VPN Client 3.x through NAT overload

Carlos A. Silva
Level 3

I'm trying to set up the following:

PC1(vpn client)-|----DSL(NAT/PAT)----(internet)----Cisco1750(3DES-IPSEC)
                |
PC2(vpn client)-|

The idea here is to be able to terminate VPNs through a DSL device that's doing PAT (NAT overload). The issue is to be able to initiate different SAs (from different PCs using VPN Client 3.x) that are initiated from the same public IP address (the one given by the ISP for the DSL connection).

On the VPN client I saw an option that 'allows' me to use the client over NAT/PAT/FIREWALL, but it calls for me to designate a particular TCP arrival port that will be used to send the IPSec request to the tunnel terminator; the thing here is that I haven't found any info on how to use this.

Anyone tried this setup? Do you have a URL/configs I can take a look at?

Thanks,

carlos.

6 Replies

mklaphek
Level 1

The feature you're referring to is called transparent tunneling. It uses either TCP or UDP as a transport, thereby allowing it to work through PAT devices. As far as I know, it's only supported on the VPN concentrator (the PIX is supposed to support this on the next release).

Someone correct me if I'm wrong, but I don't think it's supported on the router (yet).

Yes, but routers can do PAT and pass through IPSec. PIX - cannot (?).

Look at http://www.cisco.com/warp/public/471/ios_pat_ipsec_tunnel.html

though it is of no use for the initial question.

I know you can do the 'Allow IPSec over UDP' terminating on PIX 6.2(2), because I'm using it.

Have not been able to find out how to do 'IPSEC over TCP' though...

Not sure if it's possible using Router IOS.

jeff_caprock
Level 1

It does work, but the transparent tunneling is irrelevant for router IOS because you're not tunneling through to the actual IPSec device - the router _is_ the tunnel endpoint.

Yes, you can do NAT/PAT for vpns with different policies. Create different ipsec internal pools, and associate different SAs with those respective pools. Also, be sure to replace the existing NAT/PAT translations with the nonat route map shown in the IPSec examples.

-Jeff

Hi Jeff,

Here is my design:

VPN client 1--------|-----router----(IPSEC)---PIX
                    |
VPN client 2--------|

When I connect with the first client, it's OK!

When I connect the second client, the first one is dropped and the second is OK.

I'm doing PAT on the router and I'm using UDP; the router gets its public IP address from the ISP.

I've been told that multiple VPN clients cannot run at the same time behind PAT since IPSEC uses UDP port as source and destination address.

Are you sure it can work? If yes, what should I implement on the PIX?

Regards,
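The symptom described above (the first client drops as soon as the second connects) is what a plain port-overloading NAT does to ESP. IKE itself travels over UDP 500 and gets its own translated source port per inside host, but ESP (IP protocol 50) has no transport header and therefore no port for the PAT device to key on, so it can hold only one ESP binding towards a given peer. The VPN Client's transparent tunneling option wraps ESP in UDP (or TCP) so each client's flow again carries a port. The following is an added model written for this thread, not a Cisco component or anything posted here; the addresses, the client-side UDP port and the two inside hosts are constructed. It deliberately models a PAT device with no IPsec pass-through helper; a device that tracks SPIs (the subject of the IOS document linked earlier in the thread) behaves better than this.

```python
"""Toy PAT (NAT overload) table: why two VPN clients behind one public
address collide when their IPsec traffic is raw ESP, and why wrapping ESP in
UDP (the VPN Client's "transparent tunneling" / IPsec over UDP) lets them
coexist. Constructed example for this thread, not a Cisco component; all
addresses and ports are made up."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # assumed: address the ISP gave the DSL/PAT device
PEER = "198.51.100.1"        # assumed: public address of the IPsec terminator
CLIENTS = ["192.168.1.10", "192.168.1.11"]   # constructed inside hosts
UDP_ENCAP_PORT = 10000        # assumed "IPSec over UDP" port set on the client
ESP, UDP = 50, 17             # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP: no transport header, so no ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP only; PAT without an ESP helper ignores it


class PatDevice:
    """Port-overloading NAT. Flows with ports get a unique outside port each;
    portless protocols (ESP) share one slot per (proto, destination), so the
    most recent inside host claims it. That is the behaviour of a plain PAT
    with no IPsec pass-through helper."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 1024
        self.port_map = {}    # (proto, inside_ip, inside_port) -> outside_port
        self.portless = {}    # (proto, dst) -> inside_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and record the binding."""
        if pkt.sport is None:
            self.portless[(pkt.proto, pkt.dst)] = pkt.src   # newest host wins
            return Packet(self.public_ip, pkt.dst, pkt.proto, spi=pkt.spi)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.port_map:
            self.port_map[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst, pkt.proto,
                      sport=self.port_map[key], dport=pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Return the inside host an outside->inside packet is delivered to."""
        if pkt.dport is None:
            return self.portless.get((pkt.proto, pkt.src))
        for (proto, inside_ip, _inside_port), outside in self.port_map.items():
            if proto == pkt.proto and outside == pkt.dport:
                return inside_ip
        return None   # no binding: the PAT device drops it


def simulate(udp_encapsulation: bool) -> dict:
    """Bring up both clients, let the peer answer each, and report which
    client actually receives its own return traffic."""
    pat = PatDevice(PUBLIC_IP)
    as_seen_by_peer = {}
    for i, client in enumerate(CLIENTS):
        spi = 0x1000 + i                       # one inbound SPI per client
        if udp_encapsulation:
            pkt = Packet(client, PEER, UDP, sport=UDP_ENCAP_PORT,
                         dport=UDP_ENCAP_PORT)
        else:
            pkt = Packet(client, PEER, ESP, spi=spi)
        as_seen_by_peer[client] = pat.outbound(pkt)

    delivered = {}
    for client, seen in as_seen_by_peer.items():
        # The peer can only answer to what it saw: PUBLIC_IP, plus the
        # translated source port if there was one.
        if seen.sport is None:
            reply = Packet(PEER, PUBLIC_IP, ESP, spi=seen.spi)
        else:
            reply = Packet(PEER, PUBLIC_IP, UDP, sport=seen.dport,
                           dport=seen.sport)
        delivered[client] = pat.inbound(reply) == client
    return delivered


if __name__ == "__main__":
    print("raw ESP:        ", simulate(False))
    print("IPsec over UDP: ", simulate(True))
```

Run as-is, `simulate(False)` shows only the second client receiving its return traffic, which is exactly the "first one is dropped" behaviour; `simulate(True)` shows both clients served, because the PAT device now has a distinct outside port per client to deliver replies on. The same logic is why the client option asks you to nominate a port: that port is what the encapsulated IPsec packets carry, and the terminator has to be configured to accept IPsec on it.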

jeff_caprock
Level 1

I forgot to attach the working config, changed to remove my own stuff.

-Jeff

-----------------------------------------------------

! AAA lists referenced by the crypto map below; without them the
! "client authentication list" / "isakmp authorization list" commands
! have nothing to point at (assumed restored here, using the local database)
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! Local user for Xauth; prefer "secret" over the reversible "password"
! on IOS versions that support it
username testvpn password 12345
!
ip subnet-zero
!
! Phase 1: 3DES, pre-shared key, DH group 2, matching what VPN Client 3.x proposes
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
! Group the clients connect to (group name and key are entered on the client)
crypto isakmp client configuration group mygroup
 key mykey
 dns 192.168.1.5
 wins 192.168.1.5
 domain mydomain.net
 pool ipsec-pool
!
! Phase 2 transform set; the name must match the one in the dynamic map
! (the posted config defined "bciset" here but referenced "myset" below)
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 description Connected to Cisco 2924 Port 24
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 description Outside public interface
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map clientmap
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network 10.0.0.0 0.255.255.255 area 0.0.0.0
 network 172.16.0.0 0.0.31.255 area 0.0.0.0
 network 192.168.0.0 0.0.255.255 area 0.0.0.0
 default-information originate
!
! Addresses handed to connected clients via mode-config
ip local pool ipsec-pool 192.168.0.50 192.168.0.75
!
! PAT for the LAN, but only for traffic the route-map permits
ip nat inside source route-map nonat interface Ethernet0/1 overload
!
! Exempt LAN -> client-pool traffic from NAT so it enters the tunnel
! untranslated; everything else from the LAN is PAT'd to the outside address
access-list 191 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 191 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 191
!