cisco vpn because of ipsec over tcp

Christian Krause chkr at fedoraproject.org
Mon Nov 14 19:48:20 UTC 2011


Hi,

Fedora ships the open source "vpnc" client which supports the Cisco VPN
environment. I'm using it daily and it works for me without any problems.

There is also a proprietary client from Cisco:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html .

On 11/14/2011 06:34 PM, Tomasz Torcz wrote:
> On Mon, Nov 14, 2011 at 09:08:05PM +0400, Lucas wrote:
>> I am talking about ipsec over TCP.
>> Everything can do ipsec over UDP, but none over TCP. But on my job for the security reason UDP is
>> blocked, cisco vpn can do ipsec over tcp.
> 
>   It seems you have your layering wrong. IPSec operates on the IP protocol, below UDP and TCP. Only
> IKE, the key exchange protocol, works on UDP. Maybe you thought about a different technology?
> For VPN, OpenVPN provided in Fedora supports TCP transport.

To clarify the misunderstanding: Cisco's VPN concentrator provides the
feature "IPSec over TCP".

Unfortunately, vpnc does not support it:

man 8 vpnc:
[...]
 --natt-mode <natt/none/force-natt/cisco-udp>
        Which NAT-Traversal Method to use:
        ·      natt -- NAT-T as defined in RFC3947
        ·      none -- disable use of any NAT-T method
        ·      force-natt -- always use NAT-T encapsulation even without
               presence  of  a NAT device (useful if the OS captures all
               ESP traffic)
        ·      cisco-udp -- Cisco proprietary UDP encapsulation, commonly
               over Port 10000
        Note: cisco-tcp encapsulation is not yet supported
        Default: natt
 conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>
[...]

So it looks like for your use case (connecting to a Cisco VPN using
IPSec over TCP) you have to use Cisco's proprietary client.


Best regards,
Christian
