Document ID: 112087
Updated: Aug 05, 2010
Introduction
This document describes how to configure an Easy VPN (EzVPN) server and client to support Cisco Tunneling Control Protocol (cTCP). This sample configuration demonstrates a configuration for IPsec over TCP on any port. This feature is introduced in Cisco IOS® Software Release 12.4(9)T and is now supported in Cisco IOS Software Releases 12.4(20)T and later.
Cisco Tunneling Control Protocol enables VPN clients to operate in environments where the standard ESP protocol (IP protocol 50) or IKE protocol (UDP port 500) is not permitted. For a variety of reasons, firewalls might not permit ESP or IKE traffic, which blocks VPN communication. cTCP solves this problem because it encapsulates ESP and IKE traffic in a TCP header, so that firewalls do not see the ESP and IKE traffic itself.
Prerequisites
Requirements
Ensure that your Easy VPN (EzVPN) server is configured for client connections. Refer to Cisco IOS Router as Easy VPN Server Using Cisco Configuration Professional Configuration Example for information on how to configure a Cisco IOS Router as an Easy VPN server.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco 1841 Router with Cisco IOS Software Release 12.4(20)T
- Cisco CP Version 2.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Cisco IOS Router as Easy VPN Server
Complete these steps in order to configure the Cisco IOS Router (Easy VPN Server) to support cTCP on port 10000:
- Choose Configure > Security > VPN > Easy VPN Server, and click Global Settings in order to edit the Global Settings.
- Check the Enable cTCP checkbox in order to enable cTCP.
Note: The port number 10000 is used by default. If required, the port number can be changed.
Cisco IOS Router as Easy VPN Client
Complete these steps:
- Choose Configure > Security > VPN > Easy VPN Remote, and click Edit in order to edit the client settings for cTCP configuration.
- Click the Firewall Bypass tab and, under the Automatic Firewall Bypass section, specify the Port Number and Keepalive time in seconds. Ensure that the checkbox next to Enable Easy VPN access through firewall is checked.
Note: The port number 10000 is used by default. If required, the port number can be changed. Check with the remote administrator in order to verify which port number is used on the Easy VPN server, since the server and client must use the same port number.
- Click OK in order to complete the configuration.
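Because the server and client must use the same port number, it can help to compare the two saved configurations after the change. The following is an added example, not part of the original document or Cisco's own tooling. It assumes the Cisco CP settings above are written to the running configuration as `crypto ctcp port` on the server and as `ctcp port` under the `crypto ipsec client ezvpn` profile on the client; the profile name, peer address and sample configurations are constructed.

```python
import re

# Constructed sample configs (not from this document). The command forms are
# the assumed IOS CLI equivalents of the Cisco CP settings described above.
SERVER_CFG = "crypto ctcp port 10000\n"
CLIENT_OK = """\
crypto ctcp keepalive 5
crypto ipsec client ezvpn branch1
 connect auto
 ctcp port 10000
 peer 192.0.2.1
"""
CLIENT_BAD = CLIENT_OK.replace("ctcp port 10000", "ctcp port 443")

def server_ports(cfg):
    """Ports the server listens on for cTCP; empty set if cTCP is not enabled."""
    ports = set()
    for line in cfg.splitlines():
        m = re.match(r"crypto ctcp port\s+([\d\s]+)$", line)
        if m:
            ports.update(int(p) for p in m.group(1).split())
    return ports

def client_ports(cfg):
    """Map each Easy VPN Remote profile name to its cTCP port (None if unset)."""
    profiles, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto ipsec client ezvpn (\S+)", line)
        if m:
            current = m.group(1)
            profiles[current] = None
        elif not line.startswith(" "):
            current = None  # left the profile sub-mode
        elif current and (m := re.match(r"\s+ctcp port (\d+)", line)):
            profiles[current] = int(m.group(1))
    return profiles

def check(server_cfg, client_cfg):
    """Return a list of findings; an empty list means both sides agree."""
    listen = server_ports(server_cfg)
    findings = [] if listen else ["server: cTCP not enabled"]
    for name, port in client_ports(client_cfg).items():
        if port is None:
            findings.append(f"{name}: firewall bypass (cTCP) not configured")
        elif port not in listen:
            findings.append(f"{name}: client port {port} not in server ports {sorted(listen)}")
    return findings
```

Calling `check()` with the text of each router's saved configuration returns an empty list when the client port matches a port the server listens on.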
Troubleshoot
There is no troubleshooting information available for this configuration.