Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

GRE-IPSEC Tunnel Problem with NAT-T

Hi,

Maybe someone has come across this problem before, we're trying to build a GRE tunnel over the internet running IPSEC.

Our routerA is a 1841 directly connected to the ISP's broadband router (which we have no control over) This is the remote site.

Our internal connection to their router is via F0/1 and static private addresses are assigned, we can ping the ISP's interface with no problems and can prove internet connectivity is working ok.

One thing to note is we are not performing any NAT function's on our cisco1841, and the ISP router is setup for Transparent NAT (so they say).

The GRE / IPSEC tunnel configs at both ends are correct + have been tested in lab environment (obviously without the ISP in the loop), however the tunnel's wont come up/up even though were getting hits on the access lists at both sides.

When we turned on 'debug crypto isakmp' we see the tunnel trying to establish at both sides + retrying 5 times, however we see some unusual ISAKMP debug messages relating to NAT-T (full debug log attached)

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): processing vendor id payload

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

*May 7 18:10:26.596: ISAKMP (0:0): vendor ID is NAT-T v7

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): processing vendor id payload

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): processing vendor id payload

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 20.138.253.190

*May 7 18:10:26.596: ISAKMP:(0:0:N/A:0): local preshared key found

This has happened with 3 different sites in Europe, all with different ISP's.

Im not 100% sure if this is an ISP issue relating to the setup of their router performing the NAT functions, or maybe even if we're seeing a bug in the IOS relating to NAT-T. In the meantime I've asked for the configs / logs from the ISP.

Any help where to troubleshoot would be much appreciated.

Cheers.

1 REPLY
Bronze

Re: GRE-IPSEC Tunnel Problem with NAT-T

Can you send over the configurations

You seem to have a phase 1 issue, it's not negotiating correctly.

Thanks

654
Views
0
Helpful
1
Replies
CreatePlease to create content