Transparent Tunnelling IPSec Client VPN

Just watching Brian's IOS Easy VPN Server video and something's confused me. He talks about transparent tunneling, and specifically says this one line that confused me.

"When transparent tunneling is inactive, this means that we are gonna be sending the traffic natively over esp, it's not encap'd in udp or tcp"


So what, there is no layer 4 header at all? I know ISAKMP uses UDP port 500, so I can't get my head around him saying there is no encapsulation in UDP or TCP. I just can't put 2 and 2 together, can someone explain?  


Also what is the default, inactive or active?


  • Hi sg4rb0,

    nice name btw...

    VPN will use UDP 500 for phase 1 and ESP for phase two. ESP does not have ports, therefore it does not play around with NAT. That is why VPN devices have NAT-T: they will identify that you are behind a NAT and use UDP 4500 for Phase 2.

    OK, with that in mind, let's say that you have an old firewall that does not do application inspection. On the VPN negotiation you are going to start receiving traffic on port UDP 4500 all of a sudden. The firewall will drop this UDP 4500 if it does not have an ACL for it.

    Now is where the real transparent tunnel happens:
    Let's say that we know that the firewall in the middle is causing us a problem; the solution is to use the transparent tunnel. Most of these firewalls will open ports for you in a TCP inspection way. Let's say you leave on port 23 (telnet); it will open it back for you on port 23.

    We can configure the headend to use a TCP port to tunnel the VPN. The default one is 10000:
    crypto ikev1 ipsec-over-tcp port xxx
    crypto ctcp port xxxx

    PS: NAT-T is enabled by default and the TCP one is not.

    I hope that helps.

    ref for you:
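To make the distinction in the reply concrete (native ESP as IP protocol 50 with no UDP/TCP header, versus IKE on UDP 500, NAT-T on UDP 4500, and IPsec over TCP), here is an added example, not from the video or the post, that classifies constructed IPv4 packets the way a firewall ACL would have to. It assumes the post's default cTCP port 10000 and the NAT-T convention that IKE on UDP 4500 is prefixed by a 4-byte zero non-ESP marker while UDP-encapsulated ESP is not.

```python
import struct

ESP_PROTO, UDP_PROTO, TCP_PROTO = 50, 17, 6
IKE_PORT, NAT_T_PORT = 500, 4500
CTCP_PORT = 10000  # default from the post; assumed for this example

def classify(packet: bytes) -> str:
    """Say how an IPv4 packet carries IKE/IPsec: the L4 header is what an ACL sees."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # IPv4 protocol field
    payload = packet[ihl:]
    if proto == ESP_PROTO:
        # Native ESP: SPI + sequence number follow the IP header directly, no ports.
        return "native ESP (IP proto 50, no UDP/TCP header)"
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return "IKE/ISAKMP over UDP 500"
        if NAT_T_PORT in (sport, dport):
            # NAT-T: IKE carries a 4-byte zero non-ESP marker; ESP does not.
            if payload[8:12] == b"\x00\x00\x00\x00":
                return "IKE over UDP 4500 (NAT-T, non-ESP marker)"
            return "UDP-encapsulated ESP on 4500 (NAT-T)"
    if proto == TCP_PROTO:
        sport, dport = struct.unpack("!HH", payload[:4])
        if CTCP_PORT in (sport, dport):
            return "IPsec over TCP 10000 (cTCP transparent tunnel)"
    return "other"

# --- constructed sample packets (not captured traffic) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1])) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) + data

ESP_BODY = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16   # SPI, seq, ciphertext
ISAKMP = b"\x11" * 8 + b"\x22" * 8 + b"\x00" * 12             # fake IKE header bytes
SAMPLES = {
    "esp":   ipv4(ESP_PROTO, ESP_BODY),
    "ike":   ipv4(UDP_PROTO, udp(IKE_PORT, IKE_PORT, ISAKMP)),
    "natt":  ipv4(UDP_PROTO, udp(NAT_T_PORT, NAT_T_PORT, ESP_BODY)),
    "ike45": ipv4(UDP_PROTO, udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 4 + ISAKMP)),
    "ctcp":  ipv4(TCP_PROTO, tcp(40000, CTCP_PORT, ESP_BODY)),
}
```

Running `classify` over `SAMPLES` shows why a port-based ACL that only permits UDP 500 drops both native ESP and NAT-T, and why the TCP port is the one that a stateful "tcp inspection" firewall opens by itself.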
