Cisco Support Community

ovt (Bronze)

Atn. Cisco! Backup LAN-to-LAN is incompatible with NAT on VPN3k

Hi!

I'm trying to set up a redundant Site-to-Site VPN with a single VPN 3000 box in the remote site and two VPN 3000 boxes in the central site. The central site boxes are placed in the DMZ behind a NAT gateway with static NAT configured. Redundancy is achieved with the Backup LAN-to-LAN feature: the remote site VPN 3000 is configured as "Initiate-only" and the central site boxes are configured as "Answer-only".

Unfortunately this setup doesn't work. The remote site VPN 3000 immediately tries to initiate the tunnel and proposes the following Proxy IDs in the Phase 2 ID Payload: "<Remote-IP>/32, <Central-site-Global-IP>/32". The central site box doesn't know that its Public-intf IP is NATed to <Central-site-Global-IP> and rejects the tunnel:

"Tunnel rejected: Policy not found for Src:<Remote-IP>, Dst: <Central-site-Global-IP>!"

Two questions:

1. What is the reason for creating extra /32-to-/32 SAs in Backup LAN-to-LAN? Why not just create a tunnel between the remote and local subnets as usual?

2. Is there a way to work around this problem?

Regards,

Oleg Tipisov,

REDCENTER

103 Views · 0 Helpful · 0 Replies
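The rejection quoted in the post comes down to a Phase 2 proxy-ID lookup: the peer proposes the concentrator's global (post-NAT) address as the local /32, while the concentrator's own policy only knows its inside interface address. The following is an added troubleshooting example, not Cisco code or anything from the original thread; it parses a constructed "Policy not found" log line, tries the proxy-ID lookup against a hypothetical policy list, and reports when a static NAT mapping explains the mismatch. All addresses are constructed placeholders from RFC 5737 documentation ranges.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed log line in the same form as the one quoted in the post.
LOG_LINE = "Tunnel rejected: Policy not found for Src:203.0.113.10, Dst: 198.51.100.5!"

# Hypothetical policy table on the central (Answer-only) box:
# (name, remote proxy network, local proxy network).
# The backup /32-to-/32 SA uses the concentrator's inside public-interface
# address, not the global address the NAT gateway presents to the remote peer.
POLICIES = [
    ("backup-l2l-remote", "203.0.113.10/32", "10.0.0.5/32"),
    ("l2l-subnets", "192.168.10.0/24", "192.168.20.0/24"),
]

# Hypothetical static NAT table on the DMZ gateway: global IP -> inside IP.
STATIC_NAT = {"198.51.100.5": "10.0.0.5"}

LOG_RE = re.compile(r"Policy not found for Src:\s*(\S+?),\s*Dst:\s*(\S+?)!")


def parse_rejection(line):
    """Extract (src, dst) proxy addresses from a 'Policy not found' line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return ip_address(m.group(1)), ip_address(m.group(2))


def find_policy(policies, src, dst):
    """Return the first policy whose remote/local networks cover the proxy IDs."""
    for name, remote, local in policies:
        if src in ip_network(remote) and dst in ip_network(local):
            return name
    return None


def diagnose(line, policies=POLICIES, static_nat=STATIC_NAT):
    """Classify a rejection: policy present, NAT mismatch, or genuinely no policy."""
    parsed = parse_rejection(line)
    if parsed is None:
        return "no rejection found"
    src, dst = parsed
    if find_policy(policies, src, dst):
        return "policy present"
    inside = static_nat.get(str(dst))
    if inside and find_policy(policies, src, ip_address(inside)):
        return f"NAT mismatch: peer proposed global {dst}, policy only knows inside {inside}"
    return "no matching policy"
```

Running `diagnose(LOG_LINE)` on the constructed line attributes the rejection to the NAT translation rather than to a missing tunnel definition, which is the distinction the post is making.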