VPN3005 IPSec Nat Trans through FW

yallies
Level 1

Hello,

I am trying to connect 2 remote VPN3005 (version 4.01) in LAN-to-LAN; one of the concentrators is behind a FW (Linux). We configured IPSec NAT Transparency on port 20000 for this connection. The FW allows only port 2000 inbound on its public interface and translates it to the public interface of the VPN3005.

The connection establishes fine when initiated from the concentrator behind the FW to the other one. The connection in the reverse direction doesn't work properly (sometimes OK, sometimes not). So I have 2 questions:

- I've made a capture on the public interface of the FW and I see ISAKMP UDP 500 traffic; do we have to allow this port on the FW?

- When I kill a session (Administer Sessions "logout"), can I be sure that the session is really down (no timeout or other)?

Thanks for your help

2 Replies

gfullage
Cisco Employee

If this is UDP NAT Transparency you're talking about, then yes, you still have to allow UDP/500. UDP NAT-T is only for the ESP packets, the data packets of the connection. The actual tunnel build process is still done on UDP/500, the standard IKE port.

This is because PAT devices don't have trouble with the IKE packets, since they're UDP; they have trouble with the ESP packets because they're not UDP or TCP. For this reason only those are encapsulated into UDP.

Not sure what you're getting at with your 2nd question. If the session is no longer listed as a session then you can be fairly sure that it's been disconnected.
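The point made in the reply above, as an added example that is not part of the original thread or of any Cisco code: a small model of the Linux FW in the question (a stateless inbound filter with a one-to-one port forward to the concentrator's public interface) and of a PAT table. It shows why a PAT device can rewrite IKE and UDP-encapsulated ESP but not raw ESP, and what an outside-initiated tunnel build looks like when only the NAT-T port is open versus when UDP/500 is open as well. All addresses and SPIs are constructed; 20000 is the NAT-T port from the post, 500 the standard IKE port.

```python
"""Why UDP NAT Transparency still needs IKE on UDP/500 through the firewall.

Added example for this thread, not code from the original post or from Cisco.
Addresses, SPIs and the port-forward layout are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional

UDP = 17          # IP protocol number for UDP
ESP = 50          # IP protocol number for ESP: no transport-layer ports
IKE_PORT = 500    # standard IKE / ISAKMP port


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for raw ESP; it carries an SPI instead
    dport: Optional[int] = None
    spi: Optional[int] = None


class PatDevice:
    """Minimal port-address-translation table keyed on (proto, src, sport)."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[tuple, int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        # PAT multiplexes many inside hosts onto one address by rewriting the
        # source port. Raw ESP has no port field, so there is nothing to key
        # the translation on: that is why NAT-T wraps ESP in UDP but can leave
        # the IKE exchange on plain UDP/500.
        if pkt.sport is None:
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.table[key])


class ForwardingFirewall:
    """Stateless inbound filter that forwards permitted UDP ports to one host."""

    def __init__(self, public_ip: str, inside_ip: str, allowed_udp_ports) -> None:
        self.public_ip = public_ip
        self.inside_ip = inside_ip
        self.allowed_udp_ports = set(allowed_udp_ports)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Only UDP to a permitted port is translated to the concentrator's
        # public interface; everything else, raw ESP included, is dropped.
        if pkt.proto != UDP or pkt.dport not in self.allowed_udp_ports:
            return None
        return replace(pkt, dst=self.inside_ip)


def outside_initiated_tunnel(fw: ForwardingFirewall, nat_t_port: int) -> Dict[str, bool]:
    """Which packets of a tunnel built from the far side reach the concentrator."""
    peer = "203.0.113.10"  # constructed address of the far-side concentrator
    ike = Packet(UDP, peer, fw.public_ip, sport=IKE_PORT, dport=IKE_PORT)
    esp_raw = Packet(ESP, peer, fw.public_ip, spi=0x1A2B3C4D)
    esp_in_udp = Packet(UDP, peer, fw.public_ip, sport=nat_t_port, dport=nat_t_port)
    return {
        "ike_udp_500": fw.inbound(ike) is not None,
        "esp_raw": fw.inbound(esp_raw) is not None,
        "esp_in_udp": fw.inbound(esp_in_udp) is not None,
    }


def tunnel_can_build(fw: ForwardingFirewall, nat_t_port: int) -> bool:
    """The tunnel needs both the IKE exchange and the encapsulated ESP to pass."""
    r = outside_initiated_tunnel(fw, nat_t_port)
    return r["ike_udp_500"] and r["esp_in_udp"]


if __name__ == "__main__":
    pat = PatDevice("198.51.100.1")
    ike = Packet(UDP, "10.0.0.2", "203.0.113.10", sport=IKE_PORT, dport=IKE_PORT)
    esp = Packet(ESP, "10.0.0.2", "203.0.113.10", spi=0x1A2B3C4D)
    print("PAT can rewrite IKE:     ", pat.outbound(ike) is not None)
    print("PAT can rewrite raw ESP: ", pat.outbound(esp) is not None)

    only_nat_t = ForwardingFirewall("198.51.100.1", "10.0.0.2", {20000})
    with_ike = ForwardingFirewall("198.51.100.1", "10.0.0.2", {IKE_PORT, 20000})
    print("Only 20000 open:  ", outside_initiated_tunnel(only_nat_t, 20000))
    print("500 + 20000 open: ", outside_initiated_tunnel(with_ike, 20000))
```

With only the NAT-T port forwarded, the far side's IKE packets never reach the concentrator, so a tunnel initiated from outside cannot be built, while the inside-initiated direction works because the outbound IKE is never filtered. The model is stateless; if the real Linux FW is stateful, an earlier inside-initiated IKE exchange may leave a return-traffic entry that lets the peer's UDP/500 packets through for a while, which is one possible reading of the "sometimes OK, sometimes not" behaviour described in the question.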

Hello

and thanks for your answer,

What I'm trying to do is IPSec over TCP (not UDP NAT Trans), but I've just read in the Cisco VPN 3005 configuration guide that "IPSec over TCP works with both the VPN software client and the VPN 3002 hardware client. It works only on the public interface. It is a client to Concentrator feature only. It does not work for LAN-to-LAN connections."

So does that mean that I can't do IPSec over TCP in a LAN-to-LAN connection and that I must use UDP NAT Trans on port 4500?

Regards