Cisco Systems ASA5515K9, ASA 5500 Enabling IPsec with IKEv1 over TCP

64-15

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter64 Configuring IPsec and ISAKMP

Configuring ISAKMP

When you enable NAT-T, the ASA automatically opens port 4500 on all IPsec-enabled interfaces.

The ASA supports multiple IPsec peers behind a single NAT/PAT device operating in one of the

following networks, but not both:

•LAN-to-LAN

•Remote access

In a mixed environment, the remote access tunnels fail the negotiation because all peers appear to be

coming from the same public IP address, address of the NAT device. Also, remote access tunnels fail in

a mixed environment because they often use the same name as the LAN-to-LAN tunnel group (that is,

the IP address of the NAT device). This match can cause negotiation failures among multiple peers in a

mixed LAN-to-LAN and remote access network of peers behind the NAT device.

To use NAT-T, you must perform the following tasks:

Step1 Enter the following command to enable IPsec over NAT-T globally on the ASA:

crypto isakmp nat-traversal natkeepalive

The range for the natkeepalive argument is 10 to 3600 seconds. The default is 20 seconds.

For example, enter the following command to enable NAT-T and set the keepalive value to one hour.

hostname(config)# crypto isakmp nat-traversal 3600

Step2 Select the before-encryption option for the IPsec fragmentation policy by entering this command:

hostname(config)# crypto ipsec fragmentation before-encryption

This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede

the operation of NAT devices that do support IP fragmentation.

Enabling IPsec with IKEv1 over TCP

IPsec/IKEv1 over TCP enables a Cisco VPN client to operate in an environment in which standard ESP

or IKEv1 cannot function or can function only with modification to existing firewall rules. IPsec over

TCP encapsulates both the IKEv1 and IPsec protocols within a TCP-like packet and enables secure

tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default.

Note This feature does not work with proxy-based firewalls.

IPsec over TCP works with remote access clients. You enable it globally, and it works on all

IKEv1-enabled interfaces. It is a client to the ASA feature only. It does not work for LAN-to-LAN

connections.

The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal, and IPsec over

UDP, depending on the client with which it is exchanging data. IPsec over TCP, if enabled, takes

precedence over all other connection methods.