[c-nsp] IPSEC behind NAT device problem

Leonardo Gama Souza leonardo.souza at nec.com.br
Thu Oct 18 16:58:13 EDT 2007


What are you seeing from 'debug crypto isakmp' output?

Notice you have 'isakmp identity address'.
If you do not use NAT-T to preserve the peer IP address, the pre-shared
key authentication will fail.


------------------------------

Message: 6
Date: Thu, 18 Oct 2007 22:02:47 +0300
From: Mihai Tanasescu <mihai at duras.ro>
Subject: Re: [c-nsp] IPSEC behind NAT device problem
To: "Michael K. Smith - Adhost" <mksmith at adhost.com>
Cc: cisco-nsp at puck.nether.net
Message-ID: <4717ADD7.5050505 at duras.ro>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,


I don't think this is required (the PIX has a public IP and no NAT in
place).

Also nat-traversal would have been required (as far as I've read) on the
C3660 router only if the Linux machine would have been unable to
translate packets by default (which works).


This is what I found for NAT Traversal on the Cisco website:

Although this feature addresses many incompatibilities between NAT and 
IPSec, the following problems still exist:

Internet Key Exchange (IKE) IP Address and NAT

This incompatibility applies only when IP addresses are used as a search
key to find a preshared key. Modification of the IP source or
destination addresses by NAT or reverse NAT results in a mismatch
between the IP address and the preshared key.

Embedded IP Addresses and NAT

Because the payload is integrity protected, any IP address enclosed 
within IPSec packets cannot be translated by NAT. Protocols that use 
embedded IP addresses include FTP, Internet Relay Chat (IRC), Simple 
Network Management Protocol (SNMP), Lightweight Directory Access 
Protocol (LDAP), H.323, and Session Initiation Protocol (SIP).

Michael K. Smith - Adhost wrote:
> Did you try adding:
>
> isakmp nat-traversal 20
>
> on the PIX?  There may be a similar command on the 3600 but I'm not
> sure.
>
> Regards,
>
> Mike
>
>   
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of mihai at duras.ro
>> Sent: Thursday, October 18, 2007 11:50 AM
>> To: Church, Charles
>> Cc: cisco-nsp at puck.nether.net; mihai at duras.ro
>> Subject: Re: [c-nsp] IPSEC behind NAT device problem
>>
>> No.
>>
>> I'm using ESP.
>>
>> This is my config:
>>
>> 192.168.5.0/24 -- PIX -- public(IP1) <----> INTERNET <----> public(IP2)
>> Linux - 172.16.254.1 ---- 172.16.254.2 Cisco 3660 -- 192.168.6.0/24
>>
>>
>> On PIX:
>>
>> access-list ipsec permit ip 192.168.5.0 255.255.255.0 192.168.6.0
>> 255.255.255.0
>> access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.6.0
>> 255.255.255.0
>> global (outside) 1 interface
>> nat (inside) 0 access-list nonat
>> nat (inside) 1 192.168.5.0 255.255.255.0 0 0
>> isakmp enable outside
>> crypto ipsec transform-set avalanche esp-des
>> crypto ipsec security-association lifetime seconds 3600
>> crypto map forsberg 21 ipsec-isakmp
>> crypto map forsberg 21 match address ipsec
>> crypto map forsberg 21 set peer public-remote-IP(linux NAT)
>> crypto map forsberg 21 set transform-set avalanche
>> crypto map forsberg 21 set security-association lifetime seconds 28800
>> kilobytes 4608000
>> isakmp key ******** address public-remote-IP(linux NAT) netmask
>> 255.255.255.255
>> ! here I've also added a key for the IP behind NAT that initializes the
>> ! connection..don't think it helps though ..but I've seen it in the
>> ! payload upon debugging..so I thought it might be used instead of the
>> ! public one for the initial authentication
>> isakmp key ******** address 172.16.254.2 netmask 255.255.255.255
>> isakmp identity address
>> isakmp policy 21 authentication pre-share
>> isakmp policy 21 encryption des
>> isakmp policy 21 hash md5
>> isakmp policy 21 group 1
>> isakmp policy 21 lifetime 86400
>>
>> On C3660 router:
>>
>> crypto isakmp policy 11
>>  hash md5
>>  authentication pre-share
>> crypto isakmp key n3$$t3@ address PIX-public-IP
>> ! tried here with esp-des and esp-md5-hmac before removing the last one
>> ! and trying without any auth algorithm
>> crypto ipsec transform-set sharks esp-des
>> crypto map nolan 11 ipsec-isakmp
>>  set peer PIX-public-IP
>>  set transform-set sharks
>>  match address 120
>>
>> access-list 120 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
>>
>>
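
Added example (not written by any poster in this thread, nor Cisco code): a
small Python model of the two mechanisms discussed above, the pre-shared-key
lookup keyed by peer address that the Cisco text says NAT breaks, and the
RFC 3947 NAT-D hash that NAT-T uses to detect the translation. The IKE
cookies and the address 203.0.113.10 are constructed placeholders for the
poster's "public-remote-IP(linux NAT)", and lookup_psk is a simplified model
of the address-keyed lookup, not the exact PIX code path.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values: the IKE cookies are made up, 203.0.113.10 is a
# placeholder for the Linux box's public address, and 172.16.254.2 is the
# C3660 address from the thread that lands in the ID payload when the
# router uses its interface address as its ISAKMP identity.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
INNER_IP = "172.16.254.2"
PUBLIC_IP = "203.0.113.10"


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    The hash is the phase 1 hash algorithm (md5 in the posted policies)."""
    data = (cky_i + cky_r + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.new(hash_name, data).digest()


def nat_detected(peer_claimed_ip, peer_claimed_port, seen_ip, seen_port):
    """Responder view: the peer hashes the address it believes it has; we
    hash the address the UDP packet actually arrived from. A difference
    means a NAT rewrote the source, and NAT-T then moves to UDP 4500."""
    claimed = nat_d_hash(CKY_I, CKY_R, peer_claimed_ip, peer_claimed_port)
    observed = nat_d_hash(CKY_I, CKY_R, seen_ip, seen_port)
    return claimed != observed


def lookup_psk(psk_table, packet_src_ip, id_payload_ip):
    """Simplified model of 'isakmp key ... address X' with address identity:
    the key is searched by the packet's source address, and the IP in the
    peer's ID payload must name that same address. Without NAT-T a NAT in
    the path makes the two differ, which is the mismatch the Cisco text
    describes. Returns (key, reason)."""
    key = psk_table.get(packet_src_ip)
    if key is None:
        return None, "no pre-shared key configured for " + packet_src_ip
    if id_payload_ip != packet_src_ip:
        return None, "ID payload %s does not match source %s" % (
            id_payload_ip, packet_src_ip)
    return key, "ok"


if __name__ == "__main__":
    table = {PUBLIC_IP: "psk-for-linux-nat"}  # constructed key value
    print(lookup_psk(table, PUBLIC_IP, INNER_IP))  # fails: NAT mismatch
    print(nat_detected(INNER_IP, 500, PUBLIC_IP, 500))  # NAT present
```

Adding a second key for 172.16.254.2, as the poster did, does not help in
this model: the lookup is still driven by the translated source address.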

