Hello Kim
As Tyson mentioned, the NAT-T protocol was designed to negotiate and check
whether there is any need for UDP encapsulation. If there is no PAT in the
transit path, it will not try to encapsulate the VPN traffic in a UDP
transport. This is one of the major advantages of NAT-T over IPSec over UDP.
Another advantage is that NAT-T is an open standard and is not proprietary
like IPSec over UDP. This is covered in more detail in Richard Deal's VPN
book.
"Cisco products have three separate solutions....... Of the three solutions,
IPsec over UDP and IPsec over TCP are proprietary to Cisco. With IPsec over
UDP, a standard UDP header is *always* inserted after the outer IP header
and before the ESP header. This solves the address translation issue for
PAT; however, the device is always performing this process even if no
address translation device resides between the two IPsec peers performing
PAT. The main problem of the Cisco UDP is that you always have the overhead
of the UDP segment even if no address translation is occurring"
p. 125, Deal, The Complete Cisco VPN Configuration Guide
I hope this explains why you are seeing this behavior.
Regards
Farrukh
On Fri, Jan 22, 2010 at 6:59 PM, Kim Teu Teu Kim Loon <kim.teu_at_gmail.com>
wrote:
> Thanks Tyson for your advice. I should have included more info. I am trying
> to get an understanding of the protocol behavior.
>
> The client is coming from a public IP 137.65.x.x address behind an FWSM with
> no NAT enabled. Are you saying that in this case the VPN client would not
> try to connect via UDP 4500? If we didn't have IPSec over UDP 10000 enabled,
> it will default to ESP. If we have IPSec over UDP 10000 enabled, will this be
> the default? Am I right?
>
> Thanks.
> Amituofo, Amitabha
> Kim
>
>
> -----Original Message-----
> From: Tyson Scott [mailto:tscott_at_ipexpert.com]
> Sent: Friday, January 22, 2010 9:47 AM
> To: 'Kim Teu Teu Kim Loon'; 'Farrukh Haroon'
> Cc: security_at_groupstudy.com; ccielab_at_groupstudy.com
> Subject: RE: NAT-T, IPSec over UDP 10000 & TCP 10000 - remote access VPN
>
> Kim,
>
> Going back to the original post, it will do you well to add more info in the
> future. Is the actual client behind the FWSM being NAT'ed? You have never
> given information about whether this is the case or not. If the client is
> using public address space, or private address space that you route between
> the two sites, then just because it is behind a firewall does not make the
> client attempt to connect via UDP 4500.
>
> Doing things like adding debug output, giving source/destination data, and
> listing the steps you have taken will isolate the problem and make it more
> likely that you will get an answer that will help you. A "debug crypto isakmp
> <somewhere between 127 and 255>" on the VPN hub would be a really good place
> to start.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Kim Teu Teu Kim Loon
> Sent: Friday, January 22, 2010 10:21 AM
> To: 'Farrukh Haroon'
> Cc: security_at_groupstudy.com; ccielab_at_groupstudy.com
> Subject: RE: NAT-T, IPSec over UDP 10000 & TCP 10000 - remote access VPN
>
> Yes, NAT-T UDP 4500 and IPSec over UDP are working fine. I also have the
> "IPSEC over UDP"/NAT-T option on the VPN client enabled. My question is
> when one protocol would be used over the other.
>
> Thanks.
>
> Kim
>
> _____
>
> From: Farrukh Haroon [mailto:farrukhharoon_at_gmail.com]
> Sent: Friday, January 22, 2010 4:55 AM
> To: Kim Teu Teu Kim Loon
> Cc: security_at_groupstudy.com; ccielab_at_groupstudy.com
> Subject: Re: NAT-T, IPSec over UDP 10000 & TCP 10000 - remote access VPN
>
>
>
> Did you enable the "IPSEC over UDP"/NAT-T option on the VPN client? You just
> have to check an option in the VPN client properties.
>
> On Fri, Jan 22, 2010 at 12:22 AM, Kim Teu Teu Kim Loon
> <kim.teu_at_gmail.com> wrote:
>
> Hello Expert,
> When NAT-T, IPSec over UDP 10000 & TCP 10000 are enabled, what's the order
> of operation? Is NAT-T always the priority?
>
> I have an ASA VPN head end with Remote Access VPN configured and NAT-T
> enabled.
>
> A PC user with the Cisco VPN client at a remote site behind an FWSM is having
> problems connecting using UDP 4500. The connection is going over IP protocol
> 50. It only works when I enable IPSec over UDP 10000 or allow IP protocol 50
> inbound.
>
> The client site firewall has outbound permit any any.
>
> Any idea why?
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
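To make the behaviour discussed in this thread concrete, below is an added Python model (not code from the thread, from Cisco, or from Deal's book) of the RFC 3947 NAT-D check that NAT-T performs, followed by the transport each outcome lands on: raw ESP (IP protocol 50) when no translation is detected, RFC 3948 ESP-in-UDP on port 4500 when it is, and a UDP header on the configured port regardless of NAT when Cisco's IPsec over UDP (port 10000 by default) is enabled, which is the precedence the thread describes. The head-end address 198.51.100.1, the client addresses (137.65.1.1 standing in for Kim's 137.65.x.x, and 10.0.0.5 behind PAT appearing as 203.0.113.7:41234), the ISAKMP cookies, the SPI and the ciphertext bytes are all constructed for the example, SHA-1 is assumed as the negotiated hash, and no real encryption or IKE message framing is performed.

```python
"""Added example: RFC 3947 NAT detection and the resulting IPsec transport.
All addresses, cookies and payload bytes below are constructed; this is a
model of the protocol decision, not an IKE implementation."""
import hashlib
import socket
import struct

ESP_PROTO = 50      # raw ESP, what the thread saw with no NAT and no IPsec-over-UDP
UDP_PROTO = 17
NAT_T_PORT = 4500   # RFC 3948 ESP-in-UDP
IKE_PORT = 500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed as the negotiated Phase 1 hash; IPv4 only."""
    return hashlib.sha1(
        cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    ).digest()


def nat_in_path(cky_i, cky_r, peer_src, peer_dst, seen_src, seen_dst):
    """Receiver side of the NAT-D comparison.

    peer_src / peer_dst: the (ip, port) pairs the peer believes its packet
    carries, which it hashed into the NAT-D payloads it sent.
    seen_src / seen_dst: what the receiver actually observes on the wire.
    Any mismatch means a device rewrote an address or port, so UDP
    encapsulation is needed; if everything matches, no PAT is in the path."""
    sent = [nat_d_hash(cky_i, cky_r, *peer_src), nat_d_hash(cky_i, cky_r, *peer_dst)]
    seen = [nat_d_hash(cky_i, cky_r, *seen_src), nat_d_hash(cky_i, cky_r, *seen_dst)]
    return sent != seen


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the encrypted body.
    Encryption is out of scope here; ciphertext is a constructed byte string."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encap(port: int, esp: bytes) -> bytes:
    """Prepend a UDP header (src = dst = port, zero checksum, allowed for IPv4)."""
    return struct.pack("!HHHH", port, port, 8 + len(esp), 0) + esp


def choose_transport(esp: bytes, nat_present: bool, cisco_udp_port=None):
    """Return (ip_protocol, udp_port or None, wire payload).  Precedence as the
    thread describes it (assumed): a configured IPsec-over-UDP port always adds
    the UDP header; otherwise NAT-T adds one only when NAT was detected;
    otherwise the ESP packet goes out as IP protocol 50."""
    if cisco_udp_port is not None:
        return UDP_PROTO, cisco_udp_port, udp_encap(cisco_udp_port, esp)
    if nat_present:
        # RFC 3948: ESP sits directly after the UDP header.  Its non-zero SPI is
        # what lets the peer tell it apart from IKE on 4500, which starts with a
        # four-byte zero Non-ESP Marker.
        return UDP_PROTO, NAT_T_PORT, udp_encap(NAT_T_PORT, esp)
    return ESP_PROTO, None, esp


def negotiate(client_ip, client_port, seen_ip, seen_port, cisco_udp_port=None):
    """One client / head-end exchange: the client hashes what it thinks its
    source is; the head end compares that with what actually arrived."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8      # constructed ISAKMP cookies
    headend = ("198.51.100.1", IKE_PORT)        # constructed ASA address
    nat = nat_in_path(cky_i, cky_r,
                      peer_src=(client_ip, client_port), peer_dst=headend,
                      seen_src=(seen_ip, seen_port), seen_dst=headend)
    esp = build_esp(spi=0x1234ABCD, seq=1, ciphertext=b"\xaa" * 16)
    proto, port, wire = choose_transport(esp, nat, cisco_udp_port)
    return {"nat": nat, "proto": proto, "port": port, "len": len(wire)}


# Kim's case: a public 137.65.x.x client behind an FWSM that does not translate.
NO_NAT = negotiate("137.65.1.1", 500, "137.65.1.1", 500)
# The same client once IPsec over UDP on port 10000 is enabled on the profile.
CISCO_UDP = negotiate("137.65.1.1", 500, "137.65.1.1", 500, cisco_udp_port=10000)
# A client on RFC 1918 space behind PAT: its source is rewritten on the way out.
PAT = negotiate("10.0.0.5", 500, "203.0.113.7", 41234)

if __name__ == "__main__":
    for name, r in (("no NAT", NO_NAT), ("IPsec over UDP", CISCO_UDP), ("PAT", PAT)):
        print(f"{name:15} nat={r['nat']!s:5} proto={r['proto']} port={r['port']} bytes={r['len']}")
```

Running it shows the three paths the thread argues about: the untranslated public client ends up on protocol 50 with a 24-byte ESP packet, the same client with IPsec over UDP enabled carries an extra 8-byte UDP header on port 10000 even though no NAT was detected, and only the PAT'ed client is encapsulated on UDP 4500. A firewall in front of the client that permits "any any" outbound but drops protocol 50 inbound is therefore exactly the situation where enabling IPsec over UDP, or allowing ESP inbound, makes the tunnel come up.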
Received on Fri Jan 22 2010 - 22:29:58 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART