04-25-2014 09:50 PM - edited 02-21-2020 07:37 PM
Hi Everyone,
The VPN client is working fine with the transport tunneling IPSEC over UDP.
I did a test to see if it works when I selected IPsec over TCP in the VPN client.
Under group policy I disabled the IPSEC over UDP and selected UP port 10000.
But the VPN connection did not work.
What should I do to make the VPN work using IPSEC over TCP?
Regards
Mahesh
04-25-2014 10:23 PM
On the server you have to give the command to make IPsec work over TCP:
Router(config)# crypto ctcp port 10000
HTH
04-25-2014 10:23 PM
Hi Poonam,
On ASA
ASA1(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Certification authority
ASA1(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ASA1(config)# crypto ipsec
There is no command with ctcp?
Regards
Mahesh
04-25-2014 11:11 PM
Hello Mahesh,
My mistake, that command works on the router.
To enable IPsec over TCP globally on the security appliance, enter the following command:
crypto isakmp ipsec-over-tcp [port port 1...port0]
This example enables IPsec over TCP on port 45:
04-25-2014 11:26 PM
Hi Poonam,
ASA1(config)# crypto isakmp ?
configure mode commands/options:
disconnect-notify Enable disconnect notification to peers
identity Set identity type (address, hostname or key-id)
nat-traversal Enable and configure nat-traversal
reload-wait Wait for voluntary termination of existing connections
before reboot
Still no luck
Regards
Mahesh
04-25-2014 11:47 PM
Please check whether the current version supports this feature.
04-25-2014 11:50 PM
It is 9.1(1).
04-26-2014 04:19 AM
Mahesh,
You have to use "crypto ikev1 ipsec-over-tcp port 10000"
As "crypto isakmp ipsec-over-tcp" works on images below 8.3.
HTH
04-26-2014 08:36 AM
Hi Poonam,
I configured
ASA1(config)# crypto ikev1 ipsec-over-tcp port 10000
After this I was able to connect with IPSEC over TCP fine.
I need to know one more thing: even though I did the above config, if I use IPSEC over UDP on the user PC VPN client it still works.
I need to know how IPSEC over UDP also works with the above config on the ASA?
Regards
Mahesh
04-26-2014 10:01 PM
Hello Mahesh,
The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal, and IPsec over UDP, depending on the client with which it is exchanging data. IPsec over TCP, if enabled, takes precedence over all other connection methods. Refer to this document.
HTH
"Please do rate helpful posts"
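An added example, not from the thread's participants or from Cisco: a small Python audit that reads a saved running-config and reports which of the encapsulation methods discussed above are enabled side by side, flagging the pre-8.3 `crypto isakmp` form of the command. The sample config, the group-policy name RA-VPN and the function name are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the device in this thread).
SAMPLE_CONFIG = """\
ASA Version 9.1(1)
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto isakmp nat-traversal 20
group-policy RA-VPN internal
group-policy RA-VPN attributes
 ipsec-udp enable
 ipsec-udp-port 10000
"""

def audit_encapsulation(config: str) -> dict:
    """Report which IPsec encapsulation methods a running-config enables."""
    result = {"version": None, "tcp_ports": [], "legacy_tcp_syntax": False,
              "nat_traversal": False, "udp_groups": []}
    group = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            group = None  # any top-level line ends a group-policy block
        if m := re.match(r"ASA Version (\S+)", line):
            result["version"] = m.group(1)
        elif m := re.match(r"crypto (ikev1|isakmp) ipsec-over-tcp(?: port (.+))?$", line):
            # The "isakmp" keyword is the older form of this command.
            result["legacy_tcp_syntax"] |= m.group(1) == "isakmp"
            # Port 10000 is the ASA default when no port is listed.
            ports = m.group(2).split() if m.group(2) else ["10000"]
            result["tcp_ports"] += [int(p) for p in ports]
        elif re.match(r"crypto (ikev1|isakmp) nat-traversal", line):
            result["nat_traversal"] = True
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            group = m.group(1)
        elif group and line == "ipsec-udp enable":
            # IPsec over UDP is a per-group-policy setting, so it can stay
            # enabled while IPsec over TCP is enabled globally.
            result["udp_groups"].append(group)
    return result

if __name__ == "__main__":
    for key, value in audit_encapsulation(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
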
04-27-2014 07:10 AM
Many thanks Poonam
Mahesh