IPsec over TCP
E522224
IPsec over TCP is a method of encapsulating IPsec traffic within TCP packets to traverse restrictive firewalls and NAT devices that block traditional IPsec protocols.
Statements (48)
| Predicate | Object |
|---|---|
| instanceOf | VPN traversal method; network tunneling technique |
| addressesProblem | blocking of traditional IPsec protocols; firewalls blocking ESP; firewalls blocking IKE; firewalls blocking UDP-encapsulated IPsec |
| alternativeTo | IPsec over UDP; NAT-T (UDP encapsulation for IPsec) |
| canBypass | firewalls that only allow outbound HTTPS-like traffic |
| canComplicate | traffic inspection by middleboxes |
| canUsePort | custom TCP port |
| compatibleWith | NAT devices that block ESP; stateful firewalls allowing only TCP |
| configurationOptionIn | some commercial VPN products |
| deploymentConsideration | may be disabled by security policy due to obfuscation; must be enabled on both client and gateway |
| encapsulatedWithin | TCP |
| encapsulates | ESP packets; IKE traffic |
| encapsulationDirection | IPsec inside TCP |
| goal | improve IPsec connectivity in hostile network environments |
| hasPurpose | traversing NAT devices; traversing restrictive firewalls |
| improves | traversal through HTTP proxies when using TCP 443 |
| isTransport | reliable byte-stream for IPsec packets |
| layer | transport layer encapsulation |
| mayCause | head-of-line blocking for encapsulated IPsec traffic |
| mayImpact | latency; throughput |
| operatesOver | IPv4; IPv6 |
| relatedConcept | SSL VPN; VPN over HTTPS; tunneling through restrictive networks |
| requires | IPsec-capable VPN client; IPsec-capable VPN gateway; TCP session establishment before IPsec traffic |
| requiresConfiguration | TCP port selection on VPN gateway; matching TCP port on VPN client |
| securityProperty | preserves IPsec encryption and authentication semantics |
| tradeOff | increased overhead compared to native IPsec; potential TCP-over-TCP performance issues |
| typicalTCPPort | 10000; 443 |
| usedIn | enterprise VPN deployments; remote access VPNs |
| usesProtocol | IPsec |
| visibilityToMiddleboxes | appears as generic TCP traffic |
Referenced by (1)