Enabling ipsec over nat-t – Cisco ASA 5505 User Manual


64-14

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring ISAKMP

The ASA sends the Phase I ID to the peer. This is true for all VPN scenarios except LAN-to-LAN
IKEv1 connections in main mode that authenticate with preshared keys.

The default setting is auto.

To change the peer identification method, enter the following command:

crypto isakmp identity {address | hostname | key-id id-string | auto}

For example, the following command sets the peer identification method to hostname:

hostname(config)# crypto isakmp identity hostname

Enabling IPsec over NAT-T

NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec
traffic in UDP datagrams, using port 4500, which provides NAT devices with port information. NAT-T
auto-detects any NAT devices and only encapsulates IPsec traffic when necessary. This feature is
disabled by default.

Note

Due to a limitation of the AnyConnect client, you must enable NAT-T for the AnyConnect client to
successfully connect using IKEv2. This requirement applies even if the client is not behind a NAT
device.

With the exception of the home zone on the Cisco ASA 5505, the ASA can simultaneously support
standard IPsec, IPsec over TCP, NAT-T, and IPsec over UDP, depending on the client with which it is
exchanging data.

The keywords of the crypto isakmp identity command select the identity as follows:

Address      Uses the IP addresses of the hosts exchanging ISAKMP identity information.

Automatic    Determines ISAKMP negotiation by connection type:
             IP address for preshared key.
             Cert Distinguished Name for certificate authentication.

Hostname     Uses the fully qualified domain name of the hosts exchanging ISAKMP identity
             information (default). This name comprises the hostname and the domain name.

Key ID       Uses the string the remote peer uses to look up the preshared key.

The following breakdown shows the connections with each option enabled:

Note

When IPsec over TCP is enabled, it takes precedence over all other connection methods.

Options    Enabled Feature                    Client Position             Feature Used

Option 1   If NAT-T is enabled                and client is behind NAT,   then NAT-T is used
                                              and no NAT exists,          then Native IPsec (ESP) is used

Option 2   If IPsec over UDP is enabled       and client is behind NAT,   then IPsec over UDP is used
                                              and no NAT exists,          then IPsec over UDP is used

Option 3   If both NAT-T and IPsec over UDP   and client is behind NAT,   then NAT-T is used
           are enabled                        and no NAT exists,          then IPsec over UDP is used
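As an added example (not code from the Cisco guide), the following Python models the two mechanisms this section describes: how an IKEv1 peer auto-detects a NAT from the NAT-D payloads of RFC 3947, which is what NAT-T's "only encapsulates when necessary" rests on, and which encapsulation the ASA ends up using under the options table above. SHA-1 as the negotiated hash, the addresses, ports and cookies are all constructed assumptions, and the all-disabled fallback to native ESP is an assumption the table does not state.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the negotiated Phase 1 hash (constructed choice)."""
    packed = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def detect_nat(cky_i, cky_r, nat_d_payloads, our_ip, our_port, seen_src_ip, seen_src_port):
    """Evaluate a peer's NAT-D payloads the way the receiver does.
    The peer sends the hash of OUR address first, then hashes of its own candidate
    addresses. A mismatch on the first means we sit behind a NAT; no match among
    the rest against the packet's observed source means the peer does.
    Returns (we_are_behind_nat, peer_is_behind_nat)."""
    we_natted = nat_d_payloads[0] != nat_d_hash(cky_i, cky_r, our_ip, our_port)
    seen = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_natted = seen not in nat_d_payloads[1:]
    return we_natted, peer_natted


def select_transport(nat_t, ipsec_over_udp, ipsec_over_tcp, client_behind_nat):
    """Encapsulation chosen per the options table; IPsec over TCP always wins."""
    if ipsec_over_tcp:
        return "IPsec over TCP"
    if nat_t and client_behind_nat:
        return "NAT-T"                  # Options 1 and 3, client behind NAT
    if ipsec_over_udp:
        return "IPsec over UDP"         # Option 2, and Option 3 with no NAT
    return "Native IPsec (ESP)"         # Option 1 with no NAT (assumed for nothing enabled)


# Constructed scenario: remote-access client 10.0.0.5 behind a NAT that the ASA
# (198.51.100.1) sees as 203.0.113.7:61000. Cookies are constructed values.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
CLIENT_NAT_D = [
    nat_d_hash(CKY_I, CKY_R, "198.51.100.1", 500),  # hash of the ASA (destination)
    nat_d_hash(CKY_I, CKY_R, "10.0.0.5", 500),      # hash of the client's own address
]


def asa_view():
    """What the ASA concludes with NAT-T and IPsec over UDP both enabled (Option 3)."""
    we_natted, peer_natted = detect_nat(CKY_I, CKY_R, CLIENT_NAT_D,
                                        "198.51.100.1", 500, "203.0.113.7", 61000)
    return we_natted, peer_natted, select_transport(True, True, False, peer_natted)


if __name__ == "__main__":
    print(asa_view())  # (False, True, 'NAT-T')
```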
