[c-nsp] IPSEC behind NAT device problem

Mihai Tanasescu mihai at duras.ro
Thu Oct 18 15:02:47 EDT 2007


Hello,


I don't think this is required (the PIX has a public IP and no NAT in 
place).

Also, nat-traversal would have been required (as far as I've read) on the 
C3660 router only if the Linux machine had been unable to translate the 
packets by default (which works).


This is what I found about NAT Traversal on the Cisco website:

Although this feature addresses many incompatibilities between NAT and 
IPSec, the following problems still exist:

Internet Key Exchange (IKE) IP Address and NAT

This incompatibility applies only when IP addresses are used as a search 
key to find a preshared key. Modification of the IP source or 
destination addresses by NAT or reverse NAT results in a mismatch 
between the IP address and the preshared key.

Embedded IP Addresses and NAT

Because the payload is integrity protected, any IP address enclosed 
within IPSec packets cannot be translated by NAT. Protocols that use 
embedded IP addresses include FTP, Internet Relay Chat (IRC), Simple 
Network Management Protocol (SNMP), Lightweight Directory Access 
Protocol (LDAP), H.323, and Session Initiation Protocol (SIP).

Michael K. Smith - Adhost wrote:
> Did you try adding:
>
> isakmp nat-traversal 20
>
> on the PIX?  There may be a similar command on the 3600 but I'm not
> sure.
>
> Regards,
>
> Mike
>
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of mihai at duras.ro
>> Sent: Thursday, October 18, 2007 11:50 AM
>> To: Church, Charles
>> Cc: cisco-nsp at puck.nether.net; mihai at duras.ro
>> Subject: Re: [c-nsp] IPSEC behind NAT device problem
>>
>> No.
>>
>> I'm using ESP.
>>
>> This is my config:
>>
>> 192.168.5.0/24 -- PIX -- public(IP1) <----> INTERNET <----> public(IP2)
>> Linux - 172.16.254.1 ---- 172.16.254.2 Cisco 3660 -- 192.168.6.0/24
>>
>>
>> On PIX:
>>
>> access-list ipsec permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
>> access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
>> global (outside) 1 interface
>> nat (inside) 0 access-list nonat
>> nat (inside) 1 192.168.5.0 255.255.255.0 0 0
>> isakmp enable outside
>> crypto ipsec transform-set avalanche esp-des
>> crypto ipsec security-association lifetime seconds 3600
>> crypto map forsberg 21 ipsec-isakmp
>> crypto map forsberg 21 match address ipsec
>> crypto map forsberg 21 set peer public-remote-IP(linux NAT)
>> crypto map forsberg 21 set transform-set avalanche
>> crypto map forsberg 21 set security-association lifetime seconds 28800 kilobytes 4608000
>> isakmp key ******** address public-remote-IP(linux NAT) netmask 255.255.255.255
>> ! here I've also added a key for the IP behind NAT that initializes the
>> ! connection..don't think it helps though ..but I've seen it in the payload
>> ! upon debugging..so I thought it might be used instead of the public one
>> ! for the initial authentication
>> isakmp key ******** address 172.16.254.2 netmask 255.255.255.255
>> isakmp identity address
>> isakmp policy 21 authentication pre-share
>> isakmp policy 21 encryption des
>> isakmp policy 21 hash md5
>> isakmp policy 21 group 1
>> isakmp policy 21 lifetime 86400
>>
>> On C3660 router:
>>
>> crypto isakmp policy 11
>>  hash md5
>>  authentication pre-share
>> crypto isakmp key n3$$t3@ address PIX-public-IP
>> !tried here with esp-des and esp-md5-hmac before removing the last one
>> ! and trying without any auth algorithm
>> crypto ipsec transform-set sharks esp-des
>> crypto map nolan 11 ipsec-isakmp
>>  set peer PIX-public-IP
>>  set transform-set sharks
>>  match address 120
>>
>> access-list 120 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
>>
>>
>>
>> On Thu, October 18, 2007 5:59 pm, Church, Charles wrote:
>>
>>> Are you using AH?  That doesn't work with NAT, at least it didn't last
>>> time I did a lot of VPN stuff.
>>>
>>> Chuck
>>>
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mihai at duras.ro
>>> Sent: Thursday, October 18, 2007 10:42 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] IPSEC behind NAT device problem
>>>
>>>
>>> Hello,
>>>
>>>
>>>
>>> I've got a problem with 2 IPSEC devices (one behind NAT) and am running
>>> out of ideas on what to try to solve it.
>>>
>>>
>>> The schematic looks like the following:
>>>
>>>
>>>
>>> 192.168.1.0/24 -- C3660 IPSEC -- 172.16.254.2 --- 172.16.254.1 - Linux BOX
>>> doing NAT - public IP1 -- INTERNET ---  public IP2 -- Cisco PIX --
>>> 192.168.5.0/24
>>>
>>>
>>>
>>> I've set up DNAT on the Linux box for UDP port 500 and ESP to the C3660
>>> machine.
>>>
>>> Also the peers are defined like this:
>>>
>>>
>>> On C3660:
>>> peer = public IP2 + secret
>>> On PIX:
>>> peer = public IP 1 + secret
>>>
>>> I think that because of NAT IKE phase 1 might be failing (I see some
>>> messages about Invalid Informational step 1), as the preshared key auth is
>>> based on the IP header (and the IP src in the payload behind C3660 differs
>>> from the public IP1).
>>>
>>> Also on the PIX upon debugging I see something else:
>>> Phase 2 - duplicate packets
>>>
>>>
>>> I don't know what else to try or how I should proceed to solve this.
>>>
>>>
>>>
>>> I tried avoiding the problem by setting up a GRE tunnel + IPSEC protection
>>> but my PIX doesn't seem to support it.
>>>
>>>
>>> If you have any solution for this I'd be grateful.
>>>
>>>
>>>
>>> Thanks,
>>> Mihai
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
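As an added illustration of what the `isakmp nat-traversal` command suggested above turns on (this is not code from the thread, from Cisco, or from either peer's configuration), here is a Python model of RFC 3947 NAT-D detection applied to Mihai's topology. The ISAKMP cookies and the two public addresses standing in for "public IP1" and "public IP2" are constructed placeholders, and MD5 is used as the hash because both phase-1 policies in the thread negotiate `hash md5`.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (8 bytes each); real ones are random per SA.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

# Constructed placeholder addresses standing in for the thread's IP1 and IP2.
PUBLIC_IP1 = "203.0.113.10"   # outside address of the Linux NAT box
PUBLIC_IP2 = "198.51.100.20"  # outside interface of the PIX


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               algo: str = "md5") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 sec. 4.
    The hash is the phase-1 hash; both configs in the thread use 'hash md5'."""
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4
    packed_port = struct.pack("!H", port)        # 2 bytes, network byte order
    return hashlib.new(algo, cky_i + cky_r + packed_ip + packed_port).digest()


def nat_between(cky_i: bytes, cky_r: bytes, sender_view: tuple,
                receiver_view: tuple, algo: str = "md5") -> bool:
    """True if a NAT rewrote the sender's address or port in transit.

    sender_view:   (ip, port) the sender believes it sends from; this is what
                   it hashes into the NAT-D payload it transmits.
    receiver_view: (ip, port) the receiver actually saw in the IP/UDP header.
    The receiver recomputes the hash over what it saw; a mismatch means NAT.
    """
    sent = nat_d_hash(cky_i, cky_r, *sender_view, algo=algo)
    seen = nat_d_hash(cky_i, cky_r, *receiver_view, algo=algo)
    return sent != seen


def thread_topology() -> dict:
    """Run the check in both directions for the setup described in the thread.
    Returns {'c3660_behind_nat': True, 'pix_behind_nat': False}."""
    return {
        # The C3660 hashes its own interface address, but the PIX receives the
        # packet from IP1 after the Linux box's source NAT, so the hashes differ.
        "c3660_behind_nat": nat_between(CKY_I, CKY_R,
                                        ("172.16.254.2", 500), (PUBLIC_IP1, 500)),
        # The Linux DNAT rewrites only the destination, so the C3660 sees the
        # PIX's real public address and the hashes agree: no NAT on that side.
        "pix_behind_nat": nat_between(CKY_I, CKY_R,
                                      (PUBLIC_IP2, 500), (PUBLIC_IP2, 500)),
    }
```

Once NAT-T detects the translation, IKE moves to UDP 4500 and ESP is carried inside UDP 4500 (RFC 3948), so a DNAT rule on the Linux box that forwards only UDP 500 and protocol ESP to the router would also need UDP 4500 forwarded.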


