TCP Encapsulation for ESP traffic - possible?

brad.bartlett
Level 1

I have GRE/IPsec tunnels created to a remote site in Tashkent, Uzbekistan, running fine for over a year. Recently, the site went offline; troubleshooting shows that while some traffic is still flowing (UDP/500 IKE, TCP/23 Telnet, etc.), ESP packets being sent from the router in Tashkent are not making it back to their IPsec peers. We queried the ISP, and after much hemming and hawing, the ISP reports that their upstream provider, the state-run UzbekTelecom, was blocking the ESP and has unblocked it. Trouble is that they only unblocked it to one destination; my other 3 tunnels remain down. Of course we are concerned that they will reverse course and re-block ESP to everywhere, so we're trying to explore options for disguising ESP. Currently, folks at the site are using the Cisco VPN client against a 3005 concentrator using TCP encapsulation, which works fine. Question is, can I get 2 IOS-based routers to encapsulate ESP inside TCP? And if so, how?

4 Replies

grant.maynard
Level 4

IPsec in TCP (or UDP) is called NAT-Traversal or NAT-Transparency. The peers automatically detect NAT and negotiate NAT-T during the IKE exchange.

Not sure if you can force it but if you configure it the peers may prefer it.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

Thanks for the reply. NAT-T is UDP only (port 4500), and will auto-negotiate as you mentioned, but ONLY if it detects a NAT in the path, which can be introduced by a NAT-on-a-stick approach. Tested this and it works fine, but if the state blocks ESP, likely they're sharp enough to block UDP/4500; heck, if they blocked IKE, we'd be dead with no recourse. I was hoping for a similar solution to TCP encapsulation on the VPN Client, but I've finally decided that it just does not exist today (but it should!).

If they are not blocking GRE, then you can go for the other option, i.e. IPsec inside GRE instead of GRE inside IPsec.

Just change the interesting traffic for the IPsec from:

permit gre host x host y

to:

permit ip lanA 0.0.0.255 lanB 0.0.0.255

This will make the IPsec header the inside header and the GRE header the outside header.

Do not forget to make the IPsec transform set use transport mode, as IPsec inside GRE only works in transport mode.

Hope that this helps.

You can (on PIX OS 7.x and later, and on the ASAs) configure which TCP port can be used for NAT-traversal with the following command:

isakmp ipsec-over-tcp port 15000

The VPN Concentrators also support NAT-traversal over TCP. I am unsure whether the current IOS routers support it.

Hope this helps.

PJ
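The thread turns on which protocol number or port sits in the outermost header: ESP (IP protocol 50) when GRE rides inside IPsec, GRE (protocol 47) when IPsec rides inside GRE as the reply above suggests, UDP/4500 for NAT-T as the original poster notes, and a TCP port such as the 15000 in PJ's PIX/ASA command. The following is an added example, not code from the thread or from Cisco, that builds each nesting order as bytes and then inspects only the outer header, the way a stateless protocol/port filter would. Addresses, SPI values and the inner payload are constructed placeholders; the IPv4 checksum is real, everything else is the minimum needed to show the layering.

```python
"""
Added example: outer-header view of the four encapsulation orders discussed in
the thread. Sample addresses are from the RFC 5737 documentation ranges and
are constructed, not the poster's.
"""
import struct
from typing import Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
NAT_T_PORT = 4500            # RFC 3948 UDP encapsulation of ESP (NAT-T)
IPSEC_OVER_TCP_PORT = 15000  # port value from the thread's PIX/ASA command

PEER_A, PEER_B = "198.51.100.1", "203.0.113.1"   # constructed router addresses
TUN_A, TUN_B = "10.0.0.1", "10.0.0.2"            # constructed GRE tunnel addresses
LAN_A, LAN_B = "192.168.1.10", "192.168.2.10"    # constructed LAN hosts


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_aton(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_aton(src), ip_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre(payload: bytes) -> bytes:
    return struct.pack("!HH", 0, 0x0800) + payload      # flags=0, proto=IPv4


def esp(payload: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    # SPI + sequence number only; the encrypted body is not modelled because
    # a protocol/port filter never looks past the outer header anyway.
    return struct.pack("!II", spi, seq) + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte header, PSH/ACK, no options; checksum left zero for brevity.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18,
                       65535, 0, 0) + payload


INNER = ipv4(LAN_A, LAN_B, IPPROTO_TCP, tcp(40000, 23, b"constructed payload"))


def gre_over_ipsec() -> bytes:
    """The poster's original design: GRE tunnel carried inside ESP (tunnel mode)."""
    return ipv4(PEER_A, PEER_B, IPPROTO_ESP,
                esp(ipv4(PEER_A, PEER_B, IPPROTO_GRE, gre(INNER))))


def ipsec_over_gre() -> bytes:
    """The reply's alternative: ESP between the tunnel addresses, carried in GRE."""
    return ipv4(PEER_A, PEER_B, IPPROTO_GRE,
                gre(ipv4(TUN_A, TUN_B, IPPROTO_ESP, esp(INNER))))


def nat_t() -> bytes:
    """NAT-T: ESP inside UDP/4500."""
    return ipv4(PEER_A, PEER_B, IPPROTO_UDP, udp(NAT_T_PORT, NAT_T_PORT, esp(INNER)))


def ipsec_over_tcp() -> bytes:
    """PIX/ASA style: ESP inside a TCP stream on the configured port."""
    return ipv4(PEER_A, PEER_B, IPPROTO_TCP,
                tcp(IPSEC_OVER_TCP_PORT, IPSEC_OVER_TCP_PORT, esp(INNER)))


def outer_view(pkt: bytes) -> Tuple[int, int]:
    """(IP protocol, destination port or 0) read from the outermost header only."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    proto = pkt[9]
    dport = 0
    if proto in (IPPROTO_UDP, IPPROTO_TCP):
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, dport


def verdict(pkt: bytes, blocked_protos, blocked_udp_ports=(), blocked_tcp_ports=()) -> str:
    """What a stateless filter does with the packet given its block lists."""
    proto, dport = outer_view(pkt)
    if proto in blocked_protos:
        return "drop"
    if proto == IPPROTO_UDP and dport in blocked_udp_ports:
        return "drop"
    if proto == IPPROTO_TCP and dport in blocked_tcp_ports:
        return "drop"
    return "pass"


if __name__ == "__main__":
    for name, pkt in [("GRE over IPsec", gre_over_ipsec()), ("IPsec over GRE", ipsec_over_gre()),
                      ("NAT-T", nat_t()), ("IPsec over TCP", ipsec_over_tcp())]:
        print(f"{name:15} outer={outer_view(pkt)} proto50-filter={verdict(pkt, {IPPROTO_ESP})}")
```

Running it shows the poster's caveat directly: a filter keyed on protocol 50 drops only the GRE-over-IPsec packet, and adding UDP/4500 to the block list catches NAT-T just as easily, so each re-encapsulation merely moves the visible protocol or port one layer out.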