Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
666
Views
0
Helpful
5
Replies

Site To Site VPN Issue (NAT?)

ldehmer
Level 1
Level 1

‎04-18-2008 06:26 AM - edited ‎03-11-2019 05:33 AM

Hello All,

I have been reading some of the post about Site to Site VPN with overlapping subnets. I could use a little guidance or further explanation to understand this a bit more. To start off here is the scenario. We have a VPN established with a vender of ours and they need access to several different hosts on several different subnets.

Subnets:

140.x.x.x

141.x.x.x

10.10.20.x

Our vender already has another VPN established with another customer that uses the 10.10.20.x subnet.

As it stands the vender only needs to access two different host (10.10.20.28 & 10.10.20.29)

I setup a NAT for each:

10.10.20.28 => 10.9.220.28

10.10.20.29 => 10.9.220.29

When they go to access this via the VPN I see the following show up when doing a debug:

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 10.10.8.10, src= 12.129.5.3,

dest_proxy= 10.9.220.28/255.255.255.255/0/0 (type=1),

src_proxy= 172.17.1.91/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 10.10.8.10, src= 12.129.5.3,

dest_proxy= 172.17.1.91/255.255.255.255/0/0 (type=1),

src_proxy= 10.9.220.28/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

Please note access to the other host on the other subnets works with out issues, it is just access to the two host in the overlapping - any help?

Thanks,

Labels:
0 Helpful
5 Replies 5

cisco24x7
Level 6
Level 6

‎04-18-2008 06:46 AM

Before I answer your question, keep in mind that I am not an expert in this

but I've worked quite a bit with NAT, double-NAT on Checkpoint firewall platform.

I am also familiar with Cisco platforms but not as well compared to Checkpoint

firewall platforms.

The vendors needs to put 10.9.220.28 and 10.9.220.29 in his remote encryption

domain. He knows nothing about your 10.10.20.28 and 10.10.20.29 on your end

nor should he care. When he initiates traffics from his end from host x.x.x.x

going to the destination of 10.9.220.28 10.9.220.29. So far, so good.

Now when the traffics get to your destination, after the traffics get

decrypted, your vpn device is responsibe for "de-nat" the destination

from 10.9.220.28 to 10.10.20.28 and 10.9.220.29 to 10.10.20.29.

Now the return traffics from 10.10.20.28 and .29 going back to vendor x.x.x.x

will be natted to 10.9.220.28 and .29, repsectively.

In summary, it will look like this, I will use Checkpoint terminology because

it is so much easier than checkpoint

Source Destination Translated-source Translated-dest.

x.x.x.x 10.9.220.28 & .29 original 10.10.20.28 & .29

10.10.20.28 & .29 x.x.x.x 10.9.220.28 & .29 original

It is a very simple process, if you think about this. What makes it hard

is all the stupid security level that cisco put on the interface. Because

of this, you have to takes into account policy NAT which is a pain in the ass

to configure. If you're not careful, you can cause a network outtage.

Does that help?

0 Helpful

ldehmer
Level 1
Level 1
In response to cisco24x7

‎04-18-2008 06:52 AM

Well, it just so happens the vender we have the VPN with is using checkpoint…

I will see what we can puzzle out from here and come back…

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to ldehmer

‎04-18-2008 07:19 AM

David is spot on with this.

"IPSEC(validate_transform_proposal): proxy identities not supported"

This basically means that the remote and local subnets that your pix thinks it is using do not agree with the local and remote subnets that your vendor thinks they should be using

so preusmably you have a crypto map access-list that says

access-list vpntraffic permit ip host 10.9.220.28 host 172.17.1.91

The vendor must have the exact same local and remote network (host) entries on his checkpoint.

Jon

0 Helpful

ldehmer
Level 1
Level 1
In response to Jon Marshall

‎04-18-2008 07:45 AM

access-list outside_cryptomap_20 permit ip object-group GRP-INSIDE object-group GRP-OUTSIDE

I have the subnet on the vender side part of GRP-OUTSIDE and the 10.9.220.29 host part of the GRP-INSIDE

0 Helpful

cisco24x7
Level 6
Level 6
In response to ldehmer

‎04-18-2008 09:23 AM

The complexity comes in play when you have to

configure VPN and NAT/double-NAT on the same

device. This is a really bad design. It will

make troubleshooting and support very difficult.

The sensible approach is to separate VPN and

Firewall into two different components. That

will make life much easier in term of support

and troubleshooting.

my 2c

Preview file
18 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card