[VPN] IPSEC over UDP or TCP

shannong shannong at texas.net
Wed Oct 15 09:24:30 EDT 2003


The idea of tunnel encapsulation is generic.  The use of NAT-T,
specifically, is not.  It is defined in an IETF draft as noted below and
defines UDP port 4500.  Most vendors' products I have seen follow the NAT-T
standard and only provide for the client to select UDP encapsulation and not
the port, as the port is defined in the standard.  

TCP is not in the same boat, however, and enjoys the luxury of allowing the
port to be defined in the VPN client. 

The benefits I refer to really have nothing to do with NAT.  My point was
that creating IPSec tunnels that are encapsulated in TCP and with multiple
ports available provides a high degree of success in creating outbound IPSec
connections from networks that are filtered and/or authenticated, as is the
case in most business environments and even some ISPs.  Also, a lot of low-end
firewalls don't handle UDP "connections" so well, and TCP-encapsulated
traffic enjoys a higher degree of success here also.  Unfortunately, many
vendors' VPN solutions don't provide for TCP encapsulation as they only
implement the NAT-T standard using UDP/4500.

Of course, if ISPs are really filtering ESP to prevent IPSec traffic then
it's only a matter of time before they filter traffic with
source/destination port UDP/4500 as well.

More info on the IETF draft for this can be found using the following
headers to that standard.

IP Security Protocol Working Group (IPSEC)                    T. Kivinen
INTERNET-DRAFT                               SSH Communications Security
draft-ietf-ipsec-nat-t-ike-07.txt                             B. Swander
Expires: 29 March 2004                                         Microsoft
                                                             A. Huttunen
                                                    F-Secure Corporation
                                                                V. Volpe
                                                           Cisco Systems
                                                             29 Sep 2003
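As an added illustration of the UDP/4500 encapsulation the NAT-T drafts define (my own example, not code from this list or from any vendor's client), the following Python classifies a single UDP/4500 payload as an IKE message, an ESP packet or a NAT keepalive. The layouts follow the companion UDP-encapsulation draft (published later as RFC 3948): four zero bytes before IKE, a bare SPI for ESP, one 0xFF byte for keepalives; the sample datagrams are constructed, not captured.

```python
import struct

# NAT-T UDP encapsulation (draft-ietf-ipsec-udp-encaps, later RFC 3948):
# every datagram to or from UDP/4500 starts in one of three ways.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE over 4500 is prefixed with 4 zero bytes
KEEPALIVE = b"\xff"                    # NAT keepalive is a single 0xFF byte
IKE_HDR = struct.Struct("!QQBBBBII")   # I-SPI, R-SPI, next, version, exch, flags, msgid, len
ESP_HDR = struct.Struct("!II")         # SPI, sequence number


def classify_natt_payload(payload: bytes) -> dict:
    """Describe what one UDP/4500 payload carries: keepalive, IKE or ESP."""
    if payload == KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < IKE_HDR.size:
            return {"kind": "ike", "error": "truncated IKE header"}
        i_spi, r_spi, _nxt, ver, exch, _flags, msg_id, length = IKE_HDR.unpack_from(ike)
        return {"kind": "ike", "initiator_spi": i_spi, "responder_spi": r_spi,
                "major_version": ver >> 4, "exchange_type": exch,
                "message_id": msg_id, "length": length}
    if len(payload) < ESP_HDR.size:
        return {"kind": "unknown", "error": "too short for an ESP header"}
    spi, seq = ESP_HDR.unpack_from(payload)
    # A real ESP SPI is never 0 (a zero SPI would have matched the non-ESP marker above).
    return {"kind": "esp", "spi": spi, "sequence": seq,
            "encrypted_len": len(payload) - ESP_HDR.size}


def summarize_udp4500(payloads) -> dict:
    """Count datagram kinds, e.g. to spot a peer that negotiates IKE but never sends ESP."""
    counts = {}
    for p in payloads:
        kind = classify_natt_payload(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample datagrams (not real captures).
SAMPLE_KEEPALIVE = KEEPALIVE
# IKEv1 identity-protection (main mode) header: version byte 0x10 = IKEv1, exchange type 2.
SAMPLE_IKE = NON_ESP_MARKER + IKE_HDR.pack(0x1122334455667788, 0, 1, 0x10, 2, 0, 0, 28)
# ESP packet: SPI 0xC0FFEE01, sequence 7, then 16 bytes standing in for ciphertext.
SAMPLE_ESP = ESP_HDR.pack(0xC0FFEE01, 7) + b"\x00" * 16

if __name__ == "__main__":
    for pkt in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP):
        print(classify_natt_payload(pkt))
    print(summarize_udp4500([SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP]))
```

Note that this only tells UDP/4500 traffic apart by its framing; it says nothing about the proprietary TCP encapsulations discussed above, whose on-the-wire format is vendor-specific.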
-----Original Message-----
From: vpn-bounces+shannong=texas.net at lists.shmoo.com
[mailto:vpn-bounces+shannong=texas.net at lists.shmoo.com] On Behalf Of
Jean-Francois Dive
Sent: Wednesday, October 15, 2003 1:50 AM
To: shannong
Cc: VPN at lists.shmoo.com
Subject: RE: [VPN] IPSEC over UDP or TCP

What you define here is a generic tunnel encapsulation which exists in
multiple forms. As far as IPSec is concerned, it should not be affected by
such environments. NAT-T is designed to cope with NAT, punt. If you want to
cross a restrictive network, ISP, firewall, then you should use
whatever_you_name_it tunnel technology to carry IPSec traffic.

On Sat, 2003-10-11 at 18:05, shannong wrote:
> 
> Note: NAT-T is a standard and specifies only UDP over port 4500. 
> Some vendors provide a proprietary method (namely Cisco) for UDP 
> encapsulation over other defined ports and even with TCP.  Most 
> vendors' VPN clients do not allow the user to define the UDP port for 
> the connection as the standard says to use 4500.  However, some 
> vendors' VPN clients do allow the configuration of the TCP port.
> Additionally, some vendors' VPN terminators (read Cisco) can be 
> configured to listen on multiple TCP ports simultaneously.
> 
> Therefore, another functional advantage of using TCP encapsulation 
> instead of NAT-T (read UDP) is that the port for the IPSec connection 
> can be defined by the client provided the VPN terminating device has 
> been configured to listen on that TCP port.  I find this very useful 
> as I initiate VPN connections from varied and different networks as 
> part of my consulting work.  Many networks block all traffic except 
> for "normal" business needs.  Some networks allow only 80/443.  Some 
> networks allow 3389 for RDP, and others do not.  Therefore, I have a 
> lot more success with VPN tunnels by providing myself with 5 choices 
> of TCP ports.  I find that networks that are locked down and providing 
> HTTP access through proxies still frequently allow 443 out without 
> authentication or filtering due to the obvious added complexity of 
> handshaking the SSL connection on both sides to look at the traffic 
> and authenticate it.  Therefore, TCP/443 has shown to be the most 
> successful for me.
> 
> I have also found that unreliable connections like cable modems that 
> experience high packet loss cause my TCP-IPSec connections to provide 
> lower overall performance due to the obvious problems of two entities 
> attempting reliable retransmission of lost data and invoking the TCP 
> slow-down algorithm.  This is a casual observation rather than 
> scientific measurement for which I have no corresponding data.
> 
> 
> 
> - -----Original Message-----
> From: vpn-bounces+shannong=texas.net at lists.shmoo.com
> [mailto:vpn-bounces+shannong=texas.net at lists.shmoo.com] On Behalf Of 
> Siddhartha Jain
> Sent: Friday, October 10, 2003 12:54 PM
> To: VPN at lists.shmoo.com
> Subject: RE: [VPN] IPSEC over UDP or TCP
> 
> 
> That's interesting. I assumed a higher overhead for obvious reasons. 
> Can you point to any studies or white papers proving that NAT-T 
> doesn't affect performance?
> 
> Thanks,
> 
> Siddhartha
> 
> 
> 
> --- Bill Yazji <byazji at psualum.com> wrote:
> > Quantify your "con" - significant testing has shown
> > this really isn't the case....
> > 
> > ~B
> > 
> > -----Original Message-----
> > From: vpn-bounces+byazji=psualum.com at lists.shmoo.com
> > [mailto:vpn-bounces+byazji=psualum.com at lists.shmoo.com] On Behalf Of
> > Siddhartha Jain
> > Sent: Tuesday, October 07, 2003 11:45 AM
> > To: VPN at lists.shmoo.com
> > Subject: Re: [VPN] IPSEC over UDP or TCP
> > 
> > 
> > Advantages: Beats ISP blocking of IPSec traffic and overcomes NAT 
> > difficulties.
> > 
> > Cons: Decreases throughput because you have higher overheads. 
> > Original packet inside IPSec inside TCP/UDP packet.
> > 
> > 
> > 
> > --- "Shivdasani, Meenoo" <Meenoo.Shivdasani at venterscience.org> wrote:
> > > I'm interested in people's experiences with implementing IPSEC over UDP
> > > or TCP.
> > >
> > > Benefits?  Disadvantages?
> > >
> > > Thanks in advance,
> > >
> > > M
> > > _______________________________________________
> > > VPN mailing list
> > > VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn
> > 
> >
> 
> 
> 
> 
> 
-- 

-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
