GRE-IPSEC Tunnel Problem with NAT-T

morgan.brownlie, Level 1

Hi,

Maybe someone has come across this problem before: we're trying to build a GRE tunnel over the internet running IPsec.

Our router A is a 1841 directly connected to the ISP's broadband router (which we have no control over). This is the remote site.

Our internal connection to their router is via F0/1 and static private addresses are assigned; we can ping the ISP's interface with no problems and can prove internet connectivity is working OK.

One thing to note is we are not performing any NAT functions on our Cisco 1841, and the ISP router is set up for transparent NAT (so they say).

The GRE/IPsec tunnel configs at both ends are correct and have been tested in a lab environment (obviously without the ISP in the loop); however, the tunnels won't come up/up even though we're getting hits on the access lists at both sides.

When we turned on 'debug crypto isakmp' we see the tunnel trying to establish at both sides and retrying 5 times; however, we see some unusual ISAKMP debug messages relating to NAT-T (full debug log attached):

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): processing vendor id payload
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*May 7 18:10:26.596: ISAKMP (0:0): vendor ID is NAT-T v7
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): processing vendor id payload
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): processing vendor id payload
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 20.138.253.190
*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): local preshared key found

This has happened with 3 different sites in Europe, all with different ISPs.

I'm not 100% sure if this is an ISP issue relating to the setup of their router performing the NAT functions, or maybe even if we're seeing a bug in the IOS relating to NAT-T. In the meantime I've asked for the configs/logs from the ISP.

Any help where to troubleshoot would be much appreciated.

Cheers.

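Editor's note, added as a worked example rather than anything from the post above or from Cisco: the "vendor ID is NAT-T v2/v3/v7" lines in the debug are only the capability advertisement (each peer hashes the names of the NAT-T drafts/RFC it supports into vendor ID payloads). The actual decision about whether a NAT sits between the peers is made later from the NAT-D payloads defined in RFC 3947, which the Python below computes and compares. The cookies, addresses and ports are constructed using documentation address ranges, not the poster's, and SHA-1 is assumed as the hash negotiated in phase 1.

```python
"""NAT-D computation and comparison from RFC 3947 (ISAKMP NAT-Traversal).

Added illustration; not from the forum post and not Cisco's implementation.
All cookies, addresses and ports below are constructed for the example.
"""
import hashlib
import ipaddress
import struct

HASH_NAME = "sha1"  # assumption: phase 1 negotiated HMAC-SHA, so NAT-D uses SHA-1


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: NAT-D = HASH(CKY-I | CKY-R | IP | Port).

    CKY-I / CKY-R are the 8-byte ISAKMP cookies from the header, IP is the
    4-byte IPv4 address and Port is 2 bytes, both in network byte order.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.new(HASH_NAME, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local, remote):
    """Sender side. The first NAT-D payload covers the remote (destination)
    address, the following one covers the sender's own address as the sender
    itself sees it. `local` and `remote` are (ip, port) tuples."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received, wire_src, wire_dst):
    """Receiver side. Recompute NAT-D over the addresses actually seen in the
    IP/UDP headers and compare with what the peer sent.

    received : list of NAT-D payloads from the peer, in order
    wire_src : (ip, port) the packet arrived from
    wire_dst : (ip, port) the packet was addressed to (our own address)
    Returns which side is behind a NAT."""
    # The peer computed received[0] over *our* address as the peer knows it. If
    # that is not the address the packet really arrived at, we are behind a NAT.
    we_are_natted = received[0] != nat_d_hash(cky_i, cky_r, *wire_dst)
    # received[1:] are the peer's own addresses. If none matches the source we
    # saw on the wire, the peer's address or port was rewritten in transit.
    peer_is_natted = nat_d_hash(cky_i, cky_r, *wire_src) not in received[1:]
    return {"local_nat": we_are_natted, "remote_nat": peer_is_natted}


def remote_site_behind_nat_example():
    """Constructed scenario: initiator A at private 10.1.1.2 sits behind an ISP
    box that rewrites its source to 198.51.100.7; responder B has a public
    192.0.2.10. Returns B's view of the NAT-D comparison."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    a_private, a_public, b_public = ("10.1.1.2", 500), ("198.51.100.7", 500), ("192.0.2.10", 500)

    # A hashes the addresses *it* sees: B's public address and its own private one.
    payloads_from_a = build_nat_d_payloads(cky_i, cky_r, local=a_private, remote=b_public)
    # B receives the packet after the NAT, so the source is A's translated address.
    return detect_nat(cky_i, cky_r, payloads_from_a, wire_src=a_public, wire_dst=b_public)


if __name__ == "__main__":
    print(remote_site_behind_nat_example())  # {'local_nat': False, 'remote_nat': True}
```

Two practical consequences follow from this exchange. First, the NAT-D payloads are sent in main mode messages 3 and 4 (aggressive mode 2 and 3), so a peer can reach the "found peer pre-shared key" stage in the debug and still have NAT detection ahead of it. Second, once either side detects a NAT, the remaining ISAKMP messages and the ESP traffic move to UDP/4500, so UDP/4500 must pass in both directions as well as UDP/500; a device that rewrites only the source port (the PAT case) trips the check exactly like a full address rewrite. On IOS, `show crypto isakmp sa detail` marks an SA with the N capability flag when NAT-T was negotiated for it.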
1 Reply

tj.mitchell, Level 4

Can you send over the configurations?

You seem to have a phase 1 issue; it's not negotiating correctly.

Thanks