Cisco Support Community
ISAKMP/IPSEC Stateful

Does anyone know if the process of creating phase 1 and phase 2 is a stateful connection or does it create a new connection somewhat like FTP?

Do you have link explaining it?

I have 2 firewalls, firewall A is the Inet Edge, Firewall B is the VPN box.

Firewall A provides NAT for all outgoing traffic. All traffic goes out a PAT.

Traffic for the VPN incoming is established by using a policy NAT, not a static. I see traffic for the tunnel hitting the VPN box but phase 2 is never established. I'm afraid phase 2 is using the PAT as the peer. Is this possible?

I know creating a static would solve my problem but I'm mostly interested in how the communication for the tunnel is completed.

  • Firewalling
2 REPLIES

Re: ISAKMP/IPSEC Stateful

Hi,

If your devices support IPsec NAT Traversal, then there shouldn't be any issues in IPsec tunnel formation.

Check this URL for an explanation of how IPsec detects the existence of NAT along the path and how subsequent stages are handled in the IPsec NAT Traversal feature.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm

Have you done any troubleshooting to capture some debug outputs, to examine what is going on during the phase 1 and phase 2 attempts?

To troubleshoot further, you may have to capture some diagnostics command and debugs on the involved devices.

Hope this helps.

-VJ

Re: ISAKMP/IPSEC Stateful

Hi ..

Even using static translation, if your end device does not support NAT-Transparency then you will not be able to establish the tunnel. The main reason is that NAT changes the IP header, which results in mismatches between the end points. NAT-Traversal overcomes this by encapsulating IPsec packets in an upper-layer protocol such as UDP before the NAT header is added. In that way the original IPsec packet is not modified in transit.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

I hope it helps. Please rate it if it does!!!
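An added example, not from this thread or from Cisco's documentation, of the two mechanisms the replies describe: the NAT-D check from the NAT Traversal feature that detects a NAT between the peers (each side hashes the address and port it believes it is using; the receiver recomputes over what actually arrived on the wire), and the UDP port 4500 framing that lets ESP cross a PAT. The cookies, addresses and ports are constructed, SHA-1 is assumed as the negotiated phase 1 hash, and IPv4 is assumed.

```python
import hashlib
import ipaddress
import struct

# Constructed scenario (not from the thread): the VPN box sits behind the
# edge firewall's PAT, so its own address differs from what the peer sees.
CKY_I = bytes.fromhex("0123456789abcdef")   # initiator cookie (constructed)
CKY_R = bytes.fromhex("fedcba9876543210")   # responder cookie (constructed)
VPN_BOX_INSIDE = ("10.0.0.5", 500)          # address the VPN box hashes locally
VPN_BOX_AS_SEEN = ("203.0.113.10", 41234)   # source after the edge PAT (constructed)
REMOTE_PEER = ("198.51.100.7", 500)         # peer with no NAT in front of it


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port). SHA-1 assumed."""
    assert len(cky_i) == 8 and len(cky_r) == 8, "ISAKMP cookies are 8 bytes"
    packed_ip = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(cky_i, cky_r, claimed_hash: bytes, seen_ip: str, seen_port: int) -> bool:
    """Receiver side: recompute over the source address/port actually observed.
    A mismatch means something rewrote the IP/UDP header in transit (a NAT)."""
    return nat_d_hash(cky_i, cky_r, seen_ip, seen_port) != claimed_hash


def scenario_behind_pat() -> bool:
    """VPN box hashes its inside address; the peer sees the PAT address -> NAT."""
    claimed = nat_d_hash(CKY_I, CKY_R, *VPN_BOX_INSIDE)
    return nat_detected(CKY_I, CKY_R, claimed, *VPN_BOX_AS_SEEN)


def scenario_no_nat() -> bool:
    """Peer's own address survives unchanged, so the hashes agree -> no NAT."""
    claimed = nat_d_hash(CKY_I, CKY_R, *REMOTE_PEER)
    return nat_detected(CKY_I, CKY_R, claimed, *REMOTE_PEER)


def classify_udp4500(payload: bytes) -> str:
    """Once NAT is detected both IKE and ESP move to UDP 4500 so the PAT has
    ports to track. The first 4 bytes tell them apart: a zero 'non-ESP marker'
    means IKE, a single 0xFF byte is a NAT keepalive, anything else is an ESP
    SPI (which is never zero) of a UDP-encapsulated ESP packet."""
    if payload == b"\xff":
        return "nat-keepalive"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    return "udp-encapsulated-esp"
```

Raw ESP (IP protocol 50) carries no port numbers at all, which is why it cannot be multiplexed through a PAT and why the UDP 4500 framing above is needed.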
