Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
663
Views
0
Helpful
3
Replies

Tunnel Site-to-Site VPN or Not

adelium904
Level 1
Level 1

‎05-02-2014 07:48 AM

Hi,

I need to link 2 sites together.

My internet providers does not provide VPN passthrough (ESP) protocol or the possibility to put the modem or boxes in bridge mode. Look at the following discussion for more details. 

https://supportforums.cisco.com/discussion/12186456/vpn-ipsec-not-working-solved

 

Is there a way to link the 2 sites together with security?

I have to say that GRE protocol works fine.

 

Thanks

Labels:
0 Helpful
3 Replies 3

David_Che
Level 1
Level 1

‎05-04-2014 08:06 AM

Hi,

There are two methods that can overcome this issue.

1. IPsec over UDP 

   IPsec peers try to discover if NAT/PAT device in between by NAT-D payload, if yes, two ipsec peers will automatically use UDP port 4500 to setup IPsec session, after control-plane is established successfully, data-plane traffic like ESP will also be encapsulated into UDP port 4500, in this way it can overcome ESP blocked by service provider. this method does not need any configuration if only the 2 peers support this feature. 

   However, if there is no NAT device in between, IKE will negotiated in native mode(UDP 500), data-plane traffic will be encapsulated into ESP, the data traffic will be failed if ESP blocked by SP.

 

2. IPsec over TCP

   This method need to configure CTCP on both sides manually, for example, 'crypto isakmp ctcp port 10000' on both sides, then both control-plane and data-plane traffic will be encapsulated into TCP, in this way also can overcome ESP blocked by service provider.

Regards,

David

0 Helpful

adelium904
Level 1
Level 1
In response to David_Che

‎05-06-2014 12:27 AM

Thanks for the information.

I have looked everywere to know how to do it, but I do not have the command to foolow the exemples. I only found how to listen on port 10000.

router (config)# crypto ctcp port 10000

Now, I need to know witch command I need to type to be able to use TCP?

 

For your info, I have this boot system flash c800-universalk9-mz.SPA.152-4.M6.bin

 

thanks

 

 

 

0 Helpful

Juan Rojas
Level 1
Level 1

‎05-09-2014 01:26 PM

The only way to make a Site-to-Site VPN work on port 10000 is by doing EzVPN 

Router(config-crypto-ezvpn)#do sh run | sec crypto
crypto ipsec client ezvpn vpn-hw-client
 connect auto
 ctcp port 10000

 

I hope this helps!

0 Helpful
Customers Also Viewed These Support Documents