[c-nsp] Problem with cisco VPN, help please
Joel M Snyder
Joel.Snyder at Opus1.COM
Fri Aug 12 10:24:37 EDT 2005
> Thank you for your help. Yes, my VPN gateway is NATed. The guy on the
> other side tells me that he receives my packet, responds, and then he
> receives nothing (time out). It seems that I'm not receiving his
> response? I have activated the debug packet from the distant gateway, it
> gives:
> -- IP --
> xxx.xxx.xxx.xxx ==> 192.168.99.250

So, this says that he's generating a response to your MM packet 1, but
that response is going back to a 192.168.x.x address. Unless he has
some magic way of getting back to that address, this is a big part of
the problem. It actually looks like you're NOT being NATed, because the
response is going back to this 192.168 address.

I think that we'd need a lot more detail about who is being NATed (or
NAPTed), what system is doing the NATing (i.e., it is smart enough to
deal with IKE+IPsec), and what your new external address is, in order to
figure it out. But the problem is somewhere in the combination of the
NAT/NAPT, the IKE peer identities, and how you might be doing
authentication.

Your life will be immeasurably easier if you can get the external IKE
address of your VPN gateway in an un-NATed state.

jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One