Always On VPN UDP Connection using Encapsulating Security Payload (ESP) is not working
In certain network configurations, an Always On VPN UDP connection using Encapsulating Security Payload (ESP) may not perform UDP Encapsulation of the ESP packet. It may behave similarly to a Layer 2 Tunneling Protocol (L2TP), where no UDP header or port is sent in the ESP packet. This will cause the VPN connection to fail on the LoadMaster.
Application: Always On VPN
An Always On VPN UDP connection using ESP may not function correctly through the LoadMaster without UDP Encapsulation of the ESP packets.
|Steps to Reproduce:|
|Cause:||When using IPsec with L2TP there is no UDP encapsulation. It's purely IP handling and the LoadMaster does not support this. In a packet capture taken on the LoadMaster, and after the ISAKMP authentication has been completed, the VPN will switch to using ESP for transmitting data. Within the ESP packets, there will be a notable absence of the UDP header or port number, where the packet will not be forwarded to the server and the VPN connection fails.|
|Resolution:||It will be necessary to ensure that the UDP VPN tunnels are UDP Encapsulated in order for this to function via the LoadMaster. This is a change required at the network level, where one suggestion could be to use NAT-T, which supports UDP Encapsulation. Please consult your network administrator, VPN provider or Internet Service Provider for further information.|
Always On VPN Configuration Guide:
Microsoft NAT-T UDP Encapsulation: