[c-nsp] IPSEC behind NAT device problem

mihai at duras.ro mihai at duras.ro
Thu Oct 18 13:49:36 EDT 2007


No.

I'm using ESP.

This is my config:

192.168.5.0/24 -- PIX -- public(IP1) <----> INTERNET <----> public(IP2)
Linux - 172.16.254.1 ---- 172.16.254.2 Cisco 3660 -- 192.168.6.0/24


On PIX:

access-list ipsec permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
isakmp enable outside
crypto ipsec transform-set avalanche esp-des
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer public-remote-IP(linux NAT)
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg 21 set security-association lifetime seconds 28800 kilobytes 4608000
isakmp key ******** address public-remote-IP(linux NAT) netmask 255.255.255.255
! here I've also added a key for the IP behind NAT that initializes the
! connection.. don't think it helps though.. but I've seen it in the payload
! upon debugging.. so I thought it might be used instead of the public one
! for the initial authentication
isakmp key ******** address 172.16.254.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400

On C3660 router:

crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key n3$$t3@ address PIX-public-IP
!tried here with esp-des and esp-md5-hmac before removing the last one
! and trying without any auth algorithm
crypto ipsec transform-set sharks esp-des
crypto map nolan 11 ipsec-isakmp
 set peer PIX-public-IP
 set transform-set sharks
 match address 120

access-list 120 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255



On Thu, October 18, 2007 5:59 pm, Church, Charles wrote:
> Are you using AH?  That doesn't work with NAT, at least it didn't last
> time I did a lot of VPN stuff.
>
> Chuck
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mihai at duras.ro
> Sent: Thursday, October 18, 2007 10:42 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPSEC behind NAT device problem
>
>
> Hello,
>
>
>
> I've got a problem with 2 IPSEC devices (one behind NAT) and am running
> out of ideas on what to try to solve it.
>
>
> The schematic looks like the following:
>
>
>
> 192.168.1.0/24 -- C3660 IPSEC -- 172.16.254.2 --- 172.16.254.1 - Linux
> BOX
> doing NAT - public IP1 -- INTERNET ---  public IP2 -- Cisco PIX --
> 192.168.5.0/24
>
>
>
> I've set up DNAT on the Linux box for UDP port 500 and ESP to the C3660
> machine.
>
> Also the peers are defined like this:
>
>
> On C3660:
> peer = public IP2 + secret
>
> On PIX:
> peer = public IP 1 + secret
>
> I think that because of NAT IKE phase 1 might be failing (I see some
> messages about Invalid Informational step 1), as the preshared key auth is
> based on the IP header (and the IP src in the payload behind C3660 differs
> from the public IP1).
>
> Also on the PIX upon debugging I see something else:
> Phase 2 - duplicate packets
>
>
> I don't know what else to try or how I should proceed to solve this.
>
>
>
> I tried avoiding the problem by setting up a GRE tunnel + IPSEC protection
> but my PIX doesn't seem to support it.
>
>
> If you have any solution for this I'd be grateful.
>
>
>
> Thanks,
> Mihai
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

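As an added example (not part of the thread, and not Cisco tooling): a small Python checker that compares the two posted configs for the parameter agreement IKE phase 1 and phase 2 require, converting the IOS wildcard masks to PIX-style netmasks so the crypto ACLs can be tested as mirror images and filling in the IOS `crypto isakmp policy` defaults the router config leaves implicit. The config lines are copied from the post; the default values are assumed from IOS documentation.

```python
import ipaddress

# Constructed from the two configs posted in the thread. The PIX ACL uses
# netmasks, the IOS ACL uses wildcard masks; the IKE policies are the lines
# shown, with IOS defaults (assumed) filled in for what the router omits.
PIX_ACL = "access-list ipsec permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0"
IOS_ACL = "access-list 120 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255"
PIX_TS = "crypto ipsec transform-set avalanche esp-des"
IOS_TS = "crypto ipsec transform-set sharks esp-des"
PIX_IKE = {"authentication": "pre-share", "encryption": "des", "hash": "md5", "group": "1"}
IOS_IKE = {"hash": "md5", "authentication": "pre-share"}
# IOS 'crypto isakmp policy' defaults for attributes not configured explicitly
IOS_IKE_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}


def wildcard_to_netmask(wild):
    """0.0.0.255 -> 255.255.255.0 (IOS ACLs use inverted masks)."""
    return str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wild))))


def parse_acl(line, wildcard):
    """Return (src_net, dst_net) from a 'permit ip' ACL line."""
    f = line.split()
    i = f.index("ip") + 1
    src, smask, dst, dmask = f[i:i + 4]
    if wildcard:
        smask, dmask = wildcard_to_netmask(smask), wildcard_to_netmask(dmask)
    return ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")


def transform_algs(line):
    """'crypto ipsec transform-set <name> alg [alg]' -> set of algorithms."""
    return set(line.split()[4:])


def check(pix_acl, ios_acl, pix_ts, ios_ts, pix_ike, ios_ike):
    """List phase-1 / phase-2 parameter mismatches between the two ends."""
    problems = []
    p_src, p_dst = parse_acl(pix_acl, wildcard=False)
    i_src, i_dst = parse_acl(ios_acl, wildcard=True)
    if (p_src, p_dst) != (i_dst, i_src):  # proxy IDs must be mirror images
        problems.append(f"crypto ACLs not mirrored: PIX {p_src}->{p_dst}, IOS {i_src}->{i_dst}")
    if transform_algs(pix_ts) != transform_algs(ios_ts):
        problems.append("transform sets differ")
    ios_full = {**IOS_IKE_DEFAULTS, **ios_ike}  # explicit lines override defaults
    for attr in IOS_IKE_DEFAULTS:
        if pix_ike.get(attr) != ios_full[attr]:
            problems.append(f"IKE {attr}: PIX {pix_ike.get(attr)} vs IOS {ios_full[attr]}")
    return problems


if __name__ == "__main__":
    print(check(PIX_ACL, IOS_ACL, PIX_TS, IOS_TS, PIX_IKE, IOS_IKE) or "no mismatches found")
```

For the configs as posted the checker reports no mismatches, which is consistent with the problem sitting in the NAT path rather than in the proposal or proxy-ID agreement; swapping in the 192.168.1.0/24 network from the quoted diagram shows what a proxy-ID mismatch looks like.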