VPN client with transport tunneling IPSEC over TCP not working

mahesh18

 

Hi Everyone,

VPN client is working fine with transport tunneling IPSEC over UDP.

I did a test to see if it works when I selected VPN client with IPSEC over TCP.

Under group policy I disabled the IPSEC over UDP and selected UP port 10000

But the VPN connection did not work.

What should I do to make VPN work using IPSEC over TCP?

Regards

Mahesh

 


Poonam Garg

On the server you have to give the command to make ipsec work over tcp

Router(config)# crypto ctcp port 10000

 

HTH

 

 

Hi Poonam,

 

On ASA

 

ASA1(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Certification authority
ASA1(config)# crypto  ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters
ASA1(config)# crypto  ipsec

 

There is no command with ctcp?

 

Regards

Mahesh

Hello Mahesh,

My mistake, that command works on a router.

To enable IPsec over TCP globally on the security appliance, enter the following command:

crypto isakmp ipsec-over-tcp [port port 1...port0]

This example enables IPsec over TCP on port 45:

hostname(config)# crypto isakmp ctcp port 45

Refer to this document.

 

 

Hi Poonam,

 

ASA1(config)# crypto isakmp ?

configure mode commands/options:
  disconnect-notify  Enable disconnect notification to peers
  identity           Set identity type (address, hostname or key-id)
  nat-traversal      Enable and configure nat-traversal
  reload-wait        Wait for voluntary termination of existing connections
                     before reboot


Still no luck

 

Regards

Mahesh

Please check if the current version supports this feature.

It is 9.1(1).

Mahesh,

You have to use "crypto ikev1 ipsec-over-tcp port 10000"

As "crypto isakmp ipsec-over-tcp" works on images below 8.3.

 

HTH

 

 

Hi Poonam,

I configured


ASA1(config)# crypto ikev1 ipsec-over-tcp port 10000


After this I was able to connect with IPSEC over TCP fine.

I need to know one more thing: even though I did the above config, if I use IPSEC over UDP on the user PC VPN client, it still works.

I need to know how IPSEC over UDP also works with the above config on the ASA?

Regards

Mahesh

Hello Mahesh,

The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal, and IPsec over UDP, depending on the client with which it is exchanging data. IPsec over TCP, if enabled, takes precedence over all other connection methods. Refer to this document.

 

HTH

 

"Please do rate helpful posts"

 

Many thanks Poonam

Mahesh