ipsec vpn behind nat

durale1789
Level 1

Hi, I would like to build a site-to-site VPN between 2 routers and behind NAT:

172.16.0.0/24

|

|

91.103.32.1/24 (public)

|

|

100.2.3.4/24 (public)

|

|

192.168.20.1/24 (private)

I can easily assign a crypto map with 192.168.20.0/24 and peer destination 91.103.32.1. But how do I specify, from 91.103.32.1, the peer address destination, which is 192.168.20.1 but not directly "routable" because it is behind NAT?

Is there a way, a solution to make IPsec tunnels site to site but with server client, a kind of dynamic IPsec tunnel where one of the sites initiates the tunnel to the server ...

regards,

alexandre durand

3 Replies

srue
Level 7

Just peer with the public IP of each side. If one side changes or is using a NAT pool (instead of one-to-one NAT), you will have to use another option, like dynamic crypto maps.

michael.leblanc
Level 4

Crypto maps are applied to the "external" interfaces, and peer statements in the crypto maps would reference the far-side "external" interface address.

Crypto ACLs would reference the "internal" network IDs, to identify traffic that requires crypto treatment.

If you are interested in dynamic crypto maps with control over which device initiates tunnel setup, you might want to read up on the "Easy VPN Remote" feature.

There are multiple modes that can be used on the remote side.

Thank you for your replies. There are 2 options: either Easy VPN client, but it requires Cisco at the other end ... or that one:

crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0

Here is the Cisco URL link where you can find further information about it:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

I'm gonna test those 2 options.

I still don't know how to push an ACL with Easy VPN client and remote mode.

Thank you for your advice.

regards,

alex
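
The keyring quoted in the post above offers its pre-shared key to any source address, so the key alone authenticates a peer. As an added example (not part of the original posts and not Cisco tooling), this Python check flags wildcard keyring entries and the ISAKMP profiles that use them; the `scoped` keyring, its placeholder key and all function names are constructed for illustration.

```python
import re
# Constructed sample: the keyring and profile from the post, plus a
# hypothetical keyring scoped to the NAT public address in the diagram.
SAMPLE_CONFIG = """\
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto keyring scoped
 pre-shared-key address 100.2.3.4 key PLACEHOLDER-KEY
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
"""
IP = r"\d+\.\d+\.\d+\.\d+"
PSK_RE = re.compile(rf"^pre-shared-key address ({IP})(?: ({IP}))? key .+$")
MATCH_RE = re.compile(rf"^match identity address ({IP})(?: ({IP}))?")

def is_wildcard(address, mask):
    # Assumption of this example: 0.0.0.0 with mask 0.0.0.0 or no mask means "any peer".
    return address == "0.0.0.0" and mask in (None, "0.0.0.0")

def parse(config):
    # Key material is matched but never stored or returned.
    keyrings, profiles, kind, name = {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("crypto keyring "):
            kind, name = "keyring", line.split()[2]
            keyrings.setdefault(name, [])
        elif line.startswith("crypto isakmp profile "):
            kind, name = "profile", line.split()[3]
            profiles.setdefault(name, {"keyrings": [], "any_identity": False})
        elif line.startswith("crypto ") or line == "!":
            kind = None  # some other top-level stanza
        elif kind == "keyring" and (m := PSK_RE.match(line)):
            keyrings[name].append(m.groups())  # (address, mask or None)
        elif kind == "profile" and line.startswith("keyring "):
            profiles[name]["keyrings"].append(line.split()[1])
        elif kind == "profile" and (m := MATCH_RE.match(line)):
            profiles[name]["any_identity"] |= is_wildcard(*m.groups())
    return keyrings, profiles

def audit(config):
    """Return (keyring, profiles using it, those that also match any identity)."""
    keyrings, profiles = parse(config)
    findings = []
    for ring, entries in keyrings.items():
        if any(is_wildcard(a, m) for a, m in entries):
            users = sorted(p for p, v in profiles.items() if ring in v["keyrings"])
            findings.append((ring, users, [p for p in users if profiles[p]["any_identity"]]))
    return findings
```

A finding whose third field is non-empty means both the key lookup and the identity match accept any peer, which is the case for the configuration in the post.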
