I set up a Cisco PIX 515 in my lab to test IPSec VPN. The PIX is behind a Linksys WRTP54G router and UDP port 500 is open. I can establish the VPN in the LAN, but I get a "not connected" error if I test it from a remote office that is behind another PIX 515E. I am not sure whether the problem is the Linksys router or the PIX in the office. Any suggestions?
I hope you will not mind if I tell you something about the Client logs.
From line 1 to 5 this is the initial connection to find the peer and establish a connection for further phase 1 negotiations.
From line 6 to 8 is internal processing of the VPN Client.
Line 9 is confirmation from the peer (gateway) that it received the packet and is ready for further negotiations (since we are the initiator the peer will never propose; we have to propose the policies).
From 10 to ... negotiation of the packets (Phase 1 policies).
Some things of interest:
DPD = Dead peer detection. To find out if the peer (any) is alive or not (something like keepalives).
xauth=extended authentication (the peer is telling that it can support xauth like radius or ad or ldap)
Line 14 is telling you that it also has something which it did not understand and will ignore. (The IPSEC RFC permits that the peer can send what they are capable of and the other peer can accept or reject)
Line 15 is very important as it tells you that the peer supports NAT Traversal (encapsulation of IPSEC packet in UDP on port 4500)
Line 16: Now I know with whom I am talking.
Line 17: Confirmation that initial contact succeeded.
Line 19 is Very Important because this is the problem
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
Convert 0x1194 to decimal. It is 4500 (not 500). Why?
Line 20 tells you the reason
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end IS behind a NAT device
It says that the peers are behind a NAT device. Somewhere in between a NAT-D packet was sent automatically by the peers (because you have the isa nat-trav 20 command in the PIX). The NAT-D packet is nothing but the hashed IP address of the peer in the packet. If the peer is behind a NAT device the hash will break, which means the device is behind a NAT; otherwise not.
So, in short, the problem is that you need to open up UDP/500 as well as UDP/4500 in the device in front of the PIX so that phase 2 can complete.
As soon as the peers find out that they are behind a NAT device they start encapsulating the IPSEC packets, both negotiation and traffic, in UDP (the source port is a random higher-numbered port and the destination will be 4500; the negotiation phase will use source and destination 4500).
Let me know if you are interested in other highlighted elements in the logs.
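The NAT-D check and the port reading described in the answer above, worked through as an added example (this is not the poster's code nor anything from Cisco). It assumes the RFC 3947 NAT-D layout, HASH(CKY-I | CKY-R | IP | Port), with SHA-1 as the hash (a real peer uses whatever hash phase 1 negotiated), and the ISAKMP cookies, addresses and log line are constructed for the demonstration:

```python
import hashlib
import ipaddress
import re
import struct

# Constructed sample line in the shape of the VPN client log quoted above.
IKE_PORT_LOG_LINE = "IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194"


def parse_ike_ports(line):
    """Pull the hex local/remote IKE ports out of a client log line, as decimal ints."""
    m = re.search(r"Local Port = 0x([0-9A-Fa-f]+), Remote Port = 0x([0-9A-Fa-f]+)", line)
    if not m:
        raise ValueError("not an IKE port line")
    return int(m.group(1), 16), int(m.group(2), 16)


def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption here; the negotiated phase 1 hash is used in practice."""
    addr = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def receiver_sees_nat(cky_i, cky_r, observed_ip, observed_port, nat_d_from_peer):
    """The receiver recomputes the hash over the source IP/port it actually sees in the
    packet header. A mismatch means an address or port was rewritten on the way, which is
    exactly the "hash will break" behaviour: the sender is behind NAT."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != nat_d_from_peer


def udp_ports_to_allow(local_behind_nat, remote_behind_nat):
    """Ports the device in front of the gateway must pass: UDP/500 always, and
    UDP/4500 as soon as either side is detected behind NAT (UDP-encapsulated ESP)."""
    ports = {500}
    if local_behind_nat or remote_behind_nat:
        ports.add(4500)
    return ports


def demo():
    """Run one NAT and one no-NAT scenario; returns (nat_detected, nat_detected_without_nat)."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie

    # Client inside the LAN hashes its own private address into NAT-D ...
    sent = nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)
    # ... but the gateway sees the packet arrive from the router's public address.
    nat_case = receiver_sees_nat(cky_i, cky_r, "203.0.113.5", 500, sent)

    # Same exchange with a public address and no translation in the path.
    sent2 = nat_d_hash(cky_i, cky_r, "198.51.100.7", 500)
    no_nat_case = receiver_sees_nat(cky_i, cky_r, "198.51.100.7", 500, sent2)
    return nat_case, no_nat_case


if __name__ == "__main__":
    local, remote = parse_ike_ports(IKE_PORT_LOG_LINE)
    print("IKE ports in use:", local, remote)            # 4500 4500
    nat, no_nat = demo()
    print("NAT detected behind router:", nat)           # True
    print("NAT detected on public address:", no_nat)    # False
    print("UDP ports to open in front of the PIX:", sorted(udp_ports_to_allow(nat, nat)))
```

Run it and the second scenario shows why only the no-NAT peer can stay on UDP/500: once either NAT-D hash fails to match, the peers move negotiation and ESP to UDP/4500, so a filter that passes UDP/500 alone lets phase 1 start and then silently drops everything phase 2 needs.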