ipsec vpn behind nat

May 29th, 2008

Hi, I would like to build a site-to-site VPN between 2 routers, behind NAT:

172.16.0.0/24
      |
91.103.32.1/24 (public)
      |
100.2.3.4/24 (public)
      |
192.168.20.1/24 (private)

I can easily assign a crypto map with 192.168.20.0/24 and peer destination 91.103.32.1. But how do I specify from 91.103.32.1 the peer destination address, which is 192.168.20.1 but not directly "routable" because it is behind NAT?

Is there a way, a solution, to make IPsec tunnels site to site but with server/client, a kind of dynamic IPsec tunnel where one of the sites initiates the tunnel to the server ...

regards,

alexandre durand

srue Thu, 05/29/2008 - 10:56

Just peer with the public IP of each side. If one side changes or is using a NAT pool (instead of one-to-one NAT) you will have to use another option, like dynamic crypto maps.

michael.leblanc Thu, 05/29/2008 - 11:46

Crypto maps are applied to the "external" interfaces, and peer statements in the crypto maps would reference the far-side "external" interface address.

Crypto ACLs would reference the "internal" network IDs, to identify traffic that requires crypto treatment.

If you are interested in dynamic crypto maps with control over which device initiates tunnel setup, you might want to read up on the "Easy VPN Remote" feature.

There are multiple modes that can be used on the remote side.

durale1789 Fri, 05/30/2008 - 01:29

Thank you for your replies. There are 2 options: either Easy VPN client, but it requires Cisco at the other end ... or that one:

crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0

Here is the Cisco URL where you can find further information about it:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

I'm gonna test those 2 options.

I still don't know how to push ACLs with Easy VPN client and remote mode.

Thank you for your advice.

regards,

alex
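As an added example (not from the thread or from the linked Cisco document), here is a hub-and-spoke configuration built around the keyring and ISAKMP profile above: the hub at 91.103.32.1 uses a dynamic crypto map because it cannot name the spoke's peer address, and the spoke behind the NAT device initiates with a static map. The interface names, IKE policy, transform set, ACL names, and the assumption that 172.16.0.0/24 is the hub LAN and 192.168.20.0/24 the spoke LAN are mine, not the poster's.

```cisco
! === HUB (91.103.32.1, static public address) ===
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Wildcard pre-shared key: any spoke that knows this key can start IKE,
! so the dynamic map below limits which proxy identities it may protect.
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
ip access-list extended HUB-TO-SPOKE
 permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Dynamic map: no "set peer"; the spoke's NAT-translated address is
! learned when the spoke initiates, so the hub can never initiate to it.
crypto dynamic-map DYN 10
 set transform-set TS
 set isakmp-profile L2L
 match address HUB-TO-SPOKE
crypto map HUB 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 ip address 91.103.32.1 255.255.255.0
 crypto map HUB
!
! === SPOKE (private 192.168.20.1 behind NAT device 100.2.3.4) ===
! The NAT device must pass UDP/500 and UDP/4500 outbound; IOS detects the
! NAT and switches to NAT-T (UDP/4500 encapsulation) automatically.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 91.103.32.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
ip access-list extended SPOKE-TO-HUB
 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.0.0.255
crypto map SPOKE 10 ipsec-isakmp
 set peer 91.103.32.1
 set transform-set TS
 match address SPOKE-TO-HUB
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 crypto map SPOKE
```

Because only the spoke can bring the tunnel up, interesting traffic must originate on the spoke side, and any host that obtains the shared wildcard key can open an IKE session with the hub, so the hub-side ACL is what keeps such a peer from negotiating protection for networks other than the ones listed.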
