VPN Ports using TCP

Discussion in 'Cisco' started by David, Nov 7, 2003.

  1. David

    David Guest

    I am about to install a 3000 series concentrator and move the VPN groups
    that are currently on our PIX to the new box. I have had to have the
    network group at one of our larger clients open up the required set of ports
    which we use with our current implementation. They have stated, with backup
    from their Cisco rep, that this should not be required if we were on the
    latest revision of the VPN. I assume from this that I will be able to set
    this up so that the client can use the "Use IPSec over TCP" option. Where
    can I find exactly what ports need to be available for this new version to
    work? What we currently need is listed below:

    IP Protocol ID 50 - Encapsulating Security Protocol (ESP)
    IP Protocol ID 51 - Authentication Header (AH)
    UDP Port 500 - ISAKMP

    I note that none of the messages that I have viewed on this site seem to
    indicate that the newer connection method is the magic bullet that my
    customer seems to be convinced that it is.
     
    David, Nov 7, 2003
    #1

  2. :I am about to install a 3000 series concentrator and move the VPN groups
    :that are currently on our PIX to the new box. I have had to have the
    :network group at one of our larger clients open up the required set of ports
    :which we use with our current implementation. They have stated, with backup
    :from their Cisco rep, that this should not be required if we were on the
    :latest revision of the VPN. I assume from this that I will be able to set
    :this up so that the client can use the "Use IPSec over TCP" option.

    I haven't used the VPN concentrator, and it doesn't get discussed
    as frequently here, so I can't answer about the IPSec over TCP
    possibility.

    : Where
    :can I find exactly what ports need to be available for this new version to
    :work? What we currently need is listed below:

    :IP Protocol ID 50 - Encapsulating Security Protocol (ESP)
    :IP Protocol ID 51 - Authentication Header (AH)
    :UDP Port 500 - ISAKMP

    Try adding UDP 4500. The new NAT-T (Transparent NAT) facility
    needs UDP 4500 as soon as it detects that both ends support it
    (part of the initial IKE frame.)
     
    Walter Roberson, Nov 7, 2003
    #2

  3. David

    David Guest

    I may have hit "reply" as opposed to "Reply to group" when I sent this the
    first time...

    I spent an hour looking for this last night with no success, about 2 minutes
    this morning and nailed it. This is from the Series 3000 Release Notes,
    under "New Features in Release 3.5":

    IPSec over TCP
    IPSec over TCP encapsulates encrypted data traffic within TCP packets. This
    feature enables the VPN 3000 Concentrator to operate in an environment in
    which standard Encapsulating Security Protocol (ESP, Protocol 50) or
    Internet Key Exchange (IKE, UDP 500) cannot function, or can function only
    with modification to existing firewall rules. IPSec over TCP encapsulates
    both the IKE and IPSec protocols within a TCP packet, and enables secure
    tunneling through both NAT and PAT devices and firewalls. This feature does
    not work with proxy-based firewalls.

    To use IPSec over TCP, the VPN 3002, the VPN Client, and the Concentrator to
    which it connects must be running version 3.5 software. The VPN 3002
    Hardware Client and the VPN Client, which support one session at a time, can
    connect using standard IPSec, IPSec over TCP, or IPSec over UDP.
     
    David, Nov 7, 2003
    #3

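The thread boils down to three firewall profiles: the native IPsec set David's PIX needs (IP protocol 50, IP protocol 51, UDP 500), Walter's NAT-T case (UDP 4500 once both peers advertise it in IKE), and the Release 3.5 "IPSec over TCP" mode, where IKE and IPsec both ride inside one TCP stream. The script below is an added example written for this thread; it is not Cisco's code or configuration. It compares a client firewall's allow-list against what each mode requires and then scans a constructed firewall deny log to show which VPN transport is being dropped. The TCP port for IPsec over TCP is configurable on the concentrator; 10000 is assumed here as the default, and the log line format is invented for the example.

```python
import re
from collections import Counter

# IP protocol numbers and ports quoted in the thread.
ESP = ("ip", 50)        # Encapsulating Security Payload, IP protocol 50
AH = ("ip", 51)         # Authentication Header, IP protocol 51
ISAKMP = ("udp", 500)   # IKE / ISAKMP
NAT_T = ("udp", 4500)   # NAT Traversal: IKE and ESP carried inside UDP 4500
DEFAULT_TCP_PORT = 10000  # assumed default for "IPSec over TCP"; it is configurable


def required_rules(mode, tcp_port=DEFAULT_TCP_PORT):
    """Return the set of (protocol, number) pairs a firewall must permit for `mode`."""
    if mode == "ipsec":
        # Native IPsec as on the poster's PIX: IKE plus ESP/AH as raw IP protocols.
        return {ISAKMP, ESP, AH}
    if mode == "nat-t":
        # Walter's point: once both peers advertise NAT-T in IKE, traffic moves
        # to UDP 4500. ESP is kept because native ESP is still used when no NAT
        # is detected on the path (assumption based on how NAT-T negotiates).
        return {ISAKMP, NAT_T, ESP}
    if mode == "ipsec-over-tcp":
        # Release-note behaviour: IKE and IPsec both ride in one TCP stream,
        # so only that TCP port has to be open.
        return {("tcp", tcp_port)}
    raise ValueError(f"unknown mode {mode!r}")


def missing_rules(allowed, mode, tcp_port=DEFAULT_TCP_PORT):
    """Pairs required by `mode` that the allow-list `allowed` does not contain."""
    return sorted(required_rules(mode, tcp_port) - set(allowed))


def classify(proto, dport=None, tcp_port=DEFAULT_TCP_PORT):
    """Map a packet (protocol name or IP protocol number, dport) to a VPN transport."""
    key = ("ip", int(proto)) if proto.isdigit() else (proto.lower(), dport)
    names = {
        ESP: "ESP",
        AH: "AH",
        ISAKMP: "IKE/ISAKMP",
        NAT_T: "NAT-T",
        ("tcp", tcp_port): "IPsec over TCP",
    }
    return names.get(key)


# Constructed deny log in an invented format: proto is either a transport name
# with a dport, or a bare IP protocol number.
SAMPLE_LOG = """\
Nov  7 08:12:01 fw DENY proto=udp src=10.1.1.5 dst=198.51.100.7 dport=4500
Nov  7 08:12:03 fw DENY proto=udp src=10.1.1.5 dst=198.51.100.7 dport=4500
Nov  7 08:12:05 fw DENY proto=50 src=10.1.1.5 dst=198.51.100.7
Nov  7 08:12:09 fw DENY proto=tcp src=10.1.1.9 dst=203.0.113.2 dport=80
Nov  7 08:12:11 fw ALLOW proto=udp src=10.1.1.5 dst=198.51.100.7 dport=500
"""

LOG_RE = re.compile(
    r"DENY proto=(?P<proto>\w+) src=\S+ dst=\S+(?: dport=(?P<dport>\d+))?"
)


def blocked_vpn_traffic(log_text, tcp_port=DEFAULT_TCP_PORT):
    """Count denied packets per VPN transport; denies unrelated to IPsec are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m["dport"]) if m["dport"] else None
        label = classify(m["proto"], dport, tcp_port)
        if label:
            counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    current = [ISAKMP, ESP, AH]  # the allow-list David's client opened today
    for mode in ("ipsec", "nat-t", "ipsec-over-tcp"):
        print(f"{mode}: missing {missing_rules(current, mode)}")
    print("blocked VPN traffic:", blocked_vpn_traffic(SAMPLE_LOG))
```

Run against the allow-list from the first post, the "nat-t" mode reports UDP 4500 as the only gap and "ipsec-over-tcp" reports only the TCP port, which is the trade-off the client's Cisco rep was describing: fewer rules on their side, but a different single rule, not none. The log scan is the check to run when a client reports failures after the cut-over; repeated denies on UDP 4500 with IKE on UDP 500 allowed are the signature of the NAT-T gap Walter describes.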