the 2811. On the PIX I just created another client policy with the ASDM. However, the link never came back up. Do I have to do any static routing at the 2811 or on the PIX for each other's LANs to work with EZVPN?

http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/ezvpn.html