This document describes how to configure an Easy VPN (EzVPN) server and client to support Cisco Tunneling Control Protocol (cTCP). This sample configuration demonstrates a configuration for IPsec over TCP on any port. This feature is introduced in Cisco IOS® Software Release 12.4(9)T and is now supported in Cisco IOS Software Releases 12.4(20)T and later.
Cisco Tunneling Control Protocol enables VPN clients to operate in environments where standard ESP protocol (port 50) or IKE protocol (UDP port 500) are not permitted. For a variety of reasons, firewalls can not permit ESP or IKE traffic, which blocks VPN communication. cTCP solves this problem, because it encapsulates ESP and IKE traffic in the TCP header so that firewalls do not see it.
Ensure that your Easy VPN(EzVPN) server is configured for client connections. Refer to Cisco IOS Router as Easy VPN Server Using Cisco Configuration Professional Configuration Example for information on how to configure a Cisco IOS Router as an Easy VPN server .
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
Complete these steps in order to configure Cisco IOS Router (Easy VPN Server) to support cTCP on port 10000 :
Choose Configure > Security > VPN > Easy VPN Server, and click Global Settings in order to edit the Global Settings.
Check the Enable cTCP checkbox in order to enable cTCP.
Note: The port number 10000 is used by default. If required, the port number can be changed.
Complete these steps:
Choose Configure > Security > VPN > Easy VPN Remote, and click Edit in order to edit the client settings for cTCP configuration.
Click the Firewall Bypass tab and under the Automatic Firewall Bypass section and specify the Port Number and Keepalive time in seconds. Ensure that the checkbox next to Enable Easy VPN access through firewall is checked.
Note: The port number 10000 is used by default. If required the port number can be changed. Check with the remote administrator in order to verify which port number is used on the Easy VPN server since the server and client must use the same port number.
Click OK in order to complete the configuration.
There is no troubleshooting information available for this configuration.