IPSEC over TCP
Hello Community, a partner of mine asked for the possibility to use the IPSec protocol over TCP instead of UDP. I've done some online research and found on the Cisco forum several scenarios where this is useful:
1. UDP port 500 is blocked, resulting in incomplete IKE negotiations
2. ESP is not allowed to pass and as a result encrypted traffic does not traverse.
3. Network administrator prefers to use a connection-oriented protocol.
4. IPSec over TCP might be necessary when the intermediary NAT or PAT device is a stateful firewall.
Is there any clue about the future support for this option also on SonicWall firewall?
Thanks for your help.
Answers
@Enzino78 to be honest I never saw an implementation of IPsec over TCP on the systems I managed and I would assume that the performance impact is pretty big.
About the future support on SNWL, my guess is never. They don’t even implement Wireguard for clients, so why waste the rare developer resources on something as exotic as IPsec over TCP.
—Michael@BWC
Thanks Michael for your point.
There is at least one non-standard implementation / extension of IPSEC over TCP that I know of -
Barracuda has TINA tunnels - which do have some advantages
TINA VPN Tunnels | Barracuda Campus
IPsec NAT Traversal should take care of ISAKMP UDP 500 being blocked.
SW GEN 7 Network/IPSEC VPN/Advanced - which I believe is the default
Support is also required on the remote endpoint.
If this is Azure behind an AZ gateway or other PAT device it's mandatory. I've spent too many hours figuring out why VPNs won't establish, only to find "specialists" haven't enabled this option in their cloud services.