[c-nsp] site to site ipsec vpn nat-t

Erik Klaassen e.klaassen at fr-ix.nl
Fri Oct 31 11:07:33 EDT 2014


I feel I am almost there but I am stuck.
I am experimenting with IPsec behind a NAT device.

Perfectly working: 
LAN<----->3845-router<----->internet<----->881-router<---->LAN 

Not working: 
LAN<----->3845-router<----->internet<----->nat-device<---->881-router<---->LAN 

According to http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/23820-ios-pat-ipsec-tunnel.html it should be easy. 
NAT-T should automatically kick in if it detects NAT.

On the NAT device I created:

ip nat inside source static udp 192.168.1.200 4500 interface fa4 4500 (192.168.1.200 is the outside interface of the 881)
ip nat inside source static udp 192.168.1.200 500 interface fa4 500

On the 3845 router, ESP and UDP ports 500 and 4500 are open. The NAT router and the 881 router do not have any ACLs (test setup), except for the 881 having a VPN traffic ACL.


Result of a ping from the 3845 router to the 881:

#sh crypto isakmp sa 
IPv4 Crypto ISAKMP SA 
dst src state conn-id slot status 
192.168.1.200 91.194.XX.YY MM_NO_STATE 2031 0 ACTIVE (deleted) 

I tried some options: crypto map transport mode, crypto ipsec nat-transparency spi-matching.

Before posting configs and debug output it is maybe better to check and walk through the basic things.


Kind regards, 
Erik 
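As an added illustration (not part of Erik's post or of any Cisco code) of how the "automatic" NAT detection in IKEv1 NAT-T works: RFC 3947 has each peer send NAT-D payloads containing HASH(CKY-I | CKY-R | IP | Port), first for the address it believes the peer has, then for its own address(es). The receiver recomputes the same hashes from the outer IP header of the packet it actually received; a mismatch means a NAT rewrote addresses or ports on the path, and both sides float the exchange to UDP 4500. The script below models the second topology from the post (an 881 on 192.168.1.200 behind a NAT device, talking to a 3845). SHA-1 as the negotiated hash, the ISAKMP cookies and the public addresses (203.0.113.10 for the 3845, 198.51.100.5 for the NAT device) are all constructed assumptions.

```python
"""IKEv1 NAT-T detection (RFC 3947 NAT-D payloads), modelled in Python.

Added example; not from the cisco-nsp post. Hash algorithm, cookies and
public addresses are constructed assumptions, not values from the post.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint,
               hash_name: str = "sha1") -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 s.3.2.

    The hash function is the one negotiated for the ISAKMP SA; SHA-1 is an
    assumption here. IP is the packed address, Port is 2 bytes network order.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.ip_address(ep.ip).packed
             + struct.pack("!H", ep.port))
    return h.digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes,
                         local: Endpoint, remote: Endpoint) -> list[bytes]:
    """Sender emits the peer's hash first, then one hash per local address."""
    return [nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: list[bytes],
               observed_src: Endpoint, observed_dst: Endpoint) -> dict:
    """Receiver side: compare received NAT-D values with the outer IP header.

    observed_src/observed_dst are what the receiver sees on the wire, i.e.
    after any NAT on the path has rewritten the packet.
    """
    remote_hash, *sender_hashes = payloads
    # The sender hashed the address it believes *we* have; if that differs
    # from our real address, a NAT sits in front of us.
    self_behind_nat = nat_d_hash(cky_i, cky_r, observed_dst) != remote_hash
    # The sender hashed its own address(es); if none matches the source we
    # actually saw, a NAT rewrote the sender's address or port.
    peer_behind_nat = nat_d_hash(cky_i, cky_r, observed_src) not in sender_hashes
    return {
        "self_behind_nat": self_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        # Either mismatch makes both peers switch to UDP 4500 encapsulation.
        "float_to_udp_4500": self_behind_nat or peer_behind_nat,
    }


# Constructed scenario values (assumptions, not from the post).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
R881_INSIDE = Endpoint("192.168.1.200", 500)   # 881 outside interface, behind NAT
NAT_OUTSIDE = Endpoint("198.51.100.5", 500)    # NAT device public side (assumed)
R3845 = Endpoint("203.0.113.10", 500)          # 3845 public address (assumed)


def post_topology_with_nat() -> dict:
    """881 initiates through the NAT device; 3845 sees the translated source."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, R881_INSIDE, R3845)
    return detect_nat(CKY_I, CKY_R, payloads, NAT_OUTSIDE, R3845)


def post_topology_without_nat() -> dict:
    """The working topology: 881 reaches the 3845 directly, nothing rewritten."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, R881_INSIDE, R3845)
    return detect_nat(CKY_I, CKY_R, payloads, R881_INSIDE, R3845)


if __name__ == "__main__":
    print("with NAT device   :", post_topology_with_nat())
    print("without NAT device:", post_topology_without_nat())
```

Because the values are hashed from the addresses each router believes it is using, the 3845 only learns that its peer is behind a NAT when the 881's outer source address on the wire differs from the address inside the NAT-D payload; with a static 500-to-500 translation as in the post, the IP change alone is enough to trigger the float to UDP 4500, which is why both the 500 and 4500 forwards on the NAT device matter.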


