Diego, All,

There are two scenarios you must consider:

(1) GDOI Registration - when GM registers itself to KS, it uses ISAKMP protocol with standard UDP/500. When there is a NAT between GM and KS (most likely KS is behind a firewall which statically translates KS' IP address), the NAT-T works as always, changes UDP/500 to UDP/4500.

(2) GM-to-GM traffic - which uses ESP (IP Prot 50). If there is NAT between GM devices, the NAT device in between cannot handle that. In this case NAT is not supported. There is NO NAT-T used in this case!!!

Hope this clears the confusion.

Regards,
Piotr

2011/12/26 Diego Cambronero <[email protected]>
> Guys, I am a little bit confused. ESP is IP protocol 50 but it is encapsulated in port UDP 4500 when there is a NAT between the peers, right?
>
> If there is a GM behind a NAT device it uses UDP 500 to start ISAKMP and then UDP 4500 to encapsulate the traffic, right?
>
> How is the communication between a device that is behind a NAT and another that is not behind a NAT?
>
> 4500--->500
> 4500--->4500
>
> Or what??
>
> On 25/12/2011, at 07:40 p.m., Fawad Khan <[email protected]> wrote:
>
> > ESP is a layer protocol itself with number 50
> >
> > NAT-T is layer 4 UDP port number 4500
> >
> > On Sunday, December 25, 2011, Piotr Matusiak <[email protected]> wrote:
> > > NAT-T uses UDP/4500 always.
> > >
> > > 2011/12/25 HA Ali <[email protected]>
> > > > I have seen in Cisco official docs that GDOI works on 848 UDP and if NAT-T is enabled it works on 4500 UDP. But in simple VPN setup (not GETVPN) we use 4500 for ESP.
> > > >
> > > > If GETVPN uses ESP and GDOI how will it work in a NAT-T case? Will both of them use UDP 4500?
> > > >
> > > > ________________________________
> > > > From: [email protected]
> > > > Date: Sun, 25 Dec 2011 16:42:43 +0100
> > > > To: [email protected]
> > > > CC: [email protected]
> > > > Subject: Re: [OSL | CCIE_Security] GETVPN and NAT
> > > >
> > > > NAT-T is supported between GM and KS. NAT is not supported between GMs. The only option is to NAT before encryption.
> > > >
> > > > Regards,
> > > > Piotr
> > > >
> > > > 2011/12/25 waleed ' <[email protected]>
> > > > > Dear all, in GETVPN there is no NAT-T because there is no ISAKMP between the peers, so how does GETVPN work if there is NAT between two peers?
> > > > > _______________________________________________
> > > > > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
> > > > >
> > > > > Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
> >
> > --
> > FNK
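The two cases Piotr distinguishes are visible in the outer headers alone, which is what a NAT device (and a firewall ACL or a packet classifier in a monitoring tool) gets to see. The following is an added illustration, not code from this thread or from any Cisco product: it constructs sample packets for GDOI registration (ISAKMP on UDP/500, then UDP/4500 after NAT-T detection, with the RFC 3948 four-zero-byte non-ESP marker) and for GM-to-GM data (raw ESP, IP protocol 50), classifies them, and models a port-translating NAT that has nothing to rewrite when the packet carries no UDP port. Addresses come from private and RFC 5737 documentation ranges; the SPI, ISAKMP bytes and function names are assumptions made for the example.

```python
"""Outer-header view of the two GETVPN cases discussed in the thread.

Added illustration, not code from the thread or from any vendor. All packets
are constructed inline (documentation addresses, made-up SPI and ISAKMP
bytes); nothing here comes from a real capture.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500                        # ISAKMP, used by GDOI registration (GM -> KS)
NAT_T_PORT = 4500                     # UDP-encapsulated IKE and ESP once NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with this


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left at zero) followed by payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal UDP header (checksum left at zero) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header: SPI and sequence number, then the (already encrypted) body."""
    return struct.pack("!II", spi, seq) + body


def classify(packet: bytes) -> str:
    """Label a packet by its outer headers: ike, ike-nat-t, esp, esp-udp-encap or other."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        return "esp"                      # raw ESP: no ports for a NAT device to rewrite
    if proto != IPPROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    udp_data = payload[8:]
    if IKE_PORT in (sport, dport):
        return "ike"                      # plain ISAKMP on UDP/500
    if NAT_T_PORT in (sport, dport):
        # On UDP/4500 the first four bytes tell IKE (zero marker) and ESP (non-zero SPI) apart
        return "ike-nat-t" if udp_data[:4] == NON_ESP_MARKER else "esp-udp-encap"
    return "other"


def udp_encapsulate_esp(esp_packet: bytes) -> bytes:
    """Rewrap raw ESP as UDP/4500 (RFC 3948), as IKE peers do after detecting a NAT.

    GM-to-GM ESP in GETVPN never goes through this step, which is why NAT
    between GMs is not supported.
    """
    ihl = (esp_packet[0] & 0x0F) * 4
    hdr = bytearray(esp_packet[:ihl])
    udp = build_udp(NAT_T_PORT, NAT_T_PORT, esp_packet[ihl:])
    hdr[9] = IPPROTO_UDP                            # protocol 50 -> 17
    struct.pack_into("!H", hdr, 2, ihl + len(udp))  # fix total length
    return bytes(hdr) + udp


def pat_rewrite_source(packet: bytes, new_port: int):
    """Model a port-translating NAT: rewrite the UDP source port if there is one.

    Returns the rewritten packet, or None when the packet has no transport
    port (raw ESP), the GM-to-GM case that a NAT device cannot handle.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    out = bytearray(packet)
    struct.pack_into("!H", out, ihl, new_port)
    return bytes(out)


def sample_packets() -> dict:
    """Constructed packets for the two scenarios (sample data, not a capture)."""
    isakmp = bytes(range(28))                       # stand-in for a 28-byte ISAKMP header
    gm, ks, gm2 = "10.1.1.10", "192.0.2.5", "198.51.100.7"
    return {
        # (1) GDOI registration GM -> KS, before and after NAT-T moves it to UDP/4500
        "gdoi_registration": build_ipv4(IPPROTO_UDP, gm, ks, build_udp(IKE_PORT, IKE_PORT, isakmp)),
        "gdoi_registration_nat_t": build_ipv4(
            IPPROTO_UDP, gm, ks, build_udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + isakmp)),
        # (2) GM -> GM data traffic: raw ESP, IP protocol 50
        "gm_to_gm_esp": build_ipv4(IPPROTO_ESP, gm, gm2, build_esp(0x0001AB23, 1, b"\xaa" * 32)),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        translated = pat_rewrite_source(pkt, 40001) is not None
        print(f"{name:26s} -> {classify(pkt):14s} PAT possible: {translated}")
```

Running the script prints the label for each constructed packet and whether the modelled NAT could translate it; only the raw ESP packet comes back untranslatable, and only after `udp_encapsulate_esp` (the step a NAT-T-capable IKE peer performs, which GETVPN GMs do not perform for each other) does it gain ports a NAT can work with.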
