UDP Tunnel Mode
A network address translator (NAT) allows multiple private network addresses to share a single, public IPv4
address. But address translation also means that client-to-client networking applications, such as VoIP and video
conferencing, will not work properly: these applications need to know a user's IP address in order to establish
and maintain a reliable connection.
ESP (Encapsulating Security Payload) encapsulation wraps packets in a UDP header (port 4500) so that they can
traverse NATs, and unwraps them on the far side. Using it can improve the performance of UDP-streaming
applications such as VoIP. For more information on ESP and its UDP encapsulation, see RFCs 2406 and 3948.
ESP encapsulation is the default setting for newly defined communities. When it is in use, UDP port 4500 must be
open in network firewalls for traffic to and from the appliance's external IP addresses and virtual IP addresses.
If the external appliance traffic is subject to NAT, then NAT must also be configured to pass UDP port 4500. In
rare cases where the network environment does not properly implement PMTU discovery (see RFC 1191), certain
applications may run inefficiently, or not at all, when ESP encapsulation is used.
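To make the "UDP wrapper" concrete, the following added example (not part of this documentation page, and not appliance code) builds and classifies UDP port 4500 payloads according to the framing in RFC 3948: a one-byte 0xFF NAT keepalive, a four-zero-byte non-ESP marker that precedes IKE messages sharing the port, and otherwise an ESP header whose first field is a non-zero SPI. The SPI, sequence number and body bytes are constructed test values.

```python
import struct

NAT_T_PORT = 4500                        # UDP port shared by UDP-encapsulated ESP and IKE (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # prefix used for IKE messages on port 4500 (RFC 3948 sec. 2.2)
NAT_KEEPALIVE = b"\xff"                  # one-byte NAT keepalive packet (RFC 3948 sec. 2.3)
ESP_HEADER_LEN = 8                       # SPI (4 bytes) + sequence number (4 bytes)


def build_udp_esp_payload(spi: int, seq: int, encrypted_body: bytes) -> bytes:
    """Return the UDP payload for one UDP-encapsulated ESP packet (SPI, seq, ciphertext + trailer + ICV)."""
    if spi == 0:
        # SPI 0 is reserved, which is what makes the non-ESP marker unambiguous.
        raise ValueError("SPI must be non-zero")
    return struct.pack("!II", spi, seq) + encrypted_body


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify a UDP/4500 payload as keepalive, IKE, ESP, or malformed (RFC 3948 rules)."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < ESP_HEADER_LEN:
        # Neither a full ESP header nor a marker plus an IKE header fits here.
        return {"kind": "malformed", "length": len(payload)}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_len": len(payload) - 4}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "seq": seq, "body_len": len(payload) - ESP_HEADER_LEN}


if __name__ == "__main__":
    # Constructed sample: an ESP packet with a made-up SPI and 16 bytes of opaque ciphertext.
    sample = build_udp_esp_payload(spi=0x12345678, seq=1, encrypted_body=b"\x00" * 16)
    print(classify_nat_t_payload(sample))
    print(classify_nat_t_payload(NAT_KEEPALIVE))
    print(classify_nat_t_payload(NON_ESP_MARKER + b"A" * 28))
```

The classifier is the check a firewall or packet-capture review would apply: if a client's UDP/4500 traffic never progresses past keepalives and IKE, the ESP data path is not established and the session will fall back to the SSL tunnel.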
When enabled, ESP use is automatically negotiated between a client and the SMA appliance. You can choose to
use it for all traffic or for UDP traffic only; if ESP negotiation fails, or the client does not support it, the
SSL tunnel is used automatically instead. The User Sessions page in AMC indicates which type of tunnel each
session is using. The log files also indicate which tunnel was used: log messages show UDP port 4500 packets for
ESP traffic and TCP port 443 packets for SSL tunnel traffic.
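The following added example (not from this documentation page and not the appliance's own tooling) shows how an administrator can triage tunnel logs using only the distinction the text gives: UDP port 4500 means ESP, TCP port 443 means the SSL tunnel. The log line format, user names and timestamps are constructed for the example; the real appliance log layout is not described on this page, so the regular expression would need to be adapted to it.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "key=value" layout (not the appliance's real format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z tunnel user=alice proto=UDP dport=4500 bytes=1320
2024-05-01T10:00:02Z tunnel user=bob proto=TCP dport=443 bytes=1460
2024-05-01T10:00:03Z tunnel user=alice proto=UDP dport=4500 bytes=1320
2024-05-01T10:00:04Z tunnel user=carol proto=UDP dport=4500 bytes=1320
2024-05-01T10:00:09Z tunnel user=carol proto=TCP dport=443 bytes=1460
2024-05-01T10:00:10Z tunnel user=dave proto=UDP dport=53 bytes=80
"""

LOG_RE = re.compile(r"user=(?P<user>\S+)\s+proto=(?P<proto>TCP|UDP)\s+dport=(?P<dport>\d+)")

ESP_UDP_PORT = 4500
SSL_TCP_PORT = 443


def tunnel_type(proto: str, dport: int) -> str:
    """Map a transport/port pair to the tunnel it represents, per the page's rule."""
    if proto == "UDP" and dport == ESP_UDP_PORT:
        return "esp"
    if proto == "TCP" and dport == SSL_TCP_PORT:
        return "ssl"
    return "other"


def summarize(log_text: str) -> dict:
    """Count ESP, SSL and other packets per user from the log text."""
    per_user = defaultdict(lambda: {"esp": 0, "ssl": 0, "other": 0})
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # not a tunnel record; ignore
        kind = tunnel_type(match["proto"], int(match["dport"]))
        per_user[match["user"]][kind] += 1
    return dict(per_user)


def ssl_fallback_users(summary: dict) -> list:
    """Users carrying any SSL tunnel traffic: either the client lacks ESP support or UDP/4500 is blocked."""
    return sorted(user for user, counts in summary.items() if counts["ssl"] > 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for user, counts in sorted(summary.items()):
        print(f"{user}: {counts}")
    print("check firewall/NAT for UDP 4500 on behalf of:", ssl_fallback_users(summary))
```

A user who appears with ESP packets and then only SSL packets (carol in the sample) is the case worth investigating first, since a working ESP path that stopped is more likely a NAT or firewall change than a client without ESP support.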