[c-nsp] IPSEC behind NAT device problem

Church, Charles cchurc05 at harris.com
Thu Oct 18 10:59:00 EDT 2007


Are you using AH?  That doesn't work with NAT, at least it didn't last
time I did a lot of VPN stuff. 

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mihai at duras.ro
Sent: Thursday, October 18, 2007 10:42 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSEC behind NAT device problem

Hello,


I've got a problem with 2 IPSEC devices (one behind NAT) and am running
out of ideas on what to try to solve it.


The schematic looks like the following:


192.168.1.0/24 -- C3660 IPSEC -- 172.16.254.2 --- 172.16.254.1 - Linux BOX doing NAT - public IP1 -- INTERNET --- public IP2 -- Cisco PIX -- 192.168.5.0/24


I've set up DNAT on the Linux box for UDP port 500 and ESP to the C3660
machine.

Also the peers are defined like this:

On C3660:
peer = public IP2 + secret
On PIX:
peer = public IP 1 + secret

I think that because of NAT, IKE phase 1 might be failing (I see some
messages about Invalid Informational step 1), as the preshared key auth is
based on the IP header (and the IP src in the payload behind C3660 differs
from the public IP1).

Also on the PIX upon debugging I see something else:
Phase 2 - duplicate packets

I don't know what else to try or how I should proceed to solve this.


I tried avoiding the problem by setting up a GRE tunnel + IPSEC protection
but my PIX doesn't seem to support it.


If you have any solution for this I'd be grateful.


Thanks,
Mihai

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
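
Added example, not part of this thread and not either poster's configuration: the mechanism IKE uses to notice exactly the situation Mihai describes. With NAT-Traversal (RFC 3947) each peer sends NAT-D payloads, hashes of the ISAKMP cookies plus the IP address and port as that peer sees them; the receiver recomputes the hashes over the source and destination it actually observes on the UDP packet, and a mismatch means an address was rewritten in transit. Once a NAT is detected both sides move to UDP 4500 (RFC 3948), where IKE carries a 4-byte zero non-ESP marker and ESP is UDP-encapsulated, so ESP no longer has to be forwarded as raw protocol 50 and the IKE identity check no longer trips on the rewritten source. The cookies and the public addresses are constructed placeholders (TEST-NET ranges stand in for "public IP1" and "public IP2"); 172.16.254.2 is the C3660's address from the thread.

```python
import hashlib
import ipaddress
import struct

# Constructed values (not from the thread): ISAKMP cookies and stand-in public addresses.
CKY_I = bytes.fromhex("0123456789abcdef")   # initiator cookie, constructed
CKY_R = bytes.fromhex("fedcba9876543210")   # responder cookie, constructed
C3660_PRIVATE = "172.16.254.2"              # from the thread: the C3660 behind the Linux NAT
PUBLIC_IP1 = "203.0.113.10"                 # placeholder for the Linux box's public IP1
PUBLIC_IP2 = "198.51.100.20"                # placeholder for the PIX's public IP2
IKE_PORT = 500
NAT_T_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload value per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).
    IP is the packed 4-byte IPv4 address, Port is 2 bytes in network order, and the
    hash is the one negotiated in phase 1 (SHA-1 assumed here)."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Sender side. RFC 3947 orders the payloads: first the one covering the remote
    (destination) address, then one per local address as the sender itself sees it.
    A host behind NAT therefore hashes its *private* address, which is the whole point."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, payloads, observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver side. Recompute over the addresses actually seen on the wire and compare.
    No match among the peer's local hashes: the peer's source was rewritten (peer behind
    NAT). Mismatch on the hash the peer computed for us: our address was rewritten on
    the way in (we are behind NAT)."""
    expected_for_me = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    expected_for_peer = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    return {
        "peer_behind_nat": expected_for_peer not in payloads[1:],
        "me_behind_nat": payloads[0] != expected_for_me,
    }


def classify_udp4500(datagram: bytes) -> str:
    """After NAT detection both peers use UDP 4500 (RFC 3948). IKE packets there start
    with a 4-byte zero non-ESP marker; UDP-encapsulated ESP starts directly with its SPI,
    which is never zero, so the receiver demultiplexes on the first 4 bytes."""
    if len(datagram) < 4:
        return "runt"
    return "ike" if datagram[:4] == b"\x00\x00\x00\x00" else "esp"


def thread_scenario():
    """The thread's topology: the C3660 initiates from 172.16.254.2:500, the Linux box
    rewrites the source to public IP1, and the PIX at public IP2 receives it."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, C3660_PRIVATE, IKE_PORT, PUBLIC_IP2, IKE_PORT)
    # The PIX observes the post-NAT source address, not 172.16.254.2.
    return detect_nat(CKY_I, CKY_R, sent, PUBLIC_IP1, IKE_PORT, PUBLIC_IP2, IKE_PORT)


def no_nat_scenario():
    """Control case: both peers on public addresses, nothing rewritten."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, PUBLIC_IP1, IKE_PORT, PUBLIC_IP2, IKE_PORT)
    return detect_nat(CKY_I, CKY_R, sent, PUBLIC_IP1, IKE_PORT, PUBLIC_IP2, IKE_PORT)


if __name__ == "__main__":
    print("thread topology:", thread_scenario())
    print("no NAT:", no_nat_scenario())
    print(classify_udp4500(b"\x00\x00\x00\x00" + b"ike header..."),
          classify_udp4500(b"\x00\x00\x10\x01" + b"esp body..."))
```

The practical consequence for the topology in the thread: the Linux box must pass UDP 4500 (in addition to UDP 500) to the C3660, both peers need NAT-T enabled so the detection above actually runs, and AH remains unusable because its integrity check covers the very IP header the NAT rewrites.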
