09-23-2004 06:13 AM - edited 02-21-2020 01:21 PM
Hello,
I am trying to connect two remote VPN 3005s (version 4.01) in LAN-to-LAN; one of the concentrators is behind a Linux firewall. We configured IPSec NAT Transparency on port 20000 for this connection. The FW allows only port 2000 inbound on its public interface and translates it to the public interface of the VPN 3005.
The connection establishes fine from the concentrator behind the FW to the other one. The connection in the reverse direction doesn't work properly (sometimes OK, sometimes not). So I have two questions:
- I've made captures on the public interface of the FW and I see ISAKMP UDP 500 traffic; do we have to allow this port on the FW?
- When I kill a session (Administer Sessions, "logout"), can I be sure that the session is really down (no timeout or anything else)?
Thanks for your help
09-26-2004 08:40 PM
If this is UDP NAT Transparency you're talking about, then yes, you still have to allow UDP/500. UDP NAT-T is only for the ESP packets, the data packets of the connection. The actual tunnel build process is still done on UDP/500, the standard IKE port.
This is because PAT devices don't have trouble with the IKE packets, since they're UDP; they have trouble with the ESP packets, since those are neither UDP nor TCP. For this reason only the ESP packets are encapsulated in UDP.
Not sure what you're getting at with your 2nd question. If the session is no longer listed as a session then you can be fairly sure that it's been disconnected.
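To make the rule the reply describes concrete (IKE stays on UDP/500, only ESP is wrapped in UDP on the NAT-T port, raw ESP is IP protocol 50 and cannot be port-translated), here is an added example that is not part of the thread or of Cisco's documentation. It builds constructed IPv4/UDP/ESP packets, classifies what a firewall on the public interface would see, and derives the allow rules a tunnel needs. It assumes standard RFC 3948 framing on the NAT-T port (a four-zero-byte non-ESP marker for IKE that has floated to the NAT-T port, a 0xFF byte for keepalives, an ESP SPI otherwise); the NAT-T port is a parameter so the thread's port 20000 can be tried alongside the default 4500. The helper names, addresses and SPI are invented for the example.

```python
"""Classify the packets an IPsec NAT-T tunnel produces and derive firewall rules.

Added example for the discussion above; the packets are constructed, not captured.
"""
import struct
from ipaddress import IPv4Address

IKE_PORT = 500        # IKE/ISAKMP always begins on UDP/500
NATT_PORT = 4500      # RFC 3948 default; the VPN 3000 lets you pick another port
PROTO_UDP = 17
PROTO_ESP = 50
# RFC 3948: an ESP SPI of zero is reserved, so four zero bytes on the NAT-T port
# unambiguously mark an IKE packet rather than an ESP-in-UDP packet.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def ipv4(proto, payload, src="203.0.113.10", dst="198.51.100.20"):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def udp(sport, dport, payload):
    """UDP header (zero checksum, permitted for IPv4) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp(spi, seq, ciphertext):
    """ESP header: SPI and sequence number, then the (here fake) encrypted body."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify(packet, natt_port=NATT_PORT):
    """Label one packet as seen on the firewall's public interface."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == PROTO_ESP:
        return "esp-raw"                   # IP protocol 50: no ports for PAT to rewrite
    if proto != PROTO_UDP:
        return "other"
    sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
    body = l4[8:ulen]
    if IKE_PORT in (sport, dport):
        return "ike"                       # tunnel build, unchanged by NAT-T
    if natt_port in (sport, dport):
        if body == b"\xff":
            return "natt-keepalive"        # one-byte keepalive to hold the PAT binding
        if body[:4] == NON_ESP_MARKER:
            return "ike-natt"              # IKE that floated to the NAT-T port
        return "esp-in-udp"                # SPI first: ESP wrapped in UDP
    return "other"


RULES = {
    "ike": "allow udp/500",
    "ike-natt": "allow udp/{natt}",
    "esp-in-udp": "allow udp/{natt}",
    "natt-keepalive": "allow udp/{natt}",
    "esp-raw": "allow ip proto 50 (not NAT-able by PAT)",
}


def required_rules(packets, natt_port=NATT_PORT):
    """Set of firewall allow rules needed to pass every packet in `packets`."""
    kinds = (classify(p, natt_port) for p in packets)
    return {RULES[k].format(natt=natt_port) for k in kinds if k in RULES}


def natt_tunnel(natt_port=NATT_PORT):
    """Constructed packets of a NAT-T LAN-to-LAN tunnel, in the order they appear."""
    return [
        ipv4(PROTO_UDP, udp(IKE_PORT, IKE_PORT, b"\x11" * 28)),                       # IKE on 500
        ipv4(PROTO_UDP, udp(natt_port, natt_port, NON_ESP_MARKER + b"\x22" * 28)),    # IKE floated
        ipv4(PROTO_UDP, udp(natt_port, natt_port, esp(0xC0FFEE01, 1, b"\x33" * 32))), # ESP-in-UDP
        ipv4(PROTO_UDP, udp(natt_port, natt_port, b"\xff")),                          # keepalive
    ]


def plain_tunnel():
    """Constructed packets of the same tunnel without NAT-T: IKE plus raw ESP."""
    return [
        ipv4(PROTO_UDP, udp(IKE_PORT, IKE_PORT, b"\x11" * 28)),
        ipv4(PROTO_ESP, esp(0xC0FFEE01, 1, b"\x33" * 32)),
    ]


if __name__ == "__main__":
    for port in (4500, 20000):
        print(f"NAT-T on {port}:", sorted(required_rules(natt_tunnel(port), port)))
    print("no NAT-T:", sorted(required_rules(plain_tunnel())))
```

Running it shows that with NAT-T on port 20000 the firewall still needs UDP/500 open in addition to UDP/20000, and that without NAT-T the tunnel needs IP protocol 50 instead, which a port-translating firewall cannot forward to the concentrator behind it.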
09-28-2004 08:02 AM
Hello,
and thanks for your answer.
What I'm trying to do is IPSec over TCP (not UDP NAT Transparency), but I've just read in the Cisco VPN 3005 configuration guide that "IPSec over TCP works with both the VPN software client and the VPN 3002 hardware client. It works only on the public interface. It is a client to Concentrator feature only. It does not work for LAN-to-LAN connections."
So does that mean that I can't do IPSec over TCP in a LAN-to-LAN connection and that I must use UDP NAT Transparency on port 4500?
Regards