BugZero | Cisco BugID CSCvw21213 - ENH IOS-XE implement IKEv2 nat force-encap on resp...

Cisco - Defect ID: CSCvw21213

ENH IOS-XE implement IKEv2 nat force-encap on responder side

Cisco - Defect ID: CSCvw21213

ENH IOS-XE implement IKEv2 nat force-encap on responder side

Last updated on 4/28/2025

Overall: 3.13.1

Severity: 3.73.7

Lifecycle: 44.0

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 3.13.1

Severity: 3.73.7

Lifecycle: 44.0

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

This is enhancement to force UDP encapsulation for ESP packets from the responder side of the IKEv2 tunnel.

Conditions

No NAT between IKEv2 VPN peers and UDP encapsulation is needed - e.g. due to ISP blocking ESP (protocol 50).

Workaround

Force UDP encapsulation on the initiator: crypto ikev2 profile nat force-encap Initiator needs to run IOS-XE 16.9.1 or newer or IOS 15.7(03)M02 or newer.

Further Problem Description

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvw21213

ENH IOS-XE implement IKEv2 nat force-encap on responder side

Cisco - Defect ID: CSCvw21213

ENH IOS-XE implement IKEv2 nat force-encap on responder side

Last updated on 4/28/2025

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?