Question on IPSec manual keying/ NAT

Unanswered Question
Jul 29th, 2008

I have a requirement to setup an IPSec VPN between two peers using manual keying.

Network is as per the attachment;

The local peer is but seen as by the remote peer. is actually assigned to a host but this device is not involved in IPSec peering with the remote peer(

Marwan ALshawi Wed, 07/30/2008 - 02:49

Based on your topology, add the following commands:

ip nat inside source static esp
ip nat inside source static udp 500 500

So R1 will make a static mapping for the two protocols here, UDP 500 (ISAKMP) and ESP.

When the remote host starts the VPN connection to the

The commands above allow the translation of ISAKMP traffic (UDP port 500) and ESP to the specified inside local address.

Hope this answered your question.

Rate if helpful please.

rsgamage1 Wed, 07/30/2008 - 03:10

Hi Marwan,

First of all,

ip nat inside source static esp {ip} {ip}

is not supported,

ip nat inside source static esp {ip} {interface}

I've tested this using c2800nm-spservicesk9-mz.124-3f.

I'm wondering how to realize it with the interface option.

Any suggestions please?

rsgamage1 Wed, 07/30/2008 - 03:29

I tried something like this:

ip nat inside source static route-map TEST reversible
route-map TEST permit
match ip address 101
access-list 101 permit esp host host

Also I've applied ip nat inside on the connecting interface and ip nat outside on the interface connecting to the remote peer.

In my opinion UDP 500 is not required in this case (manual keying).

What do you think about this?

Thanks for your comments and suggestions.

Marwan ALshawi Wed, 07/30/2008 - 03:39

Why are you doing it the long way?

Just NAT as I told you; without a route map it is easier to configure and to troubleshoot.

This is a complete example that will help you a lot. Just follow the concepts and config, then let me know.

! Interface Serial2/0 is the NAT inside address
interface Serial2/0
 ip address
 ip nat inside
!
! Interface Serial2/1 is the NAT outside address
interface Serial2/1
 ip address
 ip nat outside
!
! The static translations here allow the Berlin gateway to initiate IPsec
! connections to the London gateway.
ip nat inside source list 10 interface Serial2/1 overload
ip nat inside source static esp interface Serial2/1
ip nat inside source static udp 500 interface Serial2/1 500
!
access-list 10 permit

Good luck.

rsgamage1 Wed, 07/30/2008 - 03:48

Thanks for sharing an example Marwan.

If the interface command option is applied it will simply take the IP of the outside interface as the local peer, right?

If you have a closer look into my scenario, you'd see that I need it to take the IP of an inside host connecting to a 3rd interface, instead.

Have I overlooked something here?

Marwan ALshawi Wed, 07/30/2008 - 03:35

OK, no problem.

It is right, it should be interface, but I have put it like this to make it easier to understand.

What do you mean, how to realize it?

When you put interface and the interface type/number, it will consider the IP address configured on that interface.

So if your outside interface is configured with so it will be mapped from to the other IP in the NAT statement.

rsgamage1 Wed, 07/30/2008 - 03:40

I don't think we could achieve this with the interface option.

Marwan ALshawi Wed, 07/30/2008 - 04:11

Then why don't you use your outside interface?

Also try the following, but I am not sure.

Let's say the outside interface of the remote router

access-list 100 permit ip host host (the destination IP you want)
route-map map1 permit 10
match ip address 100
set ip next-hop

Then apply this with a policy-map statement on the outside interface.

Again, I never tried it with IPsec.

Good luck.

rsgamage1 Wed, 07/30/2008 - 04:46

The NAT with route-map (I posted previously) works for locally originated (interesting) traffic.

However when the remote side initiates the tunnel it does not seem to come up. What you've proposed with your route map may be used in this case.

But I'm not sure whether you could run ip nat outside and ip policy route-map on the same outside interface to control outbound and inbound traffic respectively.

Marwan ALshawi Wed, 07/30/2008 - 04:59

I am still wondering why you don't use your external interface as the termination point for the VPN,

which is the best practice and will solve your problem!!!!

rsgamage1 Wed, 07/30/2008 - 05:21

No, Marwan as I said this was encountered during a network migration process which has to be performed without any intervention by the remote party.

Actually the current peer is, if you consider the scenario. So the idea is to change it with a different peer device, pretending it to be the same in IP network layer. That's why the new device is there acting as to the remote peer.

I understand your point very clearly. However in my opinion, this is where we need to have ideas and workarounds to cope with such situations.

What I have realized is a NAT route-map with Outside-to-Inside support;

The feature design says that an initial session from inside-to-outside is required to trigger this NAT translation. (This is exactly what I see with my setup.)

However, practically in my case the tunnel needs to be initiated by the remote-side as well.

This can be accomplished relatively easily with Posix/Iptables and hoping it would be the case with Cisco too.
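Since the thread keeps circling the same three NAT forms, here is an added Python model of how each one treats a remote-initiated ESP packet. It is illustrative code written for this page, not from the thread, from Cisco IOS or from any poster: the addresses are constructed RFC 5737 placeholders (the real ones were stripped from the page), the route-map form's trigger rule follows the feature description rsgamage1 quotes just above, and the esp form's interface-only restriction follows what he reports from testing earlier in the thread. Running it shows why a reversible route-map translation works for locally originated traffic but not when the remote side sends the first ESP packet, and why the esp interface form forces the outside interface address to be the peer address.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Constructed placeholder addresses (RFC 5737 documentation ranges). The real
# addresses in the thread were stripped from the page; none of these are them.
INSIDE_LOCAL = "192.0.2.10"     # host on R1's FE0/1 that actually runs IPsec
INSIDE_GLOBAL = "198.51.100.5"  # address the remote peer believes it talks to
OUTSIDE_IF = "203.0.113.1"      # address of R1's NAT outside interface (FE1/0)
REMOTE_PEER = "203.0.113.200"   # the remote IPsec gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "esp", "udp", "tcp"
    sport: Optional[int] = None  # ESP carries no ports, hence None for ESP
    dport: Optional[int] = None


class StaticNat:
    """ip nat inside source static <inside-local> <inside-global>
    Plain 1:1 mapping: both directions translate at once, no trigger needed."""

    def __init__(self, inside_local: str, inside_global: str) -> None:
        self.local, self.glob = inside_local, inside_global

    def inside_to_outside(self, p: Packet) -> Packet:
        return replace(p, src=self.glob) if p.src == self.local else p

    def outside_to_inside(self, p: Packet) -> Packet:
        return replace(p, dst=self.local) if p.dst == self.glob else p


class StaticEspInterfaceNat:
    """ip nat inside source static esp <inside-local> interface <outside-if>
    The esp keyword only accepts 'interface', so the inside-global address is
    forced to be the outside interface's own address; only ESP is translated."""

    def __init__(self, inside_local: str, outside_if_addr: str) -> None:
        self.local, self.glob = inside_local, outside_if_addr

    def inside_to_outside(self, p: Packet) -> Packet:
        if p.proto == "esp" and p.src == self.local:
            return replace(p, src=self.glob)
        return p

    def outside_to_inside(self, p: Packet) -> Packet:
        if p.proto == "esp" and p.dst == self.glob:
            return replace(p, dst=self.local)
        return p


class RouteMapReversibleNat:
    """ip nat inside source static <local> <global> route-map <name> reversible
    Modelled on the feature description quoted in the thread: the entry exists
    only after an inside-to-outside packet matching the ACL has been seen."""

    def __init__(self, inside_local: str, inside_global: str,
                 acl: Callable[[Packet], bool]) -> None:
        self.local, self.glob, self.acl = inside_local, inside_global, acl
        self.active = False  # no translation entry yet

    def inside_to_outside(self, p: Packet) -> Packet:
        if p.src == self.local and self.acl(p):
            self.active = True  # inside-initiated traffic creates the entry
            return replace(p, src=self.glob)
        return p

    def outside_to_inside(self, p: Packet) -> Packet:
        if self.active and p.dst == self.glob:
            return replace(p, dst=self.local)
        return p  # untranslated: goes to whatever host owns INSIDE_GLOBAL


def acl_101(p: Packet) -> bool:
    """access-list 101 permit esp host <inside-local> host <remote-peer>"""
    return p.proto == "esp" and p.src == INSIDE_LOCAL and p.dst == REMOTE_PEER


def remote_initiated_reaches_host(nat, peer_addr: str) -> bool:
    """Remote side sends the first ESP packet. With manual keying there is no
    IKE exchange on UDP 500 beforehand, so ESP really is the first packet."""
    first = Packet(src=REMOTE_PEER, dst=peer_addr, proto="esp")
    return nat.outside_to_inside(first).dst == INSIDE_LOCAL


def local_initiated_then_remote(nat, peer_addr: str) -> bool:
    """Inside host sends ESP first, then the remote replies to peer_addr."""
    out = nat.inside_to_outside(Packet(src=INSIDE_LOCAL, dst=REMOTE_PEER, proto="esp"))
    back = nat.outside_to_inside(Packet(src=REMOTE_PEER, dst=peer_addr, proto="esp"))
    return out.src == peer_addr and back.dst == INSIDE_LOCAL


if __name__ == "__main__":
    static = StaticNat(INSIDE_LOCAL, INSIDE_GLOBAL)
    rm = RouteMapReversibleNat(INSIDE_LOCAL, INSIDE_GLOBAL, acl_101)
    esp = StaticEspInterfaceNat(INSIDE_LOCAL, OUTSIDE_IF)
    print("static 1:1, remote first:          ", remote_initiated_reaches_host(static, INSIDE_GLOBAL))
    print("route-map reversible, remote first:", remote_initiated_reaches_host(rm, INSIDE_GLOBAL))
    print("route-map reversible, local first: ", local_initiated_then_remote(rm, INSIDE_GLOBAL))
    print("esp interface, remote -> spoofed:  ", remote_initiated_reaches_host(esp, INSIDE_GLOBAL))
    print("esp interface, remote -> outside:  ", remote_initiated_reaches_host(esp, OUTSIDE_IF))
```

The model deliberately ignores SPI tracking and entry timeouts; it only captures the trigger rule and the address restriction that the posts above turn on, which is enough to see why the remote-initiated case fails with the route-map form while the same form works once the inside host has sent the first packet.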

rsgamage1 Wed, 07/30/2008 - 23:59

Any suggestions with regard to remote peer initiated IPSec tunnel deployments please?

I am unable to get it working with route-map for ESP traffic.

Thanks for your thoughts and time.

a.alekseev Thu, 07/31/2008 - 03:23

Why can't you just use a simple

ip nat inside source static ip


Marwan ALshawi Thu, 07/31/2008 - 03:57

That's what I have been mentioning, either static NAT or static PAT (port forward):

ip nat inside source static ip

ip nat inside source static esp
ip nat inside source static udp 500 500

This will simply map any connection to to for the first command.

With the second two commands you are going to map only VPN.

In your case mapping matters, in other words NATing.

rsgamage1 Thu, 07/31/2008 - 04:32

We are going back to our previous discussion, I guess.

If we take ip nat inside source static we have {A.B.C.D}, esp, network, tcp and udp as options.

Here we have a specific option for esp where you could specify only an "interface".

That is one thing.

And.. to answer Aleksey's question:

I'm trying to do kind of IP spoofing here;

I'm using it is connected via FE0/1 of R1) to setup IPSec peering with a remote peer but pretending that it is from (connected via FE0/0).

However my nat inside interface is FE0/1 ( and nat outside interface is FE1/0(outside interface).

In this case, would simple ip nat inside source static {ip} {ip} work ?

I've tried that unsuccessfully anyway.

Have I missed anything?

Thanks for your time already.

rsgamage1 Sat, 08/02/2008 - 04:11

It is a case related to IPSec manual keying.

I could get it working only in one way with,

ip nat inside source static {ip} {ip} route-map name reversible for ESP traffic, but a simple nat as you've suggested.

rsgamage1 Mon, 08/04/2008 - 04:17

According to the example you've sent, it is

ip nat inside source static esp interface Serial1/0 for ESP traffic.

However, this doesn't work for me as my architecture is different. So is the requirement. Hope it's clear.
