[c-nsp] site to site ipsec vpn nat-t
Erik Klaassen
e.klaassen at fr-ix.nl
Fri Oct 31 11:07:33 EDT 2014
I feel I am almost there, but I am stuck.
I am experimenting with IPsec behind a NAT device.
Perfectly working:
LAN<----->3845-router<----->internet<----->881-router<---->LAN
Not working:
LAN<----->3845-router<----->internet<----->nat-device<---->881-router<---->LAN
According to http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/23820-ios-pat-ipsec-tunnel.html it should be easy.
NAT-T should automatically kick in if it detects NAT.
On the NAT device I created:
ip nat inside source static udp 192.168.1.200 4500 interface fa4 4500 (192.168.1.200 is the outside interface of the 881)
ip nat inside source static udp 192.168.1.200 500 interface fa4 500
On the 3845 router, ESP and UDP ports 500 and 4500 are open. The NAT router and the 881 router do not have any ACLs (test setup), except for the 881 having a VPN traffic ACL.
Result of a ping from the 3845 router to the 881:
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.200 91.194.XX.YY MM_NO_STATE 2031 0 ACTIVE (deleted)
I tried some options: crypto map transport mode, crypto ipsec nat-transparency spi-matching.
Before posting configs and debugs, it is maybe better to check and walk through the basic things.
Kind regards,
Erik
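As an added example (not from Erik's post or from Cisco), a small Python checker built around the lines above: it validates that the static NAT entries forward UDP/500 and UDP/4500 to the same inside host with the port unchanged, and annotates each `show crypto isakmp sa` row with what its IKE main-mode state means. The sample config and output are constructed from the post, and the state descriptions assume Cisco's documented MM_/QM_ state names.

```python
import ipaddress
import re
# Constructed from the post above: the two NAT lines (udp keyword) and the isakmp sa row.
SAMPLE_NAT = """ip nat inside source static udp 192.168.1.200 4500 interface fa4 4500
ip nat inside source static udp 192.168.1.200 500 interface fa4 500
"""
SAMPLE_SA = """IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.200 91.194.XX.YY MM_NO_STATE 2031 0 ACTIVE (deleted)
"""
NAT_RE = re.compile(r"ip nat inside source static udp (\S+) (\d+) interface \S+ (\d+)")
SA_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(\(deleted\))?\s*$", re.M)
STATE_MEANING = {  # IOS main-mode states, per Cisco's IKE documentation
    "MM_NO_STATE": "ISAKMP SA created but nothing negotiated: no usable reply from the peer",
    "MM_SA_SETUP": "ISAKMP policy agreed, waiting for the key exchange",
    "MM_KEY_EXCH": "Diffie-Hellman done, peer not yet authenticated",
    "MM_KEY_AUTH": "peer authenticated, phase 1 about to complete",
    "QM_IDLE": "phase 1 complete, IKE SA usable for quick mode",
}

def check_nat_t_mappings(config):
    """NAT-T needs udp/500 (IKE) and udp/4500 (ESP-in-UDP) at the same inside host."""
    mapped, problems = {}, []
    for inside_ip, inside_port, outside_port in NAT_RE.findall(config):
        if inside_port != outside_port:
            problems.append(f"udp/{outside_port} is rewritten to inside port {inside_port}")
        mapped[outside_port] = inside_ip
    for port in ("500", "4500"):
        if port not in mapped:
            problems.append(f"no static udp/{port} mapping")
    if len({mapped[p] for p in ("500", "4500") if p in mapped}) > 1:
        problems.append("udp/500 and udp/4500 forward to different inside hosts")
    return problems

def parse_isakmp_sa(output):
    """Turn 'show crypto isakmp sa' rows into dicts carrying diagnostic notes."""
    sas = []
    for dst, src, state, conn, slot, status, deleted in SA_RE.findall(output):
        notes = [STATE_MEANING.get(state, "unknown state")]
        if deleted:
            notes.append("marked (deleted): IOS has given up on this negotiation")
        for label, ip in (("dst", dst), ("src", src)):
            try:  # masked addresses such as 91.194.XX.YY simply do not parse
                if ipaddress.ip_address(ip).is_private:
                    notes.append(f"{label} {ip} is RFC1918: check which address the peer targets")
            except ValueError:
                pass
        sas.append({"dst": dst, "src": src, "state": state, "conn_id": int(conn),
                    "slot": int(slot), "status": status, "deleted": bool(deleted), "notes": notes})
    return sas
```

Running it on the post's own lines reports no NAT mapping problems, so the remaining suspects are the IKE exchange itself and the private dst address the SA shows.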