Using Cisco Tunnel Control Protocol – IPSec VPNs

A relatively new feature in Cisco Router IOS® (introduced in version 12.4(9)T) finally supports NAT transparency for IPSec VPNs using Tunnel Control Protocol (cTCP). This option has long been available on the VPN concentrator platform and was first implemented on the ASA and PIX platforms in operating system version 7.0. This post highlights the main features of the router implementation. Cisco VPN Client users (the client uses IPSec, as opposed to AnyConnect®, which uses SSL) often find themselves “connected” through the VPN via a wired or wireless network that sits behind a device doing Port Address Translation (PAT). Since Encapsulating Security Payload (ESP, IP protocol 50) carries no port numbers and is therefore not compatible with PAT, no IPSec traffic flows despite a seemingly successful connection. This problem is not new; it was noted almost a decade ago and initially solved by introducing two proprietary options:

  1. a group-based UDP encapsulation mechanism and
  2. a global or “system-wide” TCP encapsulation technique, each defaulting to port 10000.

The first option was largely replaced by the IETF NAT-Traversal (NAT-T) technique, which “auto discovers” translating devices and inserts an extra UDP header using port 4500. The TCP option remains a viable choice for networks with strict security policies that disallow outbound user UDP packets. In such a scenario you configure your VPN client as follows:

[Screenshot: Cisco VPN Client transport settings]

In the screenshot the IPSec over TCP radio button is selected in place of the default UDP setting; as noted, TCP port 10000 is the default and is configurable. As the Deployment Guide mentions, the VPN server can be configured to listen on up to ten TCP ports for this tunneling option. On the IOS router acting as the VPN server, the configuration syntax that supports this option is:

Router(config)# crypto ctcp [keepalive #-seconds] [port port-#]

By default the keepalive interval is 5 seconds, and the port number is 10000. In addition to this configuration syntax, the IOS supports the following troubleshooting command:

Router# debug crypto ctcp

The resulting output displays the TCP 3-way handshake that sets up the connection as well as whether TCP encapsulation succeeded overall.
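The following is an added configuration example, not taken from the original post, showing how the cTCP listener fits alongside the other IPSec transports on an IOS VPN server. The outside interface name, the 203.0.113.1 address, the VPN-MAP crypto map (assumed to already exist) and the ACL name are assumptions; the ACL is deliberately minimal so the allowed transports are visible at a glance, and a production filter would carry additional entries.

```cisco
! Added example (not from the original post). Interface name, address,
! ACL name and the pre-existing crypto map VPN-MAP are assumed.
!
! Enable the cTCP listener. 5 seconds and port 10000 are the IOS defaults
! and are written out here so the choice is explicit in the running config.
crypto ctcp keepalive 5 port 10000
!
! Inbound filter on the outside interface: permit only the transports the
! VPN server actually uses. ESP (protocol 50) is kept for clients that are
! not behind PAT; UDP 4500 covers IETF NAT-T; TCP 10000 covers cTCP.
ip access-list extended OUTSIDE-IN
 remark Constructed example: IPSec transports only
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 permit tcp any host 203.0.113.1 eq 10000
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (assumed interface name)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Verification after a client connects with IPSec over TCP selected:
!   Router# show crypto ctcp
!   Router# debug crypto ctcp
```

The `deny ip any any log` entry doubles as a detection aid: a client that is behind PAT but still configured for plain ESP will show up as logged, dropped or absent protocol-50 traffic rather than as a silent tunnel with no data, which is the symptom the post describes.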
