Attn. Cisco! Backup LAN-to-LAN is incompatible with NAT on VPN3k
I'm trying to set up a redundant Site-to-Site VPN with a single VPN 3000 box in the remote site and two VPN 3000 boxes in the central site. The central site boxes are placed in the DMZ behind a NAT gateway with static NAT configured. Redundancy is achieved with the Backup LAN-to-LAN feature: the remote site VPN 3000 is configured as "Initiate-only" and the central site boxes are configured as "Answer-only".
Unfortunately this setup doesn't work. The remote site VPN 3000 immediately tries to initiate the tunnel and proposes the following Proxy IDs in the Phase 2 ID Payload: "<Remote-IP>/32, <Central-site-Global-IP>/32". The central site box doesn't know that its public-interface IP is NATed to <Central-site-Global-IP> and rejects the tunnel:
"Tunnel rejected: Policy not found for Src:<Remote-IP>, Dst: <Central-site-Global-IP>!"
1. What is the reason for creating extra /32-to-/32 SAs in Backup LAN-to-LAN? Why not just create a tunnel between the remote and local subnets as usual?
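The rejection described in the post comes down to Phase 2 selector matching: the responder looks for a LAN-to-LAN rule whose local selector covers the destination the initiator proposed, and the address the initiator proposes is the NAT gateway's global address, not the responder's own interface address. The following is an added illustration of that matching logic in a deliberately simplified model; it is not VPN 3000 code, not Cisco's behaviour, and not a verified fix. The `Policy`/`ProxyIds` types, the rule names and all IP addresses (taken from the RFC 5737 documentation ranges) are constructed for the example.

```python
"""Simplified IKE Phase 2 (Quick Mode) proxy-ID matching on a responder
that sits behind a static NAT gateway.

Added illustration only (not VPN 3000 code). All addresses, rule names
and the matching rule itself are constructed assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    """One LAN-to-LAN rule: the local and remote address ranges it protects."""
    name: str
    local: IPv4Net
    remote: IPv4Net


@dataclass(frozen=True)
class ProxyIds:
    """The Phase 2 ID payload pair the initiator proposes."""
    src: IPv4Net   # initiator's own identity
    dst: IPv4Net   # what the initiator believes is the responder's identity


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


def find_policy(proposal: ProxyIds, policies: List[Policy]) -> Optional[Policy]:
    """Return the first policy whose selectors cover the proposed IDs.

    The responder accepts when the initiator's src lies inside our `remote`
    selector AND the initiator's dst lies inside our `local` selector.
    Equal networks count as covered (a /32 matches an identical /32)."""
    for p in policies:
        if proposal.src.subnet_of(p.remote) and proposal.dst.subnet_of(p.local):
            return p
    return None


def evaluate(proposal: ProxyIds, policies: List[Policy]) -> str:
    """Mimic the responder's decision message for a proposal."""
    p = find_policy(proposal, policies)
    if p is None:
        return (f"Tunnel rejected: Policy not found for "
                f"Src:{proposal.src}, Dst:{proposal.dst}!")
    return f"Tunnel accepted under policy '{p.name}'"


# --- Constructed topology (RFC 5737 documentation addresses) ----------------
REMOTE_PUBLIC_IP = "203.0.113.10"     # remote-site box's public interface
CENTRAL_PRIVATE_IP = "10.20.0.2"      # central box's interface inside the DMZ
CENTRAL_GLOBAL_IP = "198.51.100.2"    # static-NAT address seen from outside
REMOTE_LAN = "192.168.1.0/24"
CENTRAL_LAN = "10.30.0.0/16"

# Policies as the central (answer-only) box knows them: it only knows its own
# private interface address, so its /32 peer rule uses CENTRAL_PRIVATE_IP.
CENTRAL_POLICIES = [
    Policy("l2l-subnets", net(CENTRAL_LAN), net(REMOTE_LAN)),
    Policy("backup-l2l-peer", net(CENTRAL_PRIVATE_IP + "/32"),
           net(REMOTE_PUBLIC_IP + "/32")),
]

# Same rules, but the /32 peer rule is written in terms of the address the
# initiator actually sees after NAT.
NAT_AWARE_POLICIES = [
    Policy("l2l-subnets", net(CENTRAL_LAN), net(REMOTE_LAN)),
    Policy("backup-l2l-nat-aware", net(CENTRAL_GLOBAL_IP + "/32"),
           net(REMOTE_PUBLIC_IP + "/32")),
]

# Ordinary subnet-to-subnet proposal, and the extra /32-to-/32 proposal the
# post attributes to the Backup LAN-to-LAN feature.
SUBNET_PROPOSAL = ProxyIds(net(REMOTE_LAN), net(CENTRAL_LAN))
BACKUP_PROPOSAL = ProxyIds(net(REMOTE_PUBLIC_IP + "/32"),
                           net(CENTRAL_GLOBAL_IP + "/32"))

if __name__ == "__main__":
    print(evaluate(SUBNET_PROPOSAL, CENTRAL_POLICIES))
    print(evaluate(BACKUP_PROPOSAL, CENTRAL_POLICIES))     # the post's failure
    print(evaluate(BACKUP_PROPOSAL, NAT_AWARE_POLICIES))
```

Running it reproduces the shape of the error from the post: the subnet proposal matches, but the /32-to-/32 proposal fails against a responder whose peer rule names its pre-NAT interface address, and passes only when the local selector is expressed as the translated address. Whether the VPN 3000 exposes a way to configure that is exactly the question the post raises; the model just shows where the selector comparison breaks.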