Hello Johann
When you configure any type of VPN on a device, if you take no further action, only one VPN client can connect to the VPN at any one time. Remember, the VPN functionality takes place at Layer 3. Yes, IKE negotiation uses UDP 500, but that’s just for IKE. The actual traffic is sent using regular TCP and UDP ports as determined by the applications using them.
This is a “problem” that exists whether you are attempting to connect multiple VPN clients to a single VPN headend device, or if you are trying to reserve specific ports to use to access the CLI interface of the router itself. Both of these problems can be resolved by using NAT.
There are basically three solutions to this:
- NAT Traversal - This method uses UDP port 500 for IKE negotiation, but then tunnels IPSec data within UDP packets using port 4500. This should free up other ports to be used for other purposes.
- IPSec over UDP - This method uses UDP port 500 for IKE negotiation, but tunnels all IPSec data within a predefined UDP port, which by default is port 10000.
- IPSec over TCP - This method tunnels both IKE negotiation and IPsec data traffic within a predefined TCP port.
FlexVPN supports NAT traversal. For more information about IPSec over UDP and TCP, take a look at this Cisco community thread:
I hope this has been helpful!
Laz
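The three encapsulations described above put IKE and ESP on different ports, which matters when you write firewall rules or inspect a capture to see which mode a client actually negotiated. The following is an added example, not code from the original thread or from Cisco: a small Python classifier that tells IKE on UDP 500, IKE behind the RFC 3948 non-ESP marker on UDP 4500, ESP-in-UDP on 4500, NAT-T keepalives, and traffic on the Cisco default IPsec-over-UDP port 10000 apart. The packet bytes are constructed inline for illustration; the function names, the flow tuple layout and the port-only treatment of UDP 10000 are assumptions of this example.

```python
"""Classify captured VPN datagrams by encapsulation type.

Constructed example: the datagrams below are built inline, not taken from
any real capture. Port numbers follow the thread (UDP 500 for IKE, UDP 4500
for NAT-T as in RFC 3948, UDP 10000 as the Cisco default for IPsec over UDP).
"""
import struct
from collections import Counter

IKE_PORT = 500
NAT_T_PORT = 4500
IPSEC_OVER_UDP_PORT = 10000          # Cisco default named in the thread (assumed)

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: IKE on 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one-byte keepalive
IKE_HDR_LEN = 28                      # 8 iSPI + 8 rSPI + 4 single-byte fields + msgid + length


def parse_ike_header(data: bytes):
    """Return a dict of ISAKMP/IKE header fields, or None if it does not look like IKE."""
    if len(data) < IKE_HDR_LEN:
        return None
    ispi, rspi, _np, version, xtype, _flags, _msgid, length = struct.unpack(
        "!QQBBBBII", data[:IKE_HDR_LEN])
    major = version >> 4               # 1 = IKEv1, 2 = IKEv2
    if major not in (1, 2) or length < IKE_HDR_LEN:
        return None
    return {"ispi": ispi, "rspi": rspi, "version": major,
            "exchange_type": xtype, "length": length}


def classify_udp(dst_port: int, payload: bytes) -> str:
    """Label one UDP datagram by destination port and leading bytes."""
    if dst_port == IKE_PORT:
        return "ike" if parse_ike_header(payload) else "udp500-not-ike"
    if dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return "nat-t-keepalive"
        if payload.startswith(NON_ESP_MARKER):
            # IKE carried on 4500: the real IKE header follows the marker
            return "ike-nat-t" if parse_ike_header(payload[4:]) else "nat-t-bad-ike"
        if len(payload) >= 8:
            # ESP-in-UDP: a non-zero SPI (SPI 0 is reserved) then a sequence number
            return "esp-in-udp"
        return "nat-t-short"
    if dst_port == IPSEC_OVER_UDP_PORT:
        return "ipsec-over-udp"        # assumed: identified by port only, payload not inspected
    return "other"


def summarize(flows) -> dict:
    """Count encapsulation labels over (dst_port, payload) pairs."""
    return dict(Counter(classify_udp(port, data) for port, data in flows))


# --- constructed sample datagrams -------------------------------------------
def build_ike_header(ispi: int, rspi: int, xtype: int, payload_len: int = 0,
                     version: int = 0x20) -> bytes:
    """Build a bare IKE header (IKEv2 by default) plus zero-filled payload."""
    length = IKE_HDR_LEN + payload_len
    return struct.pack("!QQBBBBII", ispi, rspi, 0, version, xtype, 0x08, 0, length) \
        + b"\x00" * payload_len


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """Build an ESP packet: SPI, sequence number, then (opaque) encrypted body."""
    return struct.pack("!II", spi, seq) + body


SAMPLE_FLOWS = [
    (500, build_ike_header(0x1111, 0, 34)),                          # IKE_SA_INIT on UDP 500
    (4500, NON_ESP_MARKER + build_ike_header(0x1111, 0x2222, 36)),   # IKE_AUTH behind NAT-T marker
    (4500, build_esp(0x00C0FFEE, 1, b"\x00" * 32)),                  # ESP-in-UDP data
    (4500, build_esp(0x00C0FFEE, 2, b"\x00" * 32)),
    (4500, NAT_KEEPALIVE),                                            # NAT-T keepalive
    (10000, b"\x00" * 48),                                            # Cisco IPsec over UDP
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(f"udp/{port:<5} {len(data):>3} bytes -> {classify_udp(port, data)}")
    print(summarize(SAMPLE_FLOWS))
```

Running it shows each constructed datagram with its label and a count per encapsulation, which is the view you want before deciding whether a headend behind NAT needs UDP 4500 opened in addition to UDP 500.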