[c-nsp] EasyVPN server - clients behind NAT
Hroi Sigurdsson
hroi at asdf.dk
Thu Aug 19 12:36:58 EDT 2004
(apologies to Kristofer for the direct reply)
Kristofer Sigurdsson wrote:
> The NAT gateway supports IPSec passthrough, the client is set to "Enable Transparent Tunneling",
> with the "IPSec over UDP (NAT / PAT)" option selected, but the client, even in successful connections
> (no NAT), indicates that it is disabled, do I have to do anything on the VPN gateway for this to work?
>
> My guess is that this has something to do with the authentication header, I've heard something
> about that not working with NAT? I tried disabling hashing and removing authentication from the
> transform set, no luck.
On the PIX "isakmp nat-traversal" usually fixes this. Without it you
will successfully establish a connection, but no traffic flows. If you
check "Enable transparent tunneling" and connect to a PIX without
"isakmp nat-traversal" it won't tell you that it's not using transparent
tunneling but is instead sending "raw" ESP packets which are dropped by
some NATs.
--
Hroi Sigurdsson · NetGroup DataCenter A/S
St. Kongensgade 40H · DK-1264 Copenhagen K, Denmark
Phone: +45 3370 1544 · Fax: +45 7025 2687
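
The following is an added example, not part of the original post or of any Cisco tooling: a check for the symptom described in the reply, classifying packets captured on the client side of the NAT as raw ESP or UDP-encapsulated ESP. It assumes standard NAT-T encapsulation (RFC 3947/3948, UDP ports 500 and 4500); the helper names and sample packets are constructed for illustration.

```python
import socket, struct
from collections import Counter

IKE_PORT, NATT_PORT = 500, 4500      # assumption: standard RFC 3947/3948 ports
PROTO_UDP, PROTO_ESP = 17, 50

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by how it carries IPsec traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == PROTO_ESP:
        return "raw-esp"                  # IP protocol 50: no ports for PAT to rewrite
    if pkt[9] != PROTO_UDP or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"       # one-byte keepalive that holds the NAT mapping
        if payload[:4] == b"\x00" * 4:
            return "ike-natt"             # non-ESP marker precedes IKE on port 4500
        return "esp-in-udp"
    return "ike" if IKE_PORT in (sport, dport) else "other"

def diagnose(packets) -> str:
    """Summarise a capture taken on the client side of the NAT."""
    seen = Counter(classify(p) for p in packets)
    if seen["esp-in-udp"]:
        return "ESP is UDP-encapsulated: NAT traversal is in use"
    if seen["raw-esp"]:
        return "raw ESP only: NAT traversal was not negotiated"
    return "no ESP traffic seen"

def ipv4(proto, payload, src="192.168.1.10", dst="203.0.113.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload                  # checksum left at zero (constructed packet)

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed samples, not captures from the thread.
ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16   # SPI, sequence, ciphertext
IKE = b"\x11" * 28                                       # stand-in for an ISAKMP message
WITHOUT_NATT = [ipv4(17, udp(500, 500, IKE)), ipv4(50, ESP)]
WITH_NATT = [ipv4(17, udp(500, 500, IKE)), ipv4(17, udp(4500, 4500, b"\x00" * 4 + IKE)),
             ipv4(17, udp(4500, 4500, ESP)), ipv4(17, udp(4500, 4500, b"\xff"))]
```

`diagnose(WITHOUT_NATT)` reports raw ESP only, which matches the case where the connection establishes but no traffic flows through the NAT.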