That's what I was searching for, so in the end in GETVPN we can't use NAT between the GMs.

From: [email protected]
Date: Mon, 26 Dec 2011 12:59:26 +0100
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN and NAT
Diego, All,

There are two scenarios you must consider:

(1) GDOI Registration - when a GM registers itself to the KS, it uses the ISAKMP protocol with standard UDP/500. When there is a NAT between GM and KS (most likely the KS is behind a firewall which statically translates the KS' IP address), NAT-T works as always and changes UDP/500 to UDP/4500.

(2) GM-to-GM traffic - which uses ESP (IP protocol 50). If there is NAT between GM devices, the NAT device in between cannot handle that. In this case NAT is not supported. There is NO NAT-T used in this case!!!

Hope this clears the confusion.

Regards,
Piotr

2011/12/26 Diego Cambronero <[email protected]>

Guys, I am a little bit confused. ESP is IP protocol 50, but it is encapsulated in UDP port 4500 when there is a NAT between the peers, right?

If there is a GM behind a NAT device, it uses UDP 500 to start ISAKMP and then UDP 4500 to encapsulate the traffic, right?

How is the communication between a device that is behind a NAT and another that is not behind a NAT?
4500--->500
4500--->4500
Or what??

On 25/12/2011, at 07:40 p.m., Fawad Khan <[email protected]> wrote:

ESP is a layer protocol itself with number 50. NAT-T is layer 4, UDP port number 4500.

On Sunday, December 25, 2011, Piotr Matusiak <[email protected]> wrote:
> NAT-T uses UDP/4500 always.
>
> 2011/12/25 HA Ali <[email protected]>
>>
>> I have seen in Cisco official docs that GDOI works on 848 UDP and if NAT-T is
>> enabled it works on 4500 UDP. But in a simple VPN setup (not GETVPN) we use
>> 4500 for ESP.
>>
>> If GETVPN uses ESP and GDOI, how will it work in a NAT-T case? Will both of
>> them use UDP 4500?
>>
>> ________________________________
>> From: [email protected]
>> Date: Sun, 25 Dec 2011 16:42:43 +0100
>> To: [email protected]
>> CC: [email protected]
>> Subject: Re: [OSL | CCIE_Security] GETVPN and NAT
>>
>> NAT-T is supported between GM and KS. NAT is not supported between GMs. The
>> only option is to NAT before encryption.
>>
>> Regards,
>> Piotr
>>
>> 2011/12/25 waleed ' <[email protected]>
>>
>> Dear all, in GETVPN there is no NAT-T because there is no ISAKMP between
>> the peers, so how does GETVPN work if there is NAT between two peers?
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>
> --
> FNK
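The two scenarios Piotr separates above (UDP-based GM-to-KS registration, which NAT-T can carry on UDP/4500, versus native ESP between GMs, which no NAT device can rewrite) can be turned into a small audit over flow records: classify each flow, decide whether it crosses a NAT boundary, and flag the combinations that will not survive. The Python below is an added example, not code from the list or from any of the posters. The flow records and the NAT topology are constructed; the port numbers are the standard ones (ISAKMP UDP/500, GDOI UDP/848 per RFC 6407, NAT-T UDP/4500), and the four-zero-byte non-ESP marker used to tell IKE from ESP inside UDP/4500 is from RFC 3948.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard protocol numbers and ports used by the GETVPN control and data planes
PROTO_UDP = 17
PROTO_ESP = 50
PORT_ISAKMP = 500    # ISAKMP/IKE
PORT_GDOI = 848      # GDOI registration (RFC 6407)
PORT_NAT_T = 4500    # NAT-T: IKE and ESP carried inside UDP (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE inside UDP/4500 starts with four zero bytes


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed for this example, not captured traffic)."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    payload: bytes = b""   # leading bytes of the UDP payload, when known


def classify(flow: Flow) -> str:
    """Name the GETVPN traffic class a flow record belongs to."""
    if flow.proto == PROTO_ESP:
        return "esp-native"            # GM-to-GM data plane: raw ESP, no UDP header
    if flow.proto != PROTO_UDP:
        return "other"
    ports = {flow.sport, flow.dport}
    if PORT_ISAKMP in ports:
        return "isakmp"                # registration before NAT-T detection moves it to 4500
    if PORT_GDOI in ports:
        return "gdoi"
    if PORT_NAT_T in ports:
        # Inside UDP/4500 an IKE message carries the non-ESP marker;
        # a UDP-encapsulated ESP packet starts directly with its non-zero SPI.
        if flow.payload[:4] == NON_ESP_MARKER:
            return "isakmp-nat-t"
        return "esp-udp-encap"
    return "other"


def survives_nat(label: str) -> bool:
    """UDP flows carry ports a NAT/PAT can rewrite; native ESP has none."""
    return label in {"isakmp", "gdoi", "isakmp-nat-t", "esp-udp-encap"}


def crosses_nat(flow: Flow, nat_domain: Dict[str, Optional[str]]) -> bool:
    """True when the endpoints sit in different NAT domains (None = public)."""
    return nat_domain.get(flow.src) != nat_domain.get(flow.dst)


def audit(flows: List[Flow], nat_domain: Dict[str, Optional[str]]) -> List[Tuple[str, Flow]]:
    """Return the GETVPN flows that traverse a NAT and cannot be translated."""
    broken = []
    for flow in flows:
        label = classify(flow)
        if label == "other":
            continue
        if crosses_nat(flow, nat_domain) and not survives_nat(label):
            broken.append((label, flow))
    return broken


# Constructed topology: GM1 sits behind the NAT at site "branch-a";
# the KS and GM2 have public addresses (RFC 5737 documentation range).
NAT_DOMAIN: Dict[str, Optional[str]] = {
    "10.1.1.1": "branch-a",      # GM1 (private side of the NAT)
    "203.0.113.10": None,        # KS
    "203.0.113.20": None,        # GM2
}

# Constructed flow records covering both scenarios from the thread
SAMPLE_FLOWS = [
    Flow("10.1.1.1", "203.0.113.10", PROTO_UDP, 500, 500),          # GM1 -> KS, ISAKMP
    Flow("10.1.1.1", "203.0.113.10", PROTO_UDP, 4500, 4500,
         NON_ESP_MARKER + b"\x01"),                                 # GM1 -> KS after NAT-T detection
    Flow("203.0.113.20", "203.0.113.10", PROTO_UDP, 848, 848),      # GM2 -> KS, GDOI
    Flow("10.1.1.1", "203.0.113.20", PROTO_ESP),                    # GM1 -> GM2 data, through the NAT
    Flow("203.0.113.20", "10.1.1.1", PROTO_ESP),                    # GM2 -> GM1 data, through the NAT
]

if __name__ == "__main__":
    for label, flow in audit(SAMPLE_FLOWS, NAT_DOMAIN):
        print(f"{label}: {flow.src} -> {flow.dst} crosses a NAT and cannot be translated")
```

Run against the constructed records, the audit passes the three registration flows (UDP/500, UDP/4500 with the non-ESP marker, UDP/848) and flags only the two native ESP flows between GM1 and GM2, which is the GM-to-GM case Piotr says NAT cannot handle. The `esp-udp-encap` branch exists so the classifier is complete for what a NAT-T peer would emit, but as the thread notes, GETVPN never produces it between GMs; the remedy Piotr gives is to translate before encryption, so the ESP packets themselves never cross the NAT.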
