08-07-2008 06:48 AM - edited 02-21-2020 03:52 PM
I'm having a little bit of a problem getting a site-to-site VPN established using NAT through the tunnel, so maybe someone would be able to help me out.
The internal network behind my firewall needs to be hidden, since the other company is already using the same network address as our internal network. When the other company issues a ping from their network to our network (the network we configured to hide our actual internal network), the VPN tunnel gets established and they receive replies to the ping. However, when we try to ping the other company's network from ours, the debug messages show that the VPN peer is added but then deleted, and the ping is unsuccessful. I posted the relevant part of the config on our end and the debugging messages. All the IPsec parameters match on both ends. Any help would be appreciated. Thanks.
Our real internal - 192.168.2.0
Their internal - 172.29.0.0
Network for hiding real internal - 192.168.81.0
Config
! Crypto ACL for the separate 10.0.1.0 tunnel; "nat (inside) 0" below exempts this traffic from translation
access-list VPN permit ip 192.168.2.0 255.255.255.0 10.0.1.0 255.255.255.0
! Crypto ACL for the partner tunnel: proxy IDs use the hiding network 192.168.81.0/24, never the real 192.168.2.0/24
access-list OTHER_COMPANY permit ip 192.168.81.0 255.255.255.0 172.29.0.0 255.255.0.0
! Policy-static ACLs: each printer keeps a fixed 192.168.81.x address when talking to 172.29.0.0/16
access-list PRINTER1 permit ip host 192.168.2.240 172.29.0.0 255.255.0.0
access-list PRINTER2 permit ip host 192.168.2.12 172.29.0.0 255.255.0.0
! Policy-NAT ACL: everything else from the real network headed to the partner is translated via pool 1
access-list OTHER_COMPANY-NAT permit ip 192.168.2.0 255.255.255.0 172.29.0.0 255.255.0.0
.
.
! Pool 2 = PAT to the outside interface for ordinary Internet traffic
global (outside) 2 interface
! Pool 1 = PAT to 192.168.81.100, an address inside the partner-facing crypto ACL
global (outside) 1 192.168.81.100
nat (inside) 0 access-list VPN
nat (inside) 1 access-list OTHER_COMPANY-NAT 0 0
nat (inside) 2 192.168.2.0 255.255.255.0 0 0
! Statics take precedence over nat/global, so the two printers are translated one-to-one
static (inside,outside) 192.168.81.240 access-list PRINTER1 0 0
static (inside,outside) 192.168.81.12 access-list PRINTER2 0 0
.
.
.
sysopt connection permit-ipsec
crypto ipsec transform-set STRONG-DES esp-3des esp-sha-hmac
crypto dynamic-map CISCO 4 set transform-set STRONG-DES
crypto map partner-map 15 ipsec-isakmp
crypto map partner-map 15 match address OTHER_COMPANY
crypto map partner-map 15 set peer {OTHER_COMPANY PUBLIC IP}
crypto map partner-map 15 set transform-set STRONG-DES
crypto map partner-map 15 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map partner-map 50 ipsec-isakmp dynamic CISCO
crypto map partner-map client authentication IASAUTH
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address {OTHER_COMPANY PUBLIC IP} netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
08-07-2008 06:50 AM
Debugging
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 495671930:1d8b5a7a
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc399bd41(3281632577) for SA
from {THEIR PUBLIC IP} to {OUR PUBLIC IP} for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:{THEIR PUBLIC IP}/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:{THEIR PUBLIC IP}/500 Ref cnt incremented to:1 Total VPN Peers:2
crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 2413798605
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1208134764, spi size = 16
ISAKMP (0): deleting SA: src {OUR PUBLIC IP}, dst {THEIR PUBLIC IP}
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xadf26c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:{THEIR PUBLIC IP}/500 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:{THEIR PUBLIC IP}/500 Total VPN peers:1
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with {THEIR PUBLIC IP}
08-07-2008 09:08 AM
Never mind, I figured out my problem. The access lists were not completely the opposite of what they had configured on their end.
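The resolution above is the classic IKEv1 Phase 2 failure: the debug shows Phase 1 completing ("SA has been authenticated"), then "processing NOTIFY payload 14 protocol 3" right after our Quick Mode proposal. Notify type 14 is NO-PROPOSAL-CHOSEN (RFC 2408) and protocol 3 is ESP, which is what a peer typically returns when the proxy IDs we offer (here 192.168.81.0/24 <-> 172.29.0.0/16) match none of its own crypto map entries, after which it deletes the ISAKMP SA. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses PIX-style "access-list NAME permit ip ..." lines from both ends and reports every proxy-ID pair that is not an exact mirror image. Our ACL is the one posted above; the partner-side ACLs are constructed, since the thread never shows them, and the ACL name TO_PARTNER is an assumption.

```python
import ipaddress

# Constructed sample input. OUR_CRYPTO_ACL is our side's crypto ACL as posted in the
# thread; the partner-side ACLs below are assumptions, since the thread never shows them.
OUR_CRYPTO_ACL = """
access-list OTHER_COMPANY permit ip 192.168.81.0 255.255.255.0 172.29.0.0 255.255.0.0
"""

# Partner side written as the exact mirror of ours (what the fix in the thread amounts to).
THEIR_CRYPTO_ACL_GOOD = """
access-list TO_PARTNER permit ip 172.29.0.0 255.255.0.0 192.168.81.0 255.255.255.0
"""

# Partner side with a mask typo: their source is a /24 where our ACL expects a /16.
THEIR_CRYPTO_ACL_BAD = """
access-list TO_PARTNER permit ip 172.29.0.0 255.255.255.0 192.168.81.0 255.255.255.0
"""


def _parse_addr(tokens, i):
    """Parse one PIX 6.x address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns (network, index of the next unparsed token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash, e.g. 172.29.0.0/255.255.0.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(text):
    """Return the set of (src, dst) proxy-ID pairs defined by 'access-list NAME permit ip ...' lines.
    Deny lines and non-IP protocols are skipped; a crypto ACL should not contain them anyway."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        pairs.add((src, dst))
    return pairs


def _fmt(pair):
    return f"{pair[0]} -> {pair[1]}"


def check_mirror(our_text, their_text):
    """Compare our proxy IDs with the mirror image of the peer's.
    Both difference lists are reported in OUR orientation (our src -> our dst)."""
    ours = parse_crypto_acl(our_text)
    theirs_mirrored = {(dst, src) for (src, dst) in parse_crypto_acl(their_text)}
    missing = ours - theirs_mirrored  # we will propose these; the peer has no matching entry
    extra = theirs_mirrored - ours    # the peer may propose these; we have no matching entry
    return {
        "ok": not missing and not extra,
        "missing_on_their_side": sorted(_fmt(p) for p in missing),
        "extra_on_their_side": sorted(_fmt(p) for p in extra),
    }


if __name__ == "__main__":
    for label, theirs in (("mirror", THEIR_CRYPTO_ACL_GOOD), ("mask typo", THEIR_CRYPTO_ACL_BAD)):
        print(label, check_mirror(OUR_CRYPTO_ACL, theirs))
```

Run it against the real ACLs from both firewalls before opening a ticket with the partner: anything listed under missing_on_their_side is a proposal the peer will answer with NO-PROPOSAL-CHOSEN, and anything under extra_on_their_side will fail in the other direction. Remember that the pairs have to be the post-NAT addresses on both ends, which is why the check uses 192.168.81.0/24 rather than the hidden 192.168.2.0/24.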