Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

IPSec NAT Transparency

Hello all

On IOS 12.2.13T IPSec NAT Transparency has been implemented, so if the client is behind a PAT mechanism will be able to work (till now, we had to use VPN Concetrator for that).

The bad news is that it didnt work for me.. Although I upgraded my cisco1751 to that version, when my client connects i get "Transparent Tunneling: Inactive" on my client. With the same client, on a VPN Concetrator, i get 'Active' and it works..

According to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm#xtocid12 which describes the new IOS feature, there isnt much i should do in order to enable IPSEC Nat Transparency..

Is there anyone that made this feature work?

Regards

9 REPLIES
Cisco Employee

Re: IPSec NAT Transparency

I think you might have the wrong idea about this new feature. Are you thinking that this allows you to connect a Cisco VPN client in IPSec over UDP mode, like you can to a VPN concentrator?

If so, this is not what this is used for. This new feature, NAT-T, is a new standards-based feature that allows IPSec gateways to automatically detect if there's a NAT/PAT device in between them and their IPSec peer, and if so, automatically encapsulate the IPSec packets into UDP port 4500 packets.

NAT-T was introduced in the VPN Client in 3.6 and later, and was introduced in the router in 12.2(13)T as you have seen, so make sure you're running at least 3.6 of the client code. Make sure you have UDP port 4500 open between the router and client also.

Remember though, this is NOT IPSec over UDP like you're used to with the concentrator. It works similar, but is different and I don't think you see any "Transparent Tunnelling: active" on the client if it detects that it needs to use NAT-T. In clients 3.6 and above they'll first try to connect using the standard-based NAT-T (UDP port 4500), and then (if enabled) they'll try with the non-standard "IPsec over UDP" on port 10000.

Community Member

Re: IPSec NAT Transparency

Anyway is NOT working at all: I just upgrade a 826 to 12.2.13T IP/FW/VOICE PLUS 3DES (is the only available with FW and VPN, why voice?... no idea) and is absolutely not working.

After the establishment of the ipsec connection (without NAT/UDP) the vpn disconnect after some seconds (from 2 to 40 sec)

"debug crypto ipsec" tell me:

IPSEC(epa_des_crypt): decrypted packet failed SA identity check

I downgrade to the previews release (without changing the config) and in works again (at lease the ipsec vpn without NAT-T)

I don’t try to put a NAT router in between…

regards

e.l
Community Member

Re: IPSec NAT Transparency

Hi Glen,

Your posting is always very helpfull. Really appreciate for your detailed answer.

Are you online on the "eSupport" forum also ?

Best Regards,

Engelhard M. Labiro

Community Member

Re: IPSec NAT Transparency

Thanx alot for your answer, I actually used client ver 3.6 and my problem was solved. Thanx again

Community Member

Re: IPSec NAT Transparency

One last question..

You are refering to a 'NAT-T, a new standards-based feature..'

What standards are you refering to? Is there an RFC or any other document describing the above?

Thanx again for your time!

Community Member

Re: IPSec NAT Transparency

So named NAT-T still is not a standard. There is an IETF IPSec draft for it:

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-04.txt

Cisco support it in the latest OS-es for VPN3K concentrator and the latest version (3.6) of the VPN client.

Community Member

Re: IPSec NAT Transparency

I retry!

By me the new IOS 12.2.13T with NAT-T dosen't works. I load the new IOS on a 826:

After the establishment of the ipsec connection (without NAT/UDP) the vpn disconnect after some seconds (from 2 to 40 sec)

I start debugging (debug crypto ipsec):

IPSEC(epa_des_crypt): decrypted packet failed SA identity check

I downgrade to the previews release (without changing the config) and it works again.

PLEASE HELP ME

regards

Community Member

Re: IPSec NAT Transparency

Don't worry. That seems to be a bug. Open a case in Cisco TAC, otherwise there is no guarantee that somebody will fix it.

Community Member

Re: IPSec NAT Transparency

Looks like several of us have fallen prey to the same bug. You may find it interesting to read my post of 08-Mar-2003 with the title "ios bugs 12.2(13)T + 12.2(13)T1 break client-to-router vpn on 806"

619
Views
14
Helpful
9
Replies
CreatePlease to create content