UDP 4848 was supposed to be used instead of 4500 for the NAT-T implementation of GDOI. Cisco did not follow this and chose to go back to 4500, either because of technical reasons or the chosen method. Not sure of all the internal reasons, but GetVPN is not an industry implementation of GDOI. Cisco developed their own implementation of the GDOI protocol. Juniper is using the industry-standard Group VPN. There are some compatibility differences that need to be taken care of.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tolulope Ogunsina
Sent: Thursday, June 03, 2010 8:10 AM
To: Kingsley Charles
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] [CCIE Security Study Group] New message: "VPN with NAT-T"

Hi,

I remember reading a post about the guy that wrote the RFC saying that UDP 4848 was proposed but not finally implemented. I can't remember where I got that info from though :(

On 6/3/10, Kingsley Charles <[email protected]> wrote:
> Hi TacACK
>
> You need to do a static NAT for the KS address. The GM should
> register to the NATed address of the KS.
>
> Just now I did the lab and GDOI uses 4500. Till MM4, the first four
> messages of Main Mode use 848, and then it moves to 4500 from MM5.
>
> With regards
> Kings
>
> On Thu, Jun 3, 2010 at 4:31 PM, Vybhav Ramachandran <[email protected]> wrote:
>
>> Hello Kings,
>>
>> If I have an ASA between the KS and the GM, and the KS is on the inside
>> interface, what kind of NAT do I have to enable on the ASA to trigger NAT-T?
>>
>> Cheers,
>> TacACK
>>

--
Best Regards,
Tolulope.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
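As an added illustration (not code from this thread or from Cisco), a small Python checker that applies the points made above to constructed UDP flow records between a GM and the KS: it flags a GM registering to the un-NATed KS address instead of the static-NAT address, flags the proposed-but-unused UDP 4848, and confirms the pattern Kings describes (MM1-MM4 on 848, then 4500 from MM5). The addresses, the log line format and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

KS_INSIDE = "10.1.1.5"     # hypothetical: KS address on the ASA inside interface
KS_NAT = "203.0.113.5"     # hypothetical: static NAT for the KS on the outside

# Constructed sample flow log (format is invented for this example).
SAMPLE_LOG = """\
seq=1 proto=udp src=198.51.100.7:848 dst=203.0.113.5:848
seq=2 proto=udp src=203.0.113.5:848 dst=198.51.100.7:848
seq=3 proto=udp src=198.51.100.7:848 dst=203.0.113.5:848
seq=4 proto=udp src=203.0.113.5:848 dst=198.51.100.7:848
seq=5 proto=udp src=198.51.100.7:4500 dst=203.0.113.5:4500
seq=6 proto=udp src=203.0.113.5:4500 dst=198.51.100.7:4500
seq=7 proto=udp src=198.51.100.9:848 dst=10.1.1.5:848
seq=8 proto=udp src=198.51.100.11:848 dst=203.0.113.5:4848
"""

LINE_RE = re.compile(r"seq=(\d+) proto=udp src=([\d.]+):(\d+) dst=([\d.]+):(\d+)")

def parse(log):
    """Group records per GM as (seq, ks_address_used, destination_port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, src, _sport, dst, dport = m.groups()
        if dst in (KS_INSIDE, KS_NAT):        # GM -> KS
            flows[src].append((int(seq), dst, int(dport)))
        elif src in (KS_INSIDE, KS_NAT):      # KS -> GM
            flows[dst].append((int(seq), src, int(dport)))
    return flows

def check_registration(msgs):
    """Classify one GM's registration exchange against the expected port usage."""
    ports = [p for _, _, p in sorted(msgs)]
    if KS_INSIDE in {ks for _, ks, _ in msgs}:
        return "misconfigured: GM registers to un-NATed KS address, static NAT needed"
    if 4848 in ports:
        return "unexpected: UDP 4848 seen (proposed for NAT-T, not used by Cisco GDOI)"
    if ports[:4] == [848] * 4 and ports[4:] and all(p == 4500 for p in ports[4:]):
        return "ok: MM1-MM4 on 848, floated to 4500 from MM5"
    if all(p == 848 for p in ports):
        return "no NAT-T float: all messages on 848"
    return "unexpected port sequence: " + ",".join(map(str, ports))

def audit(log=SAMPLE_LOG):
    return {gm: check_registration(msgs) for gm, msgs in parse(log).items()}

if __name__ == "__main__":
    for gm, verdict in audit().items():
        print(gm, "->", verdict)
```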
