RE: DMVPN with or without IPSec Transport mode

From: Scott Vermillion (scott_ccie_list@it-ag.com)
Date: Tue Nov 13 2007 - 18:38:32 ART


Hi Tomimma,

I went through this a few years back. My client had a policy that all VPNs
be in tunnel mode (don't ask). Yet we needed NAT-T. Not sure if it's still
the case, but at that time, NAT-T meant transport mode - period. I don't
recall all the details and was unable to find a link to post for you that
explains the technical issues, but IIRC it basically came down to tunnel
mode breaking the NAT-T discovery process of inserting the unprotected and
the protected UDP headers into the test ESP probe packet. And NAT-T only
kicks in the UDP port 4500 encapsulation if it is able to detect PAT; it
otherwise does not include the UDP encapsulation. Since your address
translation is all 1:1 NAT, my guess is you can use either transport or
tunnel mode and be just fine. If you have any spokes behind PAT, you'll
need NAT-T and thus transport mode. Although it doesn't explain any of the
technical issues at hand, here's a link which states clearly:

"For these NAT-Transparency Aware enhancements to work, you must use IPsec
transport mode on the transform set."

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html#wp1122466

Regards,

Scott
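As an added illustration of the point in Scott's reply (this is not config from the thread or from the Cisco document he links), here is a minimal hub-side DMVPN crypto configuration on Cisco IOS with the transform set in transport mode, followed by the show output a practitioner would check to confirm whether NAT-T's UDP encapsulation actually kicked in for a given spoke. All names, keys and addresses (DMVPN-XFORM, DMVPN-PROF, Tunnel0, 10.0.0.0/24, the pre-shared key) are placeholders.

```cisco
! Added example, not from the thread. Placeholders: DMVPN-XFORM, DMVPN-PROF,
! Tunnel0, 10.0.0.0/24, GigabitEthernet0/0, PLACEHOLDER-PSK, PLACEHOLDER-NHRP.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
! The setting the thread is about. The IOS default is "mode tunnel";
! NAT-T (UDP/4500 encapsulation for spokes behind PAT) requires transport
! mode on the transform set, so it is set explicitly here.
crypto ipsec transform-set DMVPN-XFORM esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-XFORM
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication PLACEHOLDER-NHRP
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Verification. "show crypto isakmp sa detail" lists a capability column;
! the N flag marks peers where NAT traversal was negotiated.
! "show crypto ipsec sa" shows, per SA, whether UDP encapsulation is active:
!   in use settings ={Transport UDP-Encaps, }   <- spoke behind PAT, NAT-T in use
!   in use settings ={Transport, }              <- no NAT detected, plain ESP
! A spoke behind 1:1 static NAT (the original poster's case) normally shows
! the second form: NAT-T detects no address rewrite, so no UDP encapsulation.
```

The two show commands are the practical check: if a spoke behind PAT never shows UDP-Encaps in its SA settings, the first thing to confirm is that the transform set on both ends is in transport mode rather than the default tunnel mode.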

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
h-tomikawa
Sent: Tuesday, November 13, 2007 1:25 PM
To: ccielab@groupstudy.com
Subject: DMVPN with or without IPSec Transport mode

Hi all,

First of all, sorry for off-topic.

I would like to know, if you configure DMVPN, whether it is necessary to
configure IPSec in "transport" mode. In my situation, some spoke sites
are behind a NAT device.
However, NAT is configured 1:1 statically with a FW.
I see some CCO Docs explain that it must use "transport" but I really
don't understand why...

Thanks in advance.

Tomimma



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART