In most situations, there is a PAT device between the VPN client and the head-end VPN device. PAT distinguishes users by the UDP or TCP port they use. Because IPSec data traffic (ESP) is carried as IP protocol 50, which has no port field, at most one user can connect to the VPN device through the PAT. The IP protocol number belongs to layer 3 of the OSI reference model, while PAT functionality operates at layer 4. For this reason, there are three different methods of tunneling IPSec traffic. It is important to understand the ports each method uses so that those ports are not blocked.
- NAT Traversal – This method still uses 500/udp for IKE negotiation, but then tunnels IPSec data traffic within 4500/udp packets. This is the default method for UDP tunneling with the Cisco VPN client.
- IPSec over UDP – This method still uses 500/udp for IKE negotiation, but then tunnels IPSec data traffic within a pre-defined UDP port. The default port for this traffic is 10000/udp.
- IPSec over TCP – This method tunnels both the IKE negotiation and IPSec data traffic within a pre-defined TCP port. The default port for this traffic is 10000/tcp. This is the only method that tunnels both IKE and IPSec within the same stream.
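As an added example (not from the original post), the following Python models a PAT device in front of two VPN clients: raw ESP, having no layer-4 port, collides as soon as a second client appears, while the 4500/udp NAT Traversal encapsulation is translated like any other UDP flow. It also classifies outbound packets into the three methods using the default ports given above; the IP addresses are constructed from documentation ranges.

```python
# Added example (not from the original post): a toy PAT table that shows why raw
# ESP (IP protocol 50, no layer-4 port) cannot be multiplexed by port translation
# while the UDP/TCP encapsulations can, plus a classifier for the three methods.
from typing import NamedTuple, Optional, Tuple

ESP, TCP, UDP = 50, 6, 17

class Packet(NamedTuple):
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for protocols without L4 ports (ESP)
    dst_port: Optional[int] = None

class Pat:
    """Many inside hosts share one outside address, distinguished by L4 port."""
    def __init__(self, outside_ip: str) -> None:
        self.outside_ip, self.next_port = outside_ip, 1024
        self.table = {}   # (proto, outside_port) -> (inside_ip, inside_port)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_port is None:
            # Nothing to rewrite below layer 3: the only key is the bare protocol
            # number, so a second inside host using ESP collides and is dropped.
            owner = self.table.setdefault((pkt.proto, None), (pkt.src_ip, None))
            if owner != (pkt.src_ip, None):
                return None
            return Packet(pkt.proto, self.outside_ip, pkt.dst_ip)
        self.next_port += 1
        self.table[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.outside_ip, pkt.dst_ip, self.next_port, pkt.dst_port)

def tunneling_method(pkt: Packet, udp_port: int = 10000, tcp_port: int = 10000) -> str:
    """Name the encapsulation of an outbound packet using the post's default ports."""
    if pkt.proto == ESP:
        return "raw ESP (not PAT-able)"
    known = {(UDP, 500): "IKE", (UDP, 4500): "NAT Traversal",
             (UDP, udp_port): "IPSec over UDP", (TCP, tcp_port): "IPSec over TCP"}
    return known.get((pkt.proto, pkt.dst_port), "other")

def demo() -> Tuple[bool, bool]:
    """Two clients behind one PAT: raw ESP collides, NAT-T (4500/udp) does not."""
    pat = Pat("203.0.113.1")   # constructed addresses from documentation ranges
    esp_a = pat.translate(Packet(ESP, "192.168.1.10", "198.51.100.5"))
    esp_b = pat.translate(Packet(ESP, "192.168.1.11", "198.51.100.5"))
    natt_a = pat.translate(Packet(UDP, "192.168.1.10", "198.51.100.5", 4500, 4500))
    natt_b = pat.translate(Packet(UDP, "192.168.1.11", "198.51.100.5", 4500, 4500))
    return (esp_a is not None and esp_b is None), (natt_a is not None and natt_b is not None)
```

Running `demo()` returns `(True, True)`: the second ESP client is dropped by the PAT, while both NAT-T clients are translated to distinct outside ports.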
Posted by Rob Chee