[c-nsp] IPSEC over NAT - what am I missing?

Garry gkg at gmx.de
Fri Jan 25 09:56:56 EST 2013


Hi,

I've tried to set up a VPN connection between two Cisco routers via a 4G 
link ... after having it running in a lab (without NAT though), we moved 
the config to the actual site routers and it failed ...

So now we went back to the lab (GNS3 in this case) and tried again, 
activating NAT on the gateway in between. It also failed. After trying 
just about anything we could think of, we're at a dead end ... here are 
some excerpts from the configs ...

----
Site A (static IP):

crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20 10
!
crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNVPN 10
  set transform-set L2L
  set reverse-route distance 200
  match address VPNNETZE
  reverse-route
!
crypto map VPN 65535 ipsec-isakmp dynamic DYNVPN
!
interface FastEthernet0/0
  description WAN1 phys.
  ip address 192.168.150.160 255.255.255.192
  duplex auto
  speed auto
  crypto map VPN
!
interface FastEthernet1/0
  description LAN
  ip address 105.1.5.70 255.0.0.0
  duplex auto
  speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.150.190
!
ip access-list extended VPNNETZE
  permit ip any 106.0.0.0 0.255.255.255

------------------------

Site B (dynamic IP, outgoing NAT on the gateway):

crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
crypto isakmp key test address 192.168.150.160
crypto isakmp keepalive 20 10
!
crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
  set peer 192.168.150.160
  set transform-set L2L
  set reverse-route distance 200
  match address VPNNETZE
  reverse-route static
!
interface FastEthernet0/0
  description WAN1 physikalisch - LTE Modem
  ip address 192.168.2.2 255.255.255.0
  duplex auto
  speed auto
  crypto map VPN
!
interface FastEthernet1/0
  description VLAN1 LAN
  ip address 106.1.5.2 255.0.0.0
  duplex auto
  speed auto
!
ip access-list extended VPNNETZE
  permit ip 106.0.0.0 0.255.255.255 105.0.0.0 0.255.255.255

----------------------------

Gateway (simulating the Internet and the NATing gateway):

interface FastEthernet0/0
  ip address 192.168.150.190 255.255.255.192
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
!
interface FastEthernet0/1
  ip address 192.168.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
!
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
!
ip access-list extended NAT
  permit ip 192.168.2.0 0.0.0.255 any

------------------------------------

Whether NAT is enabled or not, the ISAKMP SA is up:

SiteA#sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.150.160 192.168.150.190 QM_IDLE           1005    0 ACTIVE

SiteB#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.150.160 192.168.2.2     QM_IDLE           1005    0 ACTIVE

But with NAT on the gateway, pings do not get through:

SiteB#ping 105.1.5.70 source fa1/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.1.5.70, timeout is 2 seconds:
Packet sent with a source address of 106.1.5.2
.....

Packets are encrypted, though:

SiteB#show crypto ips sa

interface: FastEthernet0/0
     Crypto map tag: VPN, local addr 192.168.2.2

    protected vrf: (none)
    local  ident (addr/mask/prot/port): (172.30.30.6/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (172.30.30.5/255.255.255.255/0/0)
    current_peer 192.168.150.160 port 4500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12 <<<<<<<<<<<<<<<<
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 2, #recv errors 0

      local crypto endpt.: 192.168.2.2, remote crypto endpt.: 192.168.150.160
      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
      current outbound spi: 0x4B38900E(1261998094)

The remote end does not accept those packets though:

SiteA#show crypto ip
*Mar  1 01:42:37: %SYS-5-CONFIG_I: Configured from console by admin on 
consoles sa

interface: FastEthernet0/0
     Crypto map tag: VPN, local addr 192.168.150.160

    protected vrf: (none)
    local  ident (addr/mask/prot/port): (172.30.30.5/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (172.30.30.6/255.255.255.255/0/0)
    current_peer 192.168.150.190 port 4500
      PERMIT, flags={}
     #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 <<<<<<<<<<<
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 0, #recv errors 0

      local crypto endpt.: 192.168.150.160, remote crypto endpt.: 192.168.150.190
      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
      current outbound spi: 0xBD4A7DDC(3175775708)

On the gateway, I see the NAT translation correctly:

Pro Inside global      Inside local       Outside local      Outside global
udp 192.168.150.190:4500 192.168.2.2:4500 192.168.150.160:4500 192.168.150.160:4500

Site B notices it's behind NAT and switches to UDP 4500 correctly.

Anyway, I do get errors on either side:

*Mar  1 01:41:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.150.160, prot=50, spi=0x32040000(839122944), srcaddr=192.168.150.190

and

*Mar  1 01:29:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.2.2, prot=50, spi=0x32040000(839122944), srcaddr=192.168.150.160

After disabling NAT and clearing ISAKMP, everything works as expected:

SiteB#clear crypto isa
SiteB#clear crypto sa
SiteB#ping 105.1.5.70 source fa1/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.1.5.70, timeout is 2 seconds:
Packet sent with a source address of 106.1.5.2
.!!!!

What am I missing here?

Help appreciated,

Garry
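An added example, not part of Garry's post: a small Python decoder for the %CRYPTO-4-RECVD_PKT_INV_SPI lines quoted above, with the post's own two log lines (re-joined onto single lines) as constructed sample input. NAT-T (RFC 3948) defines UDP/4500 encapsulation for ESP only, so the receiver reads the four bytes after the UDP header as an ESP SPI; if the peer sends AH instead (the transform set here includes ah-sha-hmac), those bytes are AH's Next Header, Payload Len and Reserved fields, and the decoder checks whether a logged SPI fits that layout.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two RECVD_PKT_INV_SPI lines from the post, unwrapped.
SAMPLE_LOGS = [
    "*Mar  1 01:41:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    "invalid spi for destaddr=192.168.150.160, prot=50, spi=0x32040000(839122944), "
    "srcaddr=192.168.150.190",
    "*Mar  1 01:29:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    "invalid spi for destaddr=192.168.2.2, prot=50, spi=0x32040000(839122944), "
    "srcaddr=192.168.150.160",
]

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]{8})\(\d+\), srcaddr=(?P<src>[\d.]+)"
)
IP_PROTO = {50: "ESP", 51: "AH"}  # plausible values for AH's Next Header field here


@dataclass
class InvalidSpi:
    dst: str
    src: str
    prot: int
    spi: int


def parse_inv_spi(line: str) -> Optional[InvalidSpi]:
    """Extract addresses, protocol and SPI from one RECVD_PKT_INV_SPI syslog line."""
    m = INV_SPI_RE.search(line)
    return None if m is None else InvalidSpi(m["dst"], m["src"], int(m["prot"]), int(m["spi"], 16))


def decode_as_ah_header(spi: int) -> Optional[dict]:
    """If the 32-bit 'SPI' is really the start of an AH header (Next Header, Payload Len,
    Reserved == 0), return the decoded AH geometry; otherwise None (a genuine SPI)."""
    next_hdr, payload_len, reserved = spi >> 24, (spi >> 16) & 0xFF, spi & 0xFFFF
    if reserved != 0 or next_hdr not in IP_PROTO or payload_len == 0:
        return None
    ah_bytes = (payload_len + 2) * 4            # Payload Len is in 32-bit words minus 2
    return {"next_header": IP_PROTO[next_hdr], "ah_bytes": ah_bytes,
            "icv_bits": (ah_bytes - 12) * 8}    # fixed AH fields occupy 12 bytes


def diagnose(lines: list) -> list:
    """One (dst, src, ah_decode_or_None) tuple per parseable log line."""
    recs = [parse_inv_spi(line) for line in lines]
    return [(r.dst, r.src, decode_as_ah_header(r.spi)) for r in recs if r is not None]
```

For the value in the post, 0x32040000 decodes as Next Header 50 (ESP), Payload Len 4, Reserved 0, i.e. a 24-byte AH header carrying a 96-bit ICV, which is what ah-sha-hmac produces; the real outbound SPIs shown above (0x4B38900E, 0xBD4A7DDC) do not fit that layout.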



