[c-nsp] IPSEC over NAT - what am I missing?
Garry
gkg at gmx.de
Fri Jan 25 09:56:56 EST 2013
Hi,
I've tried to set up a VPN connection between two Cisco routers via a 4G
link ... after having it running in a lab (without NAT though), we moved
the config to the actual site routers and it failed ...
So now we went back to the Lab (GNS3 in this case) and tried again,
activating NAT on the gateway in between. It also failed. After trying
just about anything we could think of, we're at a dead end ... here's
some excerpts from the configs ...
----
Site A (static IP):
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20 10
!
crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNVPN 10
set transform-set L2L
set reverse-route distance 200
match address VPNNETZE
reverse-route
!
crypto map VPN 65535 ipsec-isakmp dynamic DYNVPN
!
interface FastEthernet0/0
description WAN1 phys.
ip address 192.168.150.160 255.255.255.192
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet1/0
description LAN
ip address 105.1.5.70 255.0.0.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.150.190
!
ip access-list extended VPNNETZE
permit ip any 106.0.0.0 0.255.255.255
------------------------
Site B (dynamic IP, outgoing NAT on the gateway):
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key test address 192.168.150.160
crypto isakmp keepalive 20 10
!
crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.150.160
set transform-set L2L
set reverse-route distance 200
match address VPNNETZE
reverse-route static
!
interface FastEthernet0/0
description WAN1 physikalisch - LTE Modem
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet1/0
description VLAN1 LAN
ip address 106.1.5.2 255.0.0.0
duplex auto
speed auto
!
ip access-list extended VPNNETZE
permit ip 106.0.0.0 0.255.255.255 105.0.0.0 0.255.255.255
----------------------------
Gateway (simulating the Internet and the NATing gateway):
interface FastEthernet0/0
ip address 192.168.150.190 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
!
ip access-list extended NAT
permit ip 192.168.2.0 0.0.0.255 any
------------------------------------
Whether or not NAT is enabled, the ISAKMP SA is up:
SiteA#sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.150.160 192.168.150.190 QM_IDLE 1005 0 ACTIVE
SiteB#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.150.160 192.168.2.2 QM_IDLE 1005 0 ACTIVE
But with NAT on the gateway, pings do not get through:
SiteB#ping 105.1.5.70 source fa1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.1.5.70, timeout is 2 seconds:
Packet sent with a source address of 106.1.5.2
.....
Packets are encrypted, though:
SiteB#show crypto ips sa
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 192.168.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.30.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.30.30.5/255.255.255.255/0/0)
current_peer 192.168.150.160 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12 <<<<<<<<<<<<<<<<
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 192.168.2.2, remote crypto endpt.: 192.168.150.160
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4B38900E(1261998094)
The remote end does not accept those packets though:
SiteA#show crypto ip
*Mar 1 01:42:37: %SYS-5-CONFIG_I: Configured from console by admin on
consoles sa
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 192.168.150.160
protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.30.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.30.30.6/255.255.255.255/0/0)
current_peer 192.168.150.190 port 4500
PERMIT, flags={}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 <<<<<<<<<<<
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.150.160, remote crypto endpt.: 192.168.150.190
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xBD4A7DDC(3175775708)
On the gateway, I see the NAT translation correctly:
Pro Inside global Inside local Outside local Outside global
udp 192.168.150.190:4500 192.168.2.2:4500 192.168.150.160:4500 192.168.150.160:4500
Site B notices it's behind NAT and switches to UDP 4500 correctly.
Anyway, I do get errors on either side:
*Mar 1 01:41:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.150.160, prot=50, spi=0x32040000(839122944), srcaddr=192.168.150.190
and
*Mar 1 01:29:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.2.2, prot=50, spi=0x32040000(839122944), srcaddr=192.168.150.160
After disabling NAT and clearing ISAKMP, everything works as expected:
SiteB#clear crypto isa
SiteB#clear crypto sa
SiteB#ping 105.1.5.70 source fa1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.1.5.70, timeout is 2 seconds:
Packet sent with a source address of 106.1.5.2
.!!!!
What am I missing here????
Help appreciated,
Garry
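The three pieces of evidence in the post (a transform set containing an AH transform, a peer reported on UDP 4500, and RECVD_PKT_INV_SPI messages with prot=50 and the same SPI on both sides) can be correlated mechanically. This is an added Python example, not code from the post or from Cisco; the input strings are constructed copies of the post's excerpts, and the decode step assumes the four bytes IOS logs as the "SPI" are the first word of the received payload, read with the RFC 4302 AH header layout.

```python
import re
# Constructed sample inputs, shaped like the excerpts in the post above.
TRANSFORM_SET = "crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac"
PEER_LINE = "current_peer 192.168.150.160 port 4500"
SYSLOG = ("*Mar 1 01:41:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
          "has invalid spi for destaddr=192.168.150.160, prot=50, "
          "spi=0x32040000(839122944), srcaddr=192.168.150.190\n")
INV_SPI_RE = re.compile(r"RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
                        r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)")

def parse_transform_set(line):
    """Split 'crypto ipsec transform-set NAME t1 t2 ...' into (NAME, [t1, t2, ...])."""
    parts = line.split()
    if parts[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line")
    return parts[3], parts[4:]

def uses_ah(transforms):
    """True if the set contains an AH transform (ah-md5-hmac, ah-sha-hmac)."""
    return any(t.startswith("ah-") for t in transforms)

def nat_t_in_use(peer_line):
    """True if 'show crypto ipsec sa' shows the peer on UDP 4500, i.e. NAT-T."""
    m = re.search(r"current_peer\s+[\d.]+\s+port\s+(\d+)", peer_line)
    return m is not None and m.group(1) == "4500"

def decode_as_ah_header(spi_hex):
    """Read the 4 bytes logged as an ESP SPI as the first AH word
    (RFC 4302: next header, payload length, reserved); None if implausible."""
    b = int(spi_hex, 16).to_bytes(4, "big")
    nxt, plen, reserved = b[0], b[1], int.from_bytes(b[2:], "big")
    if reserved != 0 or plen == 0:
        return None
    return {"next_header": nxt, "ah_len_bytes": (plen + 2) * 4}

def diagnose(ts_line, peer_line, syslog):
    """Correlate config, SA state and syslog; return a list of findings."""
    findings = []
    natt = nat_t_in_use(peer_line)
    if natt and uses_ah(parse_transform_set(ts_line)[1]):
        findings.append("AH transform with a NAT-T peer: AH integrity covers the outer IP "
                        "header, which NAT rewrites, and IOS NAT-T encapsulates ESP only")
    for ev in (m.groupdict() for m in INV_SPI_RE.finditer(syslog)):
        ah = decode_as_ah_header(ev["spi"])
        if ev["prot"] == "50" and ah and ah["next_header"] == 50:
            findings.append(f"invalid SPI {ev['spi']} from {ev['src']} decodes as a "
                            f"{ah['ah_len_bytes']}-byte AH header in front of ESP: the "
                            "peer sends AH+ESP where plain ESP is expected")
    return findings
```

On the post's values, the logged SPI 0x32040000 decodes as next header 50 (ESP), payload length 4 (a 24-byte AH header, matching ah-sha-hmac with a 96-bit ICV) and reserved 0, which is why both routers reject each other's packets while NAT is in the path.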