Question on IPSec manual keying/ NAT

Jul 29th, 2008

I have a requirement to setup an IPSec VPN between two peers using manual keying.


The network is as per the attachment.


The local peer is 10.0.1.2 but is seen as 185.0.1.5 by the remote peer. 185.0.1.5 is actually assigned to a host, but this device is not involved in IPsec peering with the remote peer (197.20.20.1).



Marwan ALshawi Wed, 07/30/2008 - 02:49

Based on your topology, add the following commands:

ip nat inside source static esp 10.0.1.2 185.0.1.5

ip nat inside source static udp 10.0.1.2 500 185.0.1.5 500

So R1 will make a static mapping for the two protocols here, UDP 500 (ISAKMP) and ESP,

when the remote host starts the VPN connection to 185.0.1.5.

The commands above allow the translation of ISAKMP traffic (UDP port 500) and ESP to the specified inside local address.


Hope this answered your question.


Rate if helpful please.

rsgamage1 Wed, 07/30/2008 - 03:10

Hi Marwan,


First of all,


ip nat inside source static esp {ip} {ip}

is not supported,


but

ip nat inside source static esp {ip} {interface}

is.


I've tested this using c2800nm-spservicesk9-mz.124-3f.


I'm wondering how to realize it with the interface option.


Any suggestions please?





rsgamage1 Wed, 07/30/2008 - 03:29

I tried something like this:


ip nat inside source static 10.0.1.2 185.0.1.5 route-map TEST reversible


route-map TEST permit

match ip address 101


access-list 101 permit esp host 10.0.1.2 host 197.20.20.1


Also I've applied

ip nat inside on the interface connecting to 10.0.1.2, and


ip nat outside on the interface connecting to the remote peer.



In my opinion UDP 500 is not required in this case (manual keying).


What do you think about this?


Thanks for your comments and suggestions.
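
A complete version of the route-map approach described in the post above, written as an added example; it is not configuration from any of the posts. Interface names follow the thread (FE0/1 inside toward 10.0.1.2, FE0/0 toward the LAN that owns 185.0.1.5, FE1/0 outside), but R1's outside address, the remote LAN 192.0.2.0/24, the transform set, the SPIs and the session keys are assumptions chosen for illustration. Note that only ESP is translated (there is no ISAKMP with manual keying, so nothing listens on UDP 500), and that ESP does not authenticate the outer IP header, which is why the rewrite of the source address is invisible to the remote peer (AH would fail here).

```cisco
! ===== R1: the NAT router (added example; addresses marked below are assumptions) =====
!
interface FastEthernet0/1
 description inside: toward the new peer 10.0.1.2
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description LAN that owns 185.0.1.0/24, where the real 185.0.1.5 host lives (no NAT here)
 ip address 185.0.1.1 255.255.255.0
!
interface FastEthernet1/0
 description outside: toward the remote peer 197.20.20.1 (address is an assumption)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Translate only ESP between the two peers. A plain 1:1 static NAT would also
! redirect every other packet addressed to 185.0.1.5 to 10.0.1.2.
access-list 101 permit esp host 10.0.1.2 host 197.20.20.1
!
route-map NAT-ESP permit 10
 match ip address 101
!
! "reversible" allows the entry to be used outside-to-inside, but the entry is
! only created by an inside-to-outside packet, so the first ESP packet must come
! from 10.0.1.2. Until then, ESP sent to 185.0.1.5 is simply routed to the real host.
ip nat inside source static 10.0.1.2 185.0.1.5 route-map NAT-ESP reversible
!
! ===== New peer 10.0.1.2: manual keying, so no ISAKMP and no UDP 500 =====
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-manual
 set peer 197.20.20.1
 set transform-set TS
 ! SPIs and keys are placeholders for the example. The remote side must hold the
 ! mirror image (its inbound SPI/keys = our outbound). AES-128 cipher keys are
 ! 32 hex digits, SHA-1 HMAC keys are 40 hex digits.
 set session-key inbound esp 1000 cipher 0123456789abcdef0123456789abcdef authenticator 00112233445566778899aabbccddeeff00112233
 set session-key outbound esp 1001 cipher fedcba9876543210fedcba9876543210 authenticator ffeeddccbbaa99887766554433221100ffeeddcc
 ! ipsec-manual honours only the first permit entry of the ACL
 match address 110
!
! interesting traffic; the remote LAN 192.0.2.0/24 is an assumption
access-list 110 permit ip 10.0.1.0 0.0.0.255 192.0.2.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 crypto map VPN
```

To verify, send a packet matching access-list 110 from the 10.0.1.0/24 side, then check `show ip nat translations` on R1 for an esp entry pairing 10.0.1.2 with 185.0.1.5, and `show crypto ipsec sa` on 10.0.1.2 for rising encaps/decaps counters. The entry the route map creates is a dynamic one and ages out like any other translation, so if the remote side must be able to send first after an idle period, something on the inside has to keep sending interesting traffic (the manual SAs themselves never expire, so there is no rekey to do it for you).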

Marwan ALshawi Wed, 07/30/2008 - 03:39

Why are you doing it the long way?

Just NAT as I told you,

without a route map; it's easier to configure and to troubleshoot.

This is a complete example that will help you a lot; just follow the concepts and config, then let me know.


! Interface s2/0 is the NAT inside address
!
interface Serial2/0
 ip address 10.10.10.2 255.255.255.0
 ip nat inside
!
! Interface serial 2/1 is the NAT outside address
!
interface Serial2/1
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
!
! The static translations here allow the Berlin gateway to initiate IPsec
! connections to the London gateway.
!
ip nat inside source list 10 interface Serial2/1 overload
ip nat inside source static esp 10.10.10.1 interface Serial2/1
ip nat inside source static udp 10.10.10.1 500 interface Serial2/1 500
!
access-list 10 permit 10.10.10.0 0.0.0.255


Good luck.

rsgamage1 Wed, 07/30/2008 - 03:48

Thanks for sharing an example Marwan.


If the interface command option is applied, it will simply take the IP of the outside interface as the local peer, right?


If you have a closer look at my scenario, you'd see that I need it to take the IP of an inside host connected via a 3rd interface instead.


Have I overlooked something here?




Marwan ALshawi Wed, 07/30/2008 - 03:35

OK, no problem.

It is right, it should be interface,

but I have put it like this to make it easier to understand.

What do you mean by "how to realize it"?

When you put interface and the interface type/number,

it will consider the IP address configured on that interface.

So if your outside interface is configured with 10.0.1.1, it will be mapped from 10.0.1.1 to the other IP in the NAT statement.



rsgamage1 Wed, 07/30/2008 - 03:40

I don't think we could achieve this with the interface option.



Marwan ALshawi Wed, 07/30/2008 - 04:11

Then why don't you use your outside interface?


Also try the following, but I am not sure:

let's say the outside interface of the remote router is 2.2.2.2.

access-list 100 permit ip host 2.2.2.2 host (the destination IP you want)


route-map map1 permit 10

match ip address 100

set ip next-hop 10.0.1.2


Then apply this with a policy-map statement on the outside interface.


Again, I have never tried it with IPsec.

Good luck.

rsgamage1 Wed, 07/30/2008 - 04:46

The NAT with route-map (which I posted previously) works for locally originated (interesting) traffic.


However, when the remote side initiates the tunnel it does not seem to come up. What you've proposed with your route map may be used in this case.


But I'm not sure whether you could run ip nat outside and ip policy route-map on the same outside interface to control outbound and inbound traffic respectively.

Marwan ALshawi Wed, 07/30/2008 - 04:59

I am still wondering why you don't use your external interface as the termination point for the VPN,

which is the best practice and will solve your problem!

rsgamage1 Wed, 07/30/2008 - 05:21

No, Marwan, as I said this was encountered during a network migration process which has to be performed without any intervention by the remote party.


Actually the current peer is 185.0.1.5, if you consider the scenario. So the idea is to replace it with a different peer device, pretending to be the same at the IP network layer. That's why the new device 10.0.1.2 is there, acting as 185.0.1.5 toward the remote peer.


I understand your point very clearly. However, in my opinion, this is where we need to have ideas and workarounds to cope with such situations.


What I have realized is a NAT route-map with outside-to-inside support:


http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnato2n.html#wp1046681


The feature design says that an initial session from inside to outside is required to trigger this NAT translation (this is exactly what I see with my setup).


However, practically in my case the tunnel needs to be initiated by the remote side as well.


This can be accomplished relatively easily with POSIX/iptables, and I am hoping it would be the case with Cisco too.


rsgamage1 Wed, 07/30/2008 - 23:59

Hi,


Any suggestions with regard to remote peer initiated IPSec tunnel deployments please?


I am unable to get it working with route-map for ESP traffic.


Thanks for your thoughts and time.



a.alekseev Thu, 07/31/2008 - 03:23

Why can't you just use the simple

ip nat inside source static ip 10.0.1.2 185.0.1.5


?

Marwan ALshawi Thu, 07/31/2008 - 03:57

That's what I have been mentioning: either static NAT

or static PAT (port forwarding).


ip nat inside source static ip 10.0.1.2 185.0.1.5


or

ip nat inside source static esp 10.0.1.2 185.0.1.5


ip nat inside source static udp 10.0.1.2 500 185.0.1.5 500


The first command will simply map any connection to 10.0.1.5 to 10.0.1.2.


With the second two commands you are going to map only the VPN.


In your case mapping matters,

in other words NATing.

rsgamage1 Thu, 07/31/2008 - 04:32

We are going back to our previous discussion, I guess.


If we take ip nat inside source static, we have {A.B.C.D}, esp, network, tcp and udp as options.


Here we have a specific option for esp where you can specify only an "interface".


That is one thing.


And, to answer Aleksey's question:


I'm trying to do a kind of IP spoofing here.

I'm using 10.0.1.2 (consider it connected via FE0/1 of R1) to set up IPsec peering with a remote peer, but pretending that it is from 185.0.1.5 (connected via FE0/0).

However, my NAT inside interface is FE0/1 (10.0.1.1) and my NAT outside interface is FE1/0 (the outside interface).


In this case, would a simple ip nat inside source static {ip} {ip} work?


I've tried that, unsuccessfully, anyway.


Have I missed anything?


Thanks for your time already.

rsgamage1 Sat, 08/02/2008 - 04:11

It is a case related to IPsec manual keying.


I could get it working only one way, with

ip nat inside source static {ip} {ip} route-map name reversible for ESP traffic, rather than with a simple NAT as you've suggested.



rsgamage1 Mon, 08/04/2008 - 04:17

Hi,


According to the example you've sent, it is

ip nat inside source static esp 172.16.1.2 interface Serial1/0 for ESP traffic.


However, this doesn't work for me as my architecture is different, and so is the requirement. Hope that's clear.





