Cisco Support Community

RVS4000 - we require peer to have ID 'a.a.a.a', but peer declares 'b.b.b.b'

Hello,

What is the good of advertising that you support NAT-T when clearly you don't?

Perhaps inbound client based VPN but what about outbound IPSec tunneling?

Consider this diagram...

[Image: RVS4000 IPSec Through NAT Issue.png]

Host 2 sits behind "RVS4000v2 Bravo"; policy allows it to create an IPSec tunnel with the Cisco2821 sitting in this DMZ. This IPSec passes through a firewall where no translations happen and everything is perfect.

Unfortunately Host 1 is behind "RVS4000v2 Alpha" (c.c.c.c) on the Internet and, because of security reasons, I cannot provide the Cisco2821 with direct Internet connectivity. The NAT'ing is working, as it appears that the systems understand there is NAT in the path, but the RVS4000-Alpha still gets spooked when the Phase 2 Offer message is from b.b.b.b (Cisco 2821) and not a.a.a.a (Firewall NAT'ed Cisco 2821).

I have full IP capability, as my devices do pass Phase 1 (as seen on the Cisco 2821):

ISAKMP: (4009):SA has been authenticated with a.a.a.a

ISAKMP: Trying to insert a peer b.b.b.b/a.a.a.a/500/,  and inserted successfully 47FE1CD8.

On The RVS4000:
Feb 18 14:08:14 - [VPN Log]: "PZ_Outside" #2: we require peer to have ID 'a.a.a.a', but peer declares 'b.b.b.b'
Feb 18 14:08:14 - [VPN Log]: "PZ_Outside" #2: sending encrypted notification INVALID_ID_INFORMATION to a.a.a.a:4500

On the Cisco2821(Inside the Firewall addressed a.a.a.a):
*Feb 18 19:02:45.847: ISAKMP: reserved not zero on HASH payload!
*Feb 18 19:02:45.847: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from c.c.c.c failed its sanity check or is malformed
*Feb 18 19:02:45.847: ISAKMP:(4019):deleting node -712730088 error TRUE reason "Invalid payload"

Is there any way to fix this? Is there no NAT-Traversal Enable function on the RVS4000? Is there no configurable item where I could tell the RVS4000 to accept the offer from a.a.a.a even if, inside the offer, it is coming from b.b.b.b?

Thanks Chris
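As an added illustration (not part of Chris's post, and not a Cisco or RVS4000 tool), here is a small Python parser that reads RVS4000-style "[VPN Log]" lines like the two quoted above and flags the pattern they show: the local side is exchanging IKE with one address on UDP/4500 (the post-NAT address), but the peer's ID payload carries a different address, because NAT-T encapsulates IKE in UDP without rewriting the identity inside the message. The sample log text is constructed from the lines in the post (a.a.a.a and b.b.b.b are the post's placeholders), and the regular expressions, class and function names are my own assumptions about the log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the RVS4000 "[VPN Log]" lines quoted in the
# post; a.a.a.a / b.b.b.b are the post's placeholders, not real addresses.
SAMPLE_VPN_LOG = """\
Feb 18 14:08:14 - [VPN Log]: "PZ_Outside" #2: we require peer to have ID 'a.a.a.a', but peer declares 'b.b.b.b'
Feb 18 14:08:14 - [VPN Log]: "PZ_Outside" #2: sending encrypted notification INVALID_ID_INFORMATION to a.a.a.a:4500
"""

# Assumed format of the message emitted when the peer's ID payload does not
# match the ID the local policy requires for that connection.
ID_MISMATCH_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): we require peer to have ID '
    r"'(?P<expected>[^']+)', but peer declares '(?P<declared>[^']+)'"
)
# Assumed format of the notification that follows; it carries the address
# the local side is actually talking to and the port (4500 means NAT-T).
NOTIFY_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): sending encrypted notification '
    r"INVALID_ID_INFORMATION to (?P<addr>[^:\s]+):(?P<port>\d+)"
)


@dataclass
class IdMismatch:
    conn: str
    state: int
    expected_id: str
    declared_id: str
    peer_addr: Optional[str] = None
    peer_port: Optional[int] = None

    @property
    def nat_t(self) -> bool:
        """True when IKE runs over UDP/4500, i.e. NAT-T encapsulation is active."""
        return self.peer_port == 4500

    @property
    def looks_like_nat_identity_problem(self) -> bool:
        """The symptom from the post: we reach the peer at the address we
        require as its ID, but it identifies itself by another address
        (its real interface address on the far side of the NAT)."""
        return (
            self.nat_t
            and self.peer_addr == self.expected_id
            and self.declared_id != self.expected_id
        )


def parse_vpn_log(text: str) -> List[IdMismatch]:
    """Collect ID-mismatch events and attach the INVALID_ID_INFORMATION
    notification that belongs to the same connection and state number."""
    events: List[IdMismatch] = []
    for line in text.splitlines():
        m = ID_MISMATCH_RE.search(line)
        if m:
            events.append(IdMismatch(m["conn"], int(m["state"]),
                                     m["expected"], m["declared"]))
            continue
        n = NOTIFY_RE.search(line)
        if n:
            for ev in events:
                if (ev.conn == n["conn"] and ev.state == int(n["state"])
                        and ev.peer_addr is None):
                    ev.peer_addr = n["addr"]
                    ev.peer_port = int(n["port"])
                    break
    return events


def explain(ev: IdMismatch) -> str:
    """One-line diagnosis for an operator reading the RVS4000 log."""
    if ev.looks_like_nat_identity_problem:
        return (f"{ev.conn}: peer reached at {ev.peer_addr} over NAT-T identifies "
                f"itself as {ev.declared_id}; NAT-T rewrites the UDP headers, not "
                f"the IKE ID payload, so an address-type ID of {ev.expected_id} "
                f"can never match")
    return f"{ev.conn}: peer ID {ev.declared_id!r} does not match required {ev.expected_id!r}"


if __name__ == "__main__":
    for ev in parse_vpn_log(SAMPLE_VPN_LOG):
        print(explain(ev))
```

The check only pairs lines that share the same connection name and state number, so unrelated retries in a busy log are not merged; the diagnosis string is what an operator would want surfaced, since the raw "we require peer to have ID" line does not say that the mismatch is a NAT-T identity problem rather than a typo in the remote-gateway setting.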

1 REPLY

Chris,

Hopefully someone from the products team will see this post and give some input, as I know if the RVS4000 is behind another router this isn't a supported configuration.

Jasbryan