[c-nsp] IPSEC behind NAT device problem

Michael K. Smith - Adhost mksmith at adhost.com
Thu Oct 18 14:00:26 EDT 2007


Did you try adding:

isakmp nat-traversal 20

on the PIX?  There may be a similar command on the 3600 but I'm not
sure.

Regards,

Mike

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of mihai at duras.ro
> Sent: Thursday, October 18, 2007 11:50 AM
> To: Church, Charles
> Cc: cisco-nsp at puck.nether.net; mihai at duras.ro
> Subject: Re: [c-nsp] IPSEC behind NAT device problem
> 
> No.
> 
> I'm using ESP.
> 
> This is my config:
> 
> 192.168.5.0/24 -- PIX -- public(IP1) <----> INTERNET <----> public(IP2)
> Linux - 172.16.254.1 ---- 172.16.254.2 Cisco 3660 -- 192.168.6.0/24
> 
> 
> On PIX:
> 
> access-list ipsec permit ip 192.168.5.0 255.255.255.0 192.168.6.0
> 255.255.255.0
> access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.6.0
> 255.255.255.0
> global (outside) 1 interface
> nat (inside) 0 access-list nonat
> nat (inside) 1 192.168.5.0 255.255.255.0 0 0
> isakmp enable outside
> crypto ipsec transform-set avalanche esp-des
> crypto ipsec security-association lifetime seconds 3600
> crypto map forsberg 21 ipsec-isakmp
> crypto map forsberg 21 match address ipsec
> crypto map forsberg 21 set peer public-remote-IP(linux NAT)
> crypto map forsberg 21 set transform-set avalanche
> crypto map forsberg 21 set security-association lifetime seconds 28800
> kilobytes 4608000
> isakmp key ******** address public-remote-IP(linux NAT) netmask
> 255.255.255.255
> ! here I've also added a key for the IP behind NAT that initializes the
> connection..don't think it helps though ..but I've seen it in the payload
> upon debugging..so I thought it might be used instead of the public one
> for the initial authentication
> isakmp key ******** address 172.16.254.2 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 21 authentication pre-share
> isakmp policy 21 encryption des
> isakmp policy 21 hash md5
> isakmp policy 21 group 1
> isakmp policy 21 lifetime 86400
> 
> On C3660 router:
> 
> crypto isakmp policy 11
>  hash md5
>  authentication pre-share
> crypto isakmp key n3$$t3@ address PIX-public-IP
> !tried here with esp-des and esp-md5-hmac before removing the last one
> ! and trying without any auth algorithm
> crypto ipsec transform-set sharks esp-des
> crypto map nolan 11 ipsec-isakmp
>  set peer PIX-public-IP
>  set transform-set sharks
>  match address 120
> 
> access-list 120 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
> 
> 
> 
> On Thu, October 18, 2007 5:59 pm, Church, Charles wrote:
> > Are you using AH?  That doesn't work with NAT, at least it didn't last
> > time I did a lot of VPN stuff.
> >
> > Chuck
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mihai at duras.ro
> > Sent: Thursday, October 18, 2007 10:42 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] IPSEC behind NAT device problem
> >
> >
> > Hello,
> >
> >
> >
> > I've got a problem with 2 IPSEC devices (one behind NAT) and am running
> > out of ideas on what to try to solve it.
> >
> >
> > The schematic looks like the following:
> >
> >
> >
> > 192.168.1.0/24 -- C3660 IPSEC -- 172.16.254.2 --- 172.16.254.1 - Linux BOX
> > doing NAT - public IP1 -- INTERNET --- public IP2 -- Cisco PIX --
> > 192.168.5.0/24
> >
> >
> >
> > I've set up DNAT on the Linux box for UDP port 500 and ESP to the C3660
> > machine.
> >
> > Also the peers are defined like this:
> >
> >
> > On C3660:
> > peer = public IP2 + secret
> >
> > On PIX:
> > peer = public IP 1 + secret
> >
> > I think that because of NAT IKE phase 1 might be failing (I see some
> > messages about Invalid Informational step 1), as the preshared key auth is
> > based on the IP header (and the IP src in the payload behind C3660 differs
> > from the public IP1).
> >
> > Also on the PIX upon debugging I see something else:
> > Phase 2 - duplicate packets
> >
> >
> > I don't know what else to try or how I should proceed to solve this.
> >
> >
> >
> > I tried avoiding the problem by setting up a GRE tunnel + IPSEC protection
> > but my PIX doesn't seem to support it.
> >
> >
> > If you have any solution for this I'd be grateful.
> >
> >
> >
> > Thanks,
> > Mihai
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> 
> 
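The `isakmp nat-traversal` command suggested above turns on IKE NAT Traversal, whose first step is the NAT Discovery exchange of RFC 3947: each peer sends NAT-D payloads of HASH(CKY-I | CKY-R | IP | Port) and the receiver compares them with the addresses it actually sees on the packet. The Python below is an added illustration of that detection step; it is not code from this thread or from Cisco. It replays the thread's topology from the PIX's side with constructed cookies and documentation addresses standing in for the redacted public IPs (192.0.2.1 for IP1, 198.51.100.1 for IP2); the function names are this example's own.

```python
# Added example (not from the mailing-list thread): RFC 3947 NAT Discovery,
# the mechanism behind PIX "isakmp nat-traversal" / IOS NAT-T.  Each side
# sends NAT-D payloads of HASH(CKY-I | CKY-R | IP | Port); the receiver hashes
# the addresses it observes on the wire and compares.  A mismatch means a NAT
# rewrote that address, so the peers float to UDP/4500 and carry ESP inside
# UDP instead of sending raw ESP that the NAT cannot track.
import hashlib
import ipaddress
import struct
from typing import Dict, List

IKE_PORT = 500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "md5") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).

    IP is the packed address (4 bytes for IPv4), Port the 2-byte UDP port in
    network byte order.  The hash is the one negotiated in phase 1 (the
    thread's policies use MD5).
    """
    data = (cky_i + cky_r + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes,
                         local_ip: str, local_port: int,
                         remote_ip: str, remote_port: int,
                         hash_name: str = "md5") -> List[bytes]:
    """Sender side: the first NAT-D payload covers the address the sender is
    sending *to*; the following one(s) cover the sender's own address."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port, hash_name),
            nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name)]


def detect_nat(payloads: List[bytes], cky_i: bytes, cky_r: bytes,
               observed_src_ip: str, observed_src_port: int,
               observed_dst_ip: str, observed_dst_port: int,
               hash_name: str = "md5") -> Dict[str, bool]:
    """Receiver side: compare the peer's NAT-D hashes against the addresses
    seen on the packet that carried them."""
    if len(payloads) < 2:
        raise ValueError("NAT-D needs at least two payloads (remote, then local)")
    # Payload 0 is what the peer believes *our* address is.  If it differs from
    # the destination we actually received on, a NAT sits in front of us.
    my_hash = nat_d_hash(cky_i, cky_r, observed_dst_ip, observed_dst_port, hash_name)
    local_behind_nat = payloads[0] != my_hash
    # Payloads 1..n are the peer's own addresses.  If none equals the packet's
    # observed source, the peer's source address was rewritten on the way.
    src_hash = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port, hash_name)
    peer_behind_nat = src_hash not in payloads[1:]
    return {"local_behind_nat": local_behind_nat, "peer_behind_nat": peer_behind_nat}


def thread_scenario() -> Dict[str, bool]:
    """Constructed replay of the thread's topology as seen by the PIX.

    Placeholders (the post redacts the real addresses):
      IP1 = 192.0.2.1      public address of the Linux NAT box
      IP2 = 198.51.100.1   public address of the PIX
    The C3660 (172.16.254.2) initiates; after the Linux box's NAT the PIX sees
    the packet from IP1:500 to IP2:500.
    """
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    sent_by_c3660 = build_nat_d_payloads(
        cky_i, cky_r,
        local_ip="172.16.254.2", local_port=IKE_PORT,    # what the router knows
        remote_ip="198.51.100.1", remote_port=IKE_PORT)  # IP2, the PIX
    # The PIX evaluates the payloads against the headers it observed.
    return detect_nat(sent_by_c3660, cky_i, cky_r,
                      observed_src_ip="192.0.2.1", observed_src_port=IKE_PORT,
                      observed_dst_ip="198.51.100.1", observed_dst_port=IKE_PORT)


def no_nat_scenario() -> Dict[str, bool]:
    """Same exchange with the router directly on a public address: no mismatch."""
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    sent = build_nat_d_payloads(cky_i, cky_r, "192.0.2.1", IKE_PORT,
                                "198.51.100.1", IKE_PORT)
    return detect_nat(sent, cky_i, cky_r, "192.0.2.1", IKE_PORT,
                      "198.51.100.1", IKE_PORT)


if __name__ == "__main__":
    print("PIX view, router behind Linux NAT:", thread_scenario())
    print("PIX view, no NAT:", no_nat_scenario())
```

Once both peers see the mismatch, IKE and ESP move to UDP/4500 (RFC 3948 UDP encapsulation), so a NAT box that forwards only UDP/500 and protocol 50 to the router, as in the original post, also has to forward UDP/4500 before NAT-T can complete.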

