Problem with VPN behind the NAT

Unanswered Question
Jul 8th, 2008

I have this scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml

But I have a problem: the VPN is not coming up from the router which is behind the NAT, while it comes up from the other site. Can anybody help me to resolve this problem?

p.bryliov Tue, 07/08/2008 - 04:21

Yes, I have active VPN tunnels on my PIX. How can that influence my scheme?

p.bryliov Tue, 07/08/2008 - 18:47

PIX 515E

Cisco PIX Security Appliance Software Version 7.0(1)

a.alekseev Tue, 07/08/2008 - 03:48

debug crypto ipsec

debug crypto isakmp

no access-list 120

access-list 120 permit ip host 192.168.34.1 host 192.168.11.7

no ip access-list extended VPN

ip access-list extended VPN

permit ip host 192.168.11.7 host 192.168.34.1
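The reply above rewrites the crypto ACLs on the two routers as exact mirror images of each other (c2811: 192.168.34.1 to 192.168.11.7; c871: 192.168.11.7 to 192.168.34.1), which is what IOS-to-IOS IPsec needs for the Phase 2 proxy identities to agree. As an added example, not code from this thread or from Cisco, the script below parses two IOS crypto ACL fragments and reports every permit entry that has no mirrored counterpart on the peer; the ACL text is constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed from the ACL lines posted in this thread; not a captured config.
C2811_ACL = "access-list 120 permit ip host 192.168.34.1 host 192.168.11.7\n"
C871_ACL = "ip access-list extended VPN\n permit ip host 192.168.11.7 host 192.168.34.1\n"

# One IOS ACL endpoint: 'host A', 'any', or 'A WILDCARD' (tried in that order).
_ENDPOINT = r"(host \S+|any|\S+ \S+)"
_PERMIT = re.compile(
    r"^\s*(?:access-list \S+ )?permit ip " + _ENDPOINT + " " + _ENDPOINT + r"\s*$"
)


def _endpoint(text):
    """Convert an IOS ACL endpoint string to an IPv4Network."""
    if text == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.IPv4Network(text.split()[1] + "/32")
    addr, wildcard = text.split()
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> 255.255.255.0
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def crypto_acl_entries(config):
    """Extract the set of (source, destination) networks from a crypto ACL's permit lines."""
    entries = set()
    for line in config.splitlines():
        m = _PERMIT.match(line)
        if m:
            entries.add((_endpoint(m.group(1)), _endpoint(m.group(2))))
    return entries


def mirror_mismatches(local_config, remote_config):
    """Return (local entries with no mirror on the remote, remote entries with no mirror locally).

    Two empty sets mean the crypto ACLs are exact mirror images of each other."""
    local = crypto_acl_entries(local_config)
    remote = crypto_acl_entries(remote_config)
    missing_on_remote = {(s, d) for (s, d) in local if (d, s) not in remote}
    missing_on_local = {(s, d) for (s, d) in remote if (d, s) not in local}
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    for side, entries in zip(("c2811", "c871"), mirror_mismatches(C2811_ACL, C871_ACL)):
        print(side, "entries without a mirror on the peer:", entries or "none")
```

The script only checks that the proxy identities are symmetric; it says nothing about whether NAT is detected between the peers, which is what the later posts in this thread turn to.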

p.bryliov Tue, 07/08/2008 - 04:45

I have attached the debug without deleting the access-list. After deleting the access-list on the c2811 the VPN tunnel came up. But after I reloaded the c871, the VPN again did not come up from the c2811.

Attachment: 
a.alekseev Tue, 07/08/2008 - 04:52

so... Was it working?

try to add on both sides

crypto isakmp keepalive 10

crypto isakmp invalid-spi-recovery

after that do

clear crypto sa

clear crypto isa sa

p.bryliov Wed, 07/09/2008 - 00:05

Yes, I have read this guide and this confuses me:

If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The feature has a built-in mechanism to minimize such a risk, but because there is a risk, the feature is not enabled by default. You must enable the command using command-line interface (CLI).

Can the VPN work without crypto isakmp invalid-spi-recovery? I think the c871 doesn't detect NAT.
