Secure Mobile Access 12.4 Administration Guide

UDP Tunnel Mode

A network address translator (NAT) allows multiple private network addresses to share a single, public IPv4 address. But address translation also means that client-to-client networking applications, such as VoIP and video conferencing, will not work properly: these applications need to know a user's IP address in order to establish and maintain a reliable connection.

ESP (Encapsulating Security Payload) is a way to encapsulate and decapsulate packets inside a UDP wrapper (port 4500) so that they can traverse NATs. Using it can improve the performance of UDP-streaming applications such as VoIP. For more information on ESP and its UDP encapsulation, see RFCs 2406 and 3948.

ESP encapsulation is the default setting for newly defined communities. UDP port 4500 must be open in network firewalls for traffic to and from the appliance's external IP addresses and virtual IP addresses when using it. If the external appliance traffic is subject to NAT, then NAT must be configured for UDP port 4500. Also, in rare cases where the network environment does not properly implement PMTU discovery (see RFC 1191), certain applications may run inefficiently or perhaps not at all when using ESP encapsulation.

When enabled, ESP use is automatically negotiated between a client and the SMA appliance. You can choose to use it for all traffic or just UDP traffic; if ESP fails or if the client does not support it, then the SSL tunnel is automatically used instead. The User Sessions page in AMC indicates which type of tunnel is being used.

The log files also indicate which tunnel was used: log messages will indicate UDP port 4500 packets for ESP traffic and TCP port 443 packets for SSL tunnel packets.
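As an added illustration (not code from the guide or the appliance), the following script shows the two checks an administrator would want here: demultiplexing the payload of a UDP/4500 datagram as RFC 3948 describes (one-byte NAT keepalive, IKE behind the 4-byte non-ESP marker, or ESP with its SPI and sequence number), and classifying flow records as ESP (UDP 4500) or SSL tunnel (TCP 443) traffic. The flow-record syntax and sample records are constructed for the example and are not the appliance's real log format.

```python
import re
import struct

ESP_UDP_PORT = 4500   # RFC 3948 UDP-encapsulated ESP / IKE (NAT traversal)
SSL_TCP_PORT = 443    # SSL tunnel used when ESP fails or is unsupported
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: marks IKE carried on port 4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948: one-byte NAT keepalive

def classify_nat_t_payload(payload: bytes) -> dict:
    """Demultiplex the payload of a UDP/4500 datagram as RFC 3948 describes."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return {"kind": "ike", "ike_bytes": len(payload) - 4}
    if len(payload) < 8:          # ESP header = 4-byte SPI + 4-byte sequence number
        return {"kind": "malformed"}
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:                  # SPI 0 is reserved and never assigned to an SA
        return {"kind": "malformed"}
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_bytes": len(payload) - 8}

# Constructed flow-record format (hypothetical, not the appliance's log syntax):
# "proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
FLOW_RE = re.compile(r"proto=(\w+) src=(\S+):(\d+) dst=(\S+):(\d+)")

def tunnel_type(flow_line: str) -> str:
    """Map one flow record to the tunnel it belongs to: 'esp', 'ssl' or 'other'."""
    m = FLOW_RE.search(flow_line)
    if not m:
        return "other"
    proto, dport = m.group(1).lower(), int(m.group(5))
    if proto == "udp" and dport == ESP_UDP_PORT:
        return "esp"
    if proto == "tcp" and dport == SSL_TCP_PORT:
        return "ssl"
    return "other"

def summarize(flow_lines) -> dict:
    """Count records per tunnel type, e.g. to confirm ESP is really being negotiated."""
    counts = {"esp": 0, "ssl": 0, "other": 0}
    for line in flow_lines:
        counts[tunnel_type(line)] += 1
    return counts

SAMPLE_FLOWS = [  # constructed sample records
    "proto=udp src=10.0.0.5:4500 dst=203.0.113.10:4500",
    "proto=tcp src=10.0.0.6:51234 dst=203.0.113.10:443",
    "proto=udp src=10.0.0.7:4500 dst=203.0.113.10:4500",
    "proto=tcp src=10.0.0.8:51235 dst=203.0.113.10:80",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(classify_nat_t_payload(b"\x00\x00\x10\x01\x00\x00\x00\x2a" + b"\xaa" * 16))
```

A fleet where every client shows up as SSL rather than ESP usually means UDP 4500 is blocked or not NAT-forwarded somewhere on the path.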
