VPN concentrators requiring UDP source port 500

subaa
Level 1

Hi,

Could you please tell me some vendors whose IPSec implementation always requires that the originating side's ISAKMP port MUST be UDP 500?

My problem is that I have to PAT IPSec connections without NAT traversal, which is working correctly with "ip nat service esp spi-match" in IOS; ISAKMP is PATed normally. I would like to know some examples where this solution won't work without NAT traversal.

Thanks,

A_a
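As an added example (not part of the thread), here is a small Python checker that parses UDP datagrams carrying ISAKMP and reports how a responder that insists on a source port of UDP 500 would treat them: the untouched case, the PAT-rewritten case the question is about, and NAT-T on UDP 4500, the alternative the thread contrasts against. The sample packets, the `IkeDatagram` type and the classification labels are constructed for illustration.

```python
import struct
from dataclasses import dataclass

IKE_PORT = 500      # ISAKMP/IKE, the port the question is about
NAT_T_PORT = 4500   # UDP-encapsulated IKE/ESP per RFC 3948

@dataclass
class IkeDatagram:
    src_port: int
    dst_port: int
    nat_t: bool
    exch_type: int   # IKEv1: 2 = Identity Protection (Main Mode)

def parse_udp_ike(udp: bytes) -> IkeDatagram:
    """Parse a raw UDP datagram (8-byte header + payload) carrying IKE."""
    if len(udp) < 8:
        raise ValueError("short UDP header")
    src, dst, _length, _csum = struct.unpack("!HHHH", udp[:8])
    payload, nat_t = udp[8:], False
    if NAT_T_PORT in (src, dst):
        # On 4500 IKE carries a 4-byte zero non-ESP marker; anything else is ESP.
        if payload[:4] != b"\x00\x00\x00\x00":
            raise ValueError("UDP-encapsulated ESP, not IKE")
        payload, nat_t = payload[4:], True
    if len(payload) < 28:
        raise ValueError("short ISAKMP header")
    _ispi, _rspi, _next, _ver, exch, _flags, _msgid, _len = \
        struct.unpack("!8s8sBBBBII", payload[:28])
    return IkeDatagram(src, dst, nat_t, exch)

def classify(d: IkeDatagram) -> str:
    """How a strict peer that insists on source port 500 would see this."""
    if d.nat_t:
        return "nat-t"           # designed to survive PAT
    if d.src_port == IKE_PORT and d.dst_port == IKE_PORT:
        return "ok"              # source port untouched by PAT
    if d.dst_port == IKE_PORT:
        return "pat-rewritten"   # strict peer drops it; relaxed peer answers to src port
    return "not-ike"

def build_sample(src: int, dst: int, nat_t: bool = False) -> bytes:
    """Constructed IKEv1 Main Mode header with no payloads (sample input)."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
    payload = (b"\x00" * 4 if nat_t else b"") + hdr
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload
SAMPLES = {                                  # constructed, not captured traffic
    "direct": build_sample(500, 500),        # no NAT in the path
    "pat": build_sample(61234, 500),         # PAT rewrote the initiator's source port
    "nat_t": build_sample(4500, 4500, True), # NAT-T negotiated instead
}
```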

2 Replies

jackko
Level 7

IPsec is the industry standard, so all vendors should implement it with the same ports.

Instead of configuring NAT-T (i.e. IPsec over UDP), the concentrator supports IPsec over TCP.

On the concentrator, go to Configuration | Tunneling and Security | IPSec | NAT Transparency.

According to the Cisco doco:

IPSec over TCP

IPSec over TCP enables a VPN client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices and firewalls.

Note: This feature does not work with proxy-based firewalls.

IPSec over TCP works with both the VPN software client and the VPN 3002 hardware client. It works only on the public interface. It is a client to Concentrator feature only. It does not work for LAN-to-LAN connections.

* The VPN Concentrator can simultaneously support standard IPSec, IPSec over TCP, NAT-Traversal, and IPSec over UDP, depending on the client with which it is exchanging data.

* The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPSec, IPSec over TCP, NAT-Traversal, or IPSec over UDP.

* When enabled, IPSec over TCP takes precedence over all other methods.

* When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.

To use IPSec over TCP, both the VPN Concentrator and the client must:

* Be running version 3.5 or later software.

* Enable IPSec over TCP.

* Configure the same port for IPSec over TCP on both the Concentrator and the client.

You enable IPSec over TCP on both the Concentrator and the client to which it connects. For software clients, refer to the VPN Client User Guide for configuration instructions. For the VPN 3002 hardware client, refer to the VPN 3002 Hardware Client Getting Started guide, and to the VPN 3002 Hardware Client Reference.

If you enter a well-known port, for example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated with that port will no longer work on the public interface. The consequence is that you can no longer use a browser to manage the VPN Concentrator through the public interface. To solve this problem, reconfigure the HTTP/HTTPS management to different ports.

You must configure TCP port(s) on the client as well as on the VPN Concentrator. The client configuration must include at least one of the ports you set for the VPN Concentrator here.

Check the box to enable IPSec over TCP.

TCP Port(s)

Enter up to 10 ports, using a comma to separate the ports. You do not need to use spaces. The default port is 10,000. The range is 1 to 65,635.

Sorry to say that, man, but this answer does not even have a bowing acquaintance with my question. I need information about OTHER VENDORS whose IPSec devices will not be available, since IKE is not originated from UDP 500. So once again the question:

"Could you please tell me some vendors whose IPSec implementation always requires that the originating side's ISAKMP port MUST be UDP 500?

My problem is that I have to PAT IPSec connections without NAT traversal, which is working correctly with "ip nat service esp spi-match" in IOS; ISAKMP is PATed normally. I would like to know some examples where this solution won't work without NAT traversal."

Thanks again,

A_a