EX SSL-VPN: What are the advantages of enabling ESP in Tunnel mode?
Resolution
Question:
What are the advantages/features of enabling ESP in Tunnel mode?
Features and Functionality for ESP Based Tunnel:
ESP (Encapsulating Security Payload) is used here to encapsulate and decapsulate tunnel packets inside a UDP wrapper (port 4500) so that they can traverse NATs. Using it can improve the performance of UDP-streaming applications such as VoIP. For more information on ESP and its UDP encapsulation, see RFCs 2406 and 3948.
ESP encapsulation is the default setting for newly defined communities.
UDP port 4500 must be open in network firewalls for traffic to and from the appliance.
ESP uses AES128 with MD5; on FIPS-enabled devices the encryption used is AES256 with SHA256.
LZ4 compression is used for both ESP- and SSL-based tunnels.
If ESP fails or if the client does not support it, then the SSL tunnel is automatically used instead.
Log messages will show UDP port 4500 packets for ESP traffic and TCP port 443 packets for SSL tunnel traffic.
ESP is configured per community and can be enabled for all network traffic or for UDP traffic only.
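As an added example (not from the original article), the following Python script applies the points above about log messages and fallback: it classifies constructed sample connection log lines by transport (UDP/4500 = ESP, TCP/443 = SSL tunnel) and flags users whose SSL tunnel came up after an ESP attempt failed, which usually means UDP 4500 is blocked somewhere on the path. The log line format is an assumption; the appliance's real format differs.

```python
import re
from collections import defaultdict

# Constructed sample log lines (the format is assumed, not the appliance's real format).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z tunnel user=alice src=203.0.113.5 proto=UDP dport=4500 event=established
2024-05-01T10:00:02Z tunnel user=bob src=198.51.100.7 proto=UDP dport=4500 event=failed
2024-05-01T10:00:03Z tunnel user=bob src=198.51.100.7 proto=TCP dport=443 event=established
2024-05-01T10:00:04Z tunnel user=carol src=192.0.2.9 proto=TCP dport=443 event=established
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>UDP|TCP) "
    r"dport=(?P<dport>\d+) event=(?P<event>\S+)"
)


def classify(proto, dport):
    """Map transport and destination port to the tunnel type the article describes."""
    if proto == "UDP" and dport == 4500:
        return "ESP"
    if proto == "TCP" and dport == 443:
        return "SSL"
    return "OTHER"


def summarize(log_text):
    """Return {user: {"tunnel": type of the last established tunnel,
    "esp_failed": ESP attempt seen failing, "fallback": SSL came up after ESP failed}}."""
    state = defaultdict(lambda: {"tunnel": None, "esp_failed": False, "fallback": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a tunnel event line; ignore it
        rec = state[m["user"]]
        kind = classify(m["proto"], int(m["dport"]))
        if kind == "ESP" and m["event"] == "failed":
            rec["esp_failed"] = True
        elif m["event"] == "established":
            rec["tunnel"] = kind
            # SSL established after an ESP failure is the automatic fallback;
            # check that UDP 4500 is open on the firewalls along that user's path.
            rec["fallback"] = kind == "SSL" and rec["esp_failed"]
    return dict(state)


def fallback_users(log_text):
    """Users who ended up on the SSL tunnel only because ESP failed."""
    return sorted(u for u, r in summarize(log_text).items() if r["fallback"])


if __name__ == "__main__":
    for user, rec in summarize(SAMPLE_LOGS).items():
        print(user, rec)
```

A user on SSL with no preceding ESP failure (carol above) is not flagged, since that also matches a client that does not support ESP or a community with ESP disabled.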