Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translations (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets and can allow for both IKE (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.
The VPN Client also sends keepalives frequently, ensuring that the mappings on the devices are kept active.
Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with your device's vendor to verify whether this limitation exists. Some vendors support Protocol-50 (ESP) Port Address Translation (IPSec passthrough), which might let you operate without enabling transparent tunneling.
To use transparent tunneling, the central-site group in the Cisco VPN device must be configured to support it. For an example, refer to the VPN 3000 Concentrator Manager, Configuration | User Management | Groups | IPSec tab (refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration or Help in the VPN 3000 Concentrator Manager browser).
This parameter is enabled by default. To disable this parameter, uncheck the check box. We recommend that you always keep this parameter checked.
Then choose a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and if you are in an extranet environment, then in general, TCP mode is preferable. UDP does not operate with stateful firewalls, so in this case, you should use TCP.
To enable IPSec over UDP (NAT/PAT), click the radio button. With UDP, the port number is negotiated. UDP is the default mode.
To enable IPSec over TCP, click the radio button. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.
Copyright © 1998-2004, Cisco Systems, Inc. All rights reserved.