I have a client that needs to establish an IPSec tunnel from behind PAT on an 804 ISDN router. The router will be configured to get a dynamic address on the BRI from the ISP. The node that is running the VPN client is directly connected to the Ethernet port of the router. Is there any way to get this to work? If so, how? Thanks...
I'm working on a similar problem. I haven't tested yet, but I believe that you have to configure your VPN client using manual keys, with the same manual configuration on the other peer. You have to disable ISAKMP, which is based on UDP port 500. You can refer to a configuration in "IPSEC user guide for the cisco secure PIX Firewall ver 5.3"; it is a PIX-to-PIX configuration but could be a good reference.
I have also had this problem in a similar (NAT) setup. ISAKMP would not work, but manual keys were fine. I think it's because the HASH on ISAKMP can't be turned off (you can only choose between MD5 or SHA), and because of the NAT the packet will fail the HASH check.
Hope your configuration is working by now. I have implemented a VPN covering 130 retail sites, each site with a PC, one Cisco 803 and one ISDN BRI. The problem you have mentioned bugged me a lot. I struggled with the Cisco Secure client and Check Point's SecuRemote. The problem is that you need true NAT for this to function properly. In the case of an 803 router dialing an ISP, what we get is a variable IP address each time, so a true inbound NAT cannot be established. I used ETrust VPN from Computer Associates. It has no issues working through PAT.
The other way is to have an IPSec tunnel from the 803 BRI to the head office PIX. With PIX you can have dynamic crypto maps, which can handle the variable IP addresses from the originating routers.
I spent quite some time on this and I am happy the setup is working superbly. If you still have problems or need more information, feel free to contact me.
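A sketch of the router-to-PIX alternative described in the post above, added here as an illustration and not taken from any poster's configuration. All names, addresses, subnets and the key placeholder are assumptions (192.0.2.1 stands in for the PIX outside address, 10.0.0.0/24 for the head office LAN, 10.1.1.0/24 for one site LAN, BRI0 for the dial-up interface).

```cisco
: ---- Head office PIX (assumed outside address 192.0.2.1) ----
: Do not NAT head-office-to-site traffic, and let decrypted IPSec traffic in
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
: IKE phase 1 policy
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
: Wildcard key: the peer address is unknown in advance, so any address
: may authenticate with it and every site shares this one secret
isakmp key <PRESHARED-KEY> address 0.0.0.0 netmask 0.0.0.0
: The dynamic map carries no "set peer"; it accepts whatever address
: the site router was given by the ISP for this call
crypto ipsec transform-set SITES esp-3des esp-sha-hmac
crypto dynamic-map DYNSITES 10 set transform-set SITES
crypto map HQMAP 10 ipsec-isakmp dynamic DYNSITES
crypto map HQMAP interface outside

! ---- Site router (IOS), dynamic address on the BRI ----
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <PRESHARED-KEY> address 192.0.2.1
crypto ipsec transform-set HQ esp-3des esp-sha-hmac
! Static map on this side: the site always initiates towards the fixed PIX address
crypto map TOHQ 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set HQ
 match address 110
! Interesting traffic: site LAN to head office LAN
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
interface BRI0
 crypto map TOHQ
```

Because the router itself terminates the tunnel, the IPSec packets are sourced from the ISP-assigned address and never pass through PAT; only the site can bring the tunnel up, since the PIX has no fixed peer address to initiate to.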