[c-nsp] IPSEC behind NAT device problem

mihai at duras.ro
Thu Oct 18 10:41:52 EDT 2007


Hello,


I've got a problem with 2 IPSEC devices (one behind NAT) and am running
out of ideas on what to try to solve it.


The schematic looks like the following:


192.168.1.0/24 -- C3660 IPSEC -- 172.16.254.2 --- 172.16.254.1 - Linux BOX
doing NAT - public IP1 -- INTERNET ---  public IP2 -- Cisco PIX --
192.168.5.0/24


I've set up DNAT on the Linux box for UDP port 500 and ESP to the C3660
machine.

Also the peers are defined like this:

On C3660:
peer = public IP2 + secret
On PIX:
peer = public IP1 + secret

I think that, because of NAT, IKE phase 1 might be failing (I see some
messages about Invalid Informational step 1), as the preshared key auth is
based on the IP header (and the IP src in the payload behind C3660 differs
from the public IP1).

Also on the PIX upon debugging I see something else:
Phase 2 - duplicate packets

I don't know what else to try or how I should proceed to solve this.


I tried avoiding the problem by setting up a GRE tunnel + IPSEC protection
but my PIX doesn't seem to support it.


If you have any solution for this I'd be grateful.


Thanks,
Mihai
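An added illustration (not part of Mihai's post) of how an IKEv1 peer that supports NAT traversal would detect the Linux NAT in the diagram above: each side sends an RFC 3947 NAT-D payload, HASH(CKY-I | CKY-R | IP | Port), built from the address it believes it is using, and the receiver recomputes it over the source it actually saw. The cookies and the two public addresses below are constructed placeholders, since the post does not give them.

```python
import hashlib
import ipaddress
import struct

# Constructed sample IKE cookies (8 bytes each); real ones come from the exchange.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

# Placeholder public addresses standing in for "public IP1" (Linux NAT) and
# "public IP2" (PIX) from the diagram.
PUBLIC_IP1 = "203.0.113.1"
PUBLIC_IP2 = "198.51.100.1"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    SHA-1 is assumed as the negotiated hash; IP is 4 bytes and the port is a
    2-byte big-endian value, both in network byte order.
    """
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, seen_ip, seen_port):
    """Receiver-side check: recompute the hash over the observed source.

    A mismatch means an address or port was rewritten on the path, i.e. a NAT
    sits between the peers, and the peers should move to UDP/4500 encapsulation
    instead of raw ESP.
    """
    received = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    local = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return received != local


def c3660_behind_nat() -> bool:
    # The C3660 hashes its own interface address 172.16.254.2; the PIX sees the
    # packet arriving from the Linux box's public address after SNAT.
    return nat_detected(CKY_I, CKY_R, "172.16.254.2", 500, PUBLIC_IP1, 500)


def pix_behind_nat() -> bool:
    # The PIX sits directly on its public address, so the C3660 recomputes the
    # same hash and concludes that side is not translated.
    return nat_detected(CKY_I, CKY_R, PUBLIC_IP2, 500, PUBLIC_IP2, 500)
```

Only the C3660 side fails the check, which is exactly the asymmetry in the diagram: a single DNAT for UDP/500 and ESP carries the packets, but it does not stop the peer's identity and NAT-D payloads from disagreeing with the outer IP header.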


