[c-nsp] EasyVPN server - clients behind NAT

Kristofer Sigurdsson ks at rhi.hi.is
Thu Aug 19 07:20:35 EDT 2004


Hello,

I've been having some problems with clients connecting to my VPN server.  It
seems that clients that are behind NAT can't connect.  I have tried this myself
and managed to reproduce the error: quite simply, if I'm behind NAT, I can't connect.

The NAT gateway supports IPSec passthrough, and the client is set to "Enable Transparent Tunneling"
with the "IPSec over UDP (NAT / PAT)" option selected, but the client, even in successful connections
(no NAT), indicates that it is disabled.  Do I have to do anything on the VPN gateway for this to work?

My guess is that this has something to do with the authentication header; I've heard something
about that not working with NAT?  I tried disabling hashing and removing authentication from the
transform set, with no luck.

I'm using an EasyVPN server on a 7206VXR (NPE-G1) with a VPN accelerator card, IOS 12.3(9a).  The clients I've
tried are Cisco VPN Client 4.0.3 and 4.0.5 for Windows and 4.0.2 for Mac OS X.

Any ideas?

Thanks in advance,

-- 
Kristófer Sigurðsson		   | Tel: +354 525 4103 / MSN: ks at rhi.hi.is
Netsérfræðingur/Network specialist | Reiknistofnun HÍ/University of Iceland

