A user has called the helpdesk about a VPN-related issue. While at a coffee shop, the user attempted to connect to the VPN using the IPsec client and failed. In other locations, the user can connect successfully. Which of the following settings would most likely allow the user to access the VPN while at this coffee shop?
1. Enable IPsec over TCP
2. Disable group authentication
3. Enable DTLS
4. Change the port number that the IPsec tunnel listens on at the head end ASA
The correct answer is 1.
In many environments, Port Address Translation (PAT) is used to connect users to the internet. IPsec and PAT are not compatible unless either NAT-T (NAT Traversal) on UDP port 4500 or the Cisco proprietary solution of IPsec over TCP (usually to port 10000) is used.