Velocity Reviews - Computer Hardware Reviews

VPN concentrator/Cisco VPN client and UDP

 
 
mikester
02-06-2004
We have a Cisco VPN concentrator that we use to connect to our
network. The location of our concentrator dictates that we must use
UDP to create our ipsec tunnel (firewall in the path).

This means we aren't using AH and ESP is configured to be the method
of encryption. My question is that in the UDP only configuration what
is the anti replay safety measure used and is this implementation
based on an RFC or is it simply Cisco's way around VPN through PAT?

Thanks,

The mikester
 
Walter Roberson
02-06-2004
In article <(E-Mail Removed) >,
mikester <(E-Mail Removed)> wrote:
:We have a Cisco VPN concentrator that we use to connect to our
:network. The location of our concentrator dictates that we must use
:UDP to create our ipsec tunnel (firewall in the path).

:This means we aren't using AH and ESP is configured to be the method
:of encryption. My question is that in the UDP only configuration what
:is the anti replay safety measure used and is this implementation
:based on an RFC or is it simply Cisco's way around VPN through PAT?

Are you using NAT-T (NAT Traversal)? UDP 4500? If you are,
then you can enable AH if you want: AH will be encapsulated as well.

Cisco's NAT-T is based upon an IETF draft standard,
http://www.ietf.org/html.charters/ipsec-charter.html
--
Warning: potentially contains traces of nuts.
 
mikester
02-06-2004
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<c00jma$52$(E-Mail Removed)>...
> In article <(E-Mail Removed) >,
> mikester <(E-Mail Removed)> wrote:
> :We have a Cisco VPN concentrator that we use to connect to our
> :network. The location of our concentrator dictates that we must use
> :UDP to create our ipsec tunnel (firewall in the path).
>
> :This means we aren't using AH and ESP is configured to be the method
> :of encryption. My question is that in the UDP only configuration what
> :is the anti replay safety measure used and is this implementation
> :based on an RFC or is it simply Cisco's way around VPN through PAT?
>
> Are you using NAT-T (NAT Traversal)? UDP 4500? If you are,
> then you can enable AH if you want: AH will be encapsulated as well.
>
> Cisco's NAT-T is based upon an IETF draft standard,
> http://www.ietf.org/html.charters/ipsec-charter.html


Walter,

No, it isn't NAT-T. I am using ISAKMP (UDP 500) and UDP 10000 for IPSEC
over UDP as configured in the VPN Concentrator on the group "client
config" menu. 10000 is a user configurable port - I'm using the
default entry.

This is the description:

Check to allow a client to operate through a NAT device using UDP
encapsulation of ESP.

It seems to be working as desired but I need to find some
documentation to support it.

I'm looking in the CCSP documentation and of course Cisco's website
now. Any leads though are appreciated.

-Mike
 
Walter Roberson
02-06-2004
In article <(E-Mail Removed) >,
mikester <(E-Mail Removed)> wrote:
:No, it isn't NAT-T. I am using ISAKMP (UDP 500) and UDP 10000 for IPSEC
:over UDP as configured in the VPN Concentrator on the group "client
:config" menu. 10000 is a user configurable port - I'm using the
:default entry.

:This is the description:

:Check to allow a client to operate through a NAT device using UDP
:encapsulation of ESP.

:It seems to be working as desired but I need to find some
:documentation to support it.

It uses regular IPSec protection methods.

http://www.cisco.com/warp/public/471/nat_trans.pdf

The UDP encapsulation that you are using is, though, a Cisco extension.
UDP 4500 is the port that would be used if you were using the
IETF draft standard to negotiate NAT-T. (NAT-T has additional
features to negotiate AH and detect the place(s) at which NAT
is taking place.)

You can deduce the above from
http://www.cisco.com/univercd/cc/td/...ol/install.htm


If you are running a Linux firewall (for example, ipchains or
iptables), be sure that the following types of traffic are allowed
to pass through:

UDP port 500
UDP port 10000 (or any other port number being used for IPSec/UDP)
IP protocol 50 (ESP)
TCP port configured for IPSec/TCP
NAT-T (Standards-Based NAT Transparency) port 4500

and by omission, one can see that UDP 10000 is not standards-based.
--
Can a statement be self-referential without knowing it?
 
 
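Walter's "regular IPSec protection methods" answers the original anti-replay question only by implication: whether the ESP packet rides inside UDP/10000 or UDP/4500, the receiver's defence is still the 32-bit ESP sequence number checked against a sliding window. The Python below is an added example, not code from this thread, from Cisco or from the concentrator. It models the framing on the standards-based NAT-T port (UDP 4500, RFC 3948: a four-byte zero "non-ESP marker" before IKE, a one-byte 0xFF NAT keepalive, otherwise a raw ESP header) and runs constructed ESP headers through an RFC 4303-style 64-entry anti-replay window, one window per SPI. The Cisco UDP/10000 encapsulation is not modelled because the thread does not describe its on-the-wire format. Every datagram, SPI and sequence number is constructed, and the window assumes the ESP integrity check has already passed, as RFC 4303 requires before a packet may advance the window.

```python
"""Added example, not code from the thread, from Cisco or from the
concentrator: RFC 3948 framing on the standards-based NAT-T port (UDP 4500)
plus an RFC 4303-style ESP anti-replay window. All packets are constructed."""
import struct

WINDOW_SIZE = 64  # RFC 4303: a receiver MUST support 32, SHOULD support 64


def classify_udp4500(payload: bytes):
    """Classify one UDP/4500 datagram payload per RFC 3948.

    Returns (kind, spi, seq) where kind is 'keepalive', 'ike' or 'esp';
    spi and seq are only set for ESP. ESP SPI 0 is reserved, which is
    what lets the 4-byte zero "non-ESP marker" unambiguously flag IKE.
    """
    if payload == b"\xff":
        return ("keepalive", None, None)          # NAT keepalive, 1 byte
    if payload[:4] == b"\x00\x00\x00\x00":
        return ("ike", None, None)                # non-ESP marker + IKE header
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])  # SPI, 32-bit sequence number
    return ("esp", spi, seq)


class AntiReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 4303 section 3.4.3).

    The window is a bitmap over the `size` most recent sequence numbers.
    Assumes the ESP ICV was already verified for every packet offered here.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' (already seen) or 'stale' (left of window)."""
        if seq == 0:
            return "stale"             # 0 is never a valid ESP sequence number
        if seq > self.top:
            shift = seq - self.top     # slide the window to the right
            if shift >= self.size:
                self.bitmap = 1        # everything previously seen drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"             # too old to verify: drop
        if self.bitmap & (1 << diff):
            return "replay"            # already seen: drop and alert
        self.bitmap |= 1 << diff       # late but new: mark and accept
        return "accept"


def esp_packet(spi: int, seq: int) -> bytes:
    """Build a constructed ESP-in-UDP payload; the 16 bytes after the header
    stand in for the encrypted payload and ICV and are not inspected."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def run_receiver(datagrams, window_size=WINDOW_SIZE):
    """Push UDP/4500 payloads through classification and per-SA replay checks.

    Returns a list of (kind, spi, seq, verdict); verdict is None for
    keepalive and IKE frames, which carry no ESP sequence number.
    """
    windows = {}   # one window per inbound SA, keyed by SPI
    out = []
    for payload in datagrams:
        kind, spi, seq = classify_udp4500(payload)
        verdict = None
        if kind == "esp":
            win = windows.setdefault(spi, AntiReplayWindow(window_size))
            verdict = win.check_and_update(seq)
        out.append((kind, spi, seq, verdict))
    return out


def verdict_counts(results):
    """Tally accept/replay/stale verdicts for a quick detection summary."""
    counts = {"accept": 0, "replay": 0, "stale": 0}
    for _, _, _, verdict in results:
        if verdict is not None:
            counts[verdict] += 1
    return counts


# Constructed traffic for one client: a keepalive, an IKE packet, then ESP
# arriving in order, out of order, replayed, and far ahead of the window.
SA = 0x1000
SAMPLE_DATAGRAMS = [
    b"\xff",                                   # NAT keepalive
    b"\x00\x00\x00\x00" + b"\x11" * 28,        # non-ESP marker + IKE header
    esp_packet(SA, 1), esp_packet(SA, 2),
    esp_packet(SA, 2),                         # replay of seq 2
    esp_packet(SA, 5), esp_packet(SA, 3),      # reordered but new
    esp_packet(SA, 3),                         # replay of seq 3
    esp_packet(SA, 100),                       # jumps the window forward
    esp_packet(SA, 30),                        # now older than the window
    esp_packet(SA, 37),                        # still inside the window
    esp_packet(0x2000, 1),                     # a second SA has its own window
]

if __name__ == "__main__":
    for kind, spi, seq, verdict in run_receiver(SAMPLE_DATAGRAMS):
        print(f"{kind:9} spi={spi!r:<8} seq={seq!r:<5} {verdict}")
    print(verdict_counts(run_receiver(SAMPLE_DATAGRAMS)))
```

Run it as a script to see each constructed datagram's verdict. Two points the table on the page does not show: a duplicate sequence number is rejected even when the original arrived out of order, and once the window has jumped ahead an older-than-window packet is dropped as stale rather than replayed, which is why a burst of stale drops on a real SA usually means reordering or loss, while replay drops are the ones worth alerting on.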
Eric Sorenson
02-08-2004
> No, it isn't NAT-T. I am using ISAKMP (UDP 500) and UDP 10000 for IPSEC
> over UDP as configured in the VPN Concentrator on the group "client
> config" menu. 10000 is a user configurable port - I'm using the
> default entry.


This is based on an early (expired) draft before the port-float to 4500
was included in the design. Concentrator/client versions above 3.6 support
the current draft, with backwards compatibility for the udp/500+udp/10000
traffic. The new version works a lot better because the IKE keepalives are
now sent over the same socket pair as the data connection so they actually,
you know, keep your connection alive.

--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
 