VPN concentrator/Cisco VPN client and UDP

Discussion in 'Cisco' started by mikester, Feb 6, 2004.

  1. mikester

    mikester Guest

    We have a Cisco VPN concentrator that we use to connect to our
    network. The location of our concentrator dictates that we must use
    UDP to create our ipsec tunnel (firewall in the path).

    This means we aren't using AH and ESP is configured to be the method
    of encryption. My question is that in the UDP only configuration what
    is the anti replay safety measure used and is this implementation
    based on an RFC or is it simply Cisco's way around VPN through PAT?

    Thanks,

    The mikester
     
    mikester, Feb 6, 2004
    #1

  2. In article <>,
    mikester <> wrote:
    :We have a Cisco VPN concentrator that we use to connect to our
    :network. The location of our concentrator dictates that we must use
    :UDP to create our ipsec tunnel (firewall in the path).

    :This means we aren't using AH and ESP is configured to be the method
    :of encryption. My question is that in the UDP only configuration what
    :is the anti replay safety measure used and is this implementation
    :based on an RFC or is it simply Cisco's way around VPN through PAT?

    Are you using NAT-T (NAT Traversal)? UDP 4500? If you are,
    then you can enable AH if you want: AH will be encapsulated as well.

    Cisco's NAT-T is based upon an IETF draft standard,
    http://www.ietf.org/html.charters/ipsec-charter.html
    --
    Warning: potentially contains traces of nuts.
     
    Walter Roberson, Feb 6, 2004
    #2

  3. mikester

    mikester Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<c00jma$52$>...
    > In article <>,
    > mikester <> wrote:
    > :We have a Cisco VPN concentrator that we use to connect to our
    > :network. The location of our concentrator dictates that we must use
    > :UDP to create our ipsec tunnel (firewall in the path).
    >
    > :This means we aren't using AH and ESP is configured to be the method
    > :of encryption. My question is that in the UDP only configuration what
    > :is the anti replay safety measure used and is this implementation
    > :based on an RFC or is it simply Cisco's way around VPN through PAT?
    >
    > Are you using NAT-T (NAT Traversal)? UDP 4500? If you are,
    > then you can enable AH if you want: AH will be encapsulated as well.
    >
    > Cisco's NAT-T is based upon an IETF draft standard,
    > http://www.ietf.org/html.charters/ipsec-charter.html


    Walter,

    No, it isn't NAT-T. I am using ISAKMP (UDP 500) and UDP 10000 for IPSEC
    over UDP as configured in the VPN Concentrator on the group "client
    config" menu. 10000 is a user configurable port - I'm using the
    default entry.

    This is the description:

    Check to allow a client to operate through a NAT device using UDP
    encapsulation of ESP.

    It seems to be working as desired but I need to find some
    documentation to support it.

    I'm looking in the CCSP documentation and of course Cisco's website
    now. Any leads though are appreciated.

    -Mike
     
    mikester, Feb 6, 2004
    #3
  4. In article <>,
    mikester <> wrote:
    :No, it isn't NAT-T. I am using ISAKMP (UDP 500) and UDP 10000 for IPSEC
    :over UDP as configured in the VPN Concentrator on the group "client
    :config" menu. 10000 is a user configurable port - I'm using the
    :default entry.

    :This is the description:

    :Check to allow a client to operate through a NAT device using UDP
    :encapsulation of ESP.

    :It seems to be working as desired but I need to find some
    :documentation to support it.

    It uses regular IPSec protection methods.

    http://www.cisco.com/warp/public/471/nat_trans.pdf

    The UDP encapsulation that you are using is, though, a Cisco extension.
    UDP 4500 is the port that would be used if you were using the
    IETF draft standard to negotiate NAT-T. (NAT-T has additional
    features to negotiate AH and detect the place(s) at which NAT
    is taking place.)

    You can deduce the above from
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/lin_sol/install.htm


    If you are running a Linux firewall (for example, ipchains or
    iptables), be sure that the following types of traffic are allowed
    to pass through:

    UDP port 500
    UDP port 10000 (or any other port number being used for IPSec/UDP)
    IP protocol 50 (ESP)
    TCP port configured for IPSec/TCP
    NAT-T (Standards-Based NAT Transparency) port 4500

    and by omission, one can see that UDP 10000 is not standards-based.
    --
    Can a statement be self-referential without knowing it?
     
    Walter Roberson, Feb 6, 2004
    #4
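    As an added illustration (not part of the thread), the "regular IPSec protection" Walter refers to for anti-replay is ESP's 32-bit sequence number checked against a receiver sliding window (RFC 4303 Appendix A); it is unaffected by whether the ESP packet rides directly in IP, in Cisco's IPSec/UDP on port 10000, or in NAT-T on port 4500. The packets below are constructed, the SPI 0x1234 is made up, and the window size of 64 is an assumption.

```python
import struct

WINDOW = 64  # RFC 4303 requires at least 32; 64 is a common receiver default (assumed here)

class EspReplayWindow:
    """Sliding anti-replay window for one inbound ESP SA (RFC 4303 App. A, 32-bit seq)."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) has been received

    def check_and_update(self, seq):
        """Accept (True) and record seq if it is new and inside the window, else reject."""
        if seq == 0:
            return False                  # seq 0 is never transmitted on a 32-bit SA
        if seq > self.top:                # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                  # too old: fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return False                  # already seen: replay
        self.bitmap |= 1 << offset
        return True

def parse_udp_esp(payload, port):
    """Return (spi, seq) from the UDP payload of an encapsulated ESP datagram.
    Both Cisco IPSec/UDP (port 10000) and NAT-T (RFC 3948, port 4500) put the ESP
    header right after the UDP header; on 4500 a 4-byte zero 'non-ESP marker'
    means the datagram carries IKE instead, so None is returned."""
    if len(payload) < 8:
        return None
    spi, seq = struct.unpack("!II", payload[:8])
    if port == 4500 and spi == 0:
        return None
    return spi, seq

def filter_replays(datagrams):
    """Run (port, payload) datagrams through a per-SPI window; return [(seq, accepted)]."""
    windows, results = {}, []
    for port, payload in datagrams:
        hdr = parse_udp_esp(payload, port)
        if hdr is None:
            continue                      # IKE on 4500 (or runt): not ESP, nothing to check
        spi, seq = hdr
        results.append((seq, windows.setdefault(spi, EspReplayWindow()).check_and_update(seq)))
    return results

def esp(spi, seq):
    return struct.pack("!II", spi, seq) + b"\x00" * 16   # constructed: dummy ciphertext

SAMPLE = [(10000, esp(0x1234, 1)), (10000, esp(0x1234, 2)), (10000, esp(0x1234, 2)),
          (10000, esp(0x1234, 100)), (10000, esp(0x1234, 50)), (10000, esp(0x1234, 30)),
          (10000, esp(0x1234, 50)), (4500, esp(0, 0) + b"IKE")]  # last one: NAT-T IKE marker
```

Sequence 2 and the second 50 are rejected as replays, 30 is rejected as older than the window, and the port-4500 datagram with the zero marker is skipped as IKE.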
  5. > No, it isn't NAT-T. I am using ISAKMP (UDP 500) and UDP 10000 for IPSEC
    > over UDP as configured in the VPN Concentrator on the group "client
    > config" menu. 10000 is a user configurable port - I'm using the
    > default entry.


    This is based on an early (expired) draft before the port-float to 4500
    was included in the design. Concentrator/client versions above 3.6 support
    the current draft, with backwards compatibility for the udp/500+udp/10000
    traffic. The new version works a lot better because the IKE keepalives are
    now sent over the same socket pair as the data connection so they actually,
    you know, keep your connection alive.

    --
    Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation
     
    Eric Sorenson, Feb 8, 2004
    #5
