08-30-2010 07:07 PM
I am attempting to build a GRE tunnel running over IPsec through a NAT device, exposing my hub router with a static NAT address. The ISAKMP SA appears to go to QM_IDLE for a little while, but then the tunnel-building process starts again and it goes to MM_NO_STATE while another session goes to QM_IDLE. The EIGRP neighbor never comes up. This works over the Internet to this same public IP address, but not over this MPLS network via the static-NATted address. I think I am missing something really simple but can't put my finger on it.
The hub router has a public IP address that I am NATting to 10.52.254.192 to expose it onto the MPLS network; the NAT device is a Checkpoint firewall. The "spoke" router has a private address that is routable from end to end. Below are my configs:
**********************************SPOKE ROUTER***************************************************
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 36000
crypto isakmp key <KEY> address 10.52.254.192
interface Tunnel3
bandwidth 1544
ip address 10.48.3.3 255.255.255.0
ip mtu 1400
ip pim sparse-dense-mode
ip nhrp authentication GMACI
ip nhrp map multicast 10.52.254.192
ip nhrp map 10.48.1.1 10.52.254.192
ip nhrp map 10.48.3.1 10.52.254.192
ip nhrp network-id 48003
ip nhrp holdtime 360
ip nhrp nhs 10.48.2.1
ip nhrp cache non-authoritative
delay 1000
shutdown
qos pre-classify
tunnel source GigabitEthernet0/1.500
tunnel destination 10.52.254.192
tunnel key 48003
tunnel protection ipsec profile vpnprof1
interface GigabitEthernet0/1.500
encapsulation dot1Q 500
ip address 10.30.20.254 255.255.255.0
*******************************HUB ROUTER*********************
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
lifetime 36000
crypto isakmp key <KEY> address 10.30.20.254
interface Tunnel3
bandwidth 45000
ip address 10.48.3.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GMACI
ip nhrp map multicast dynamic
ip nhrp network-id 48003
ip nhrp holdtime 360
ip nhrp server-only
no ip split-horizon eigrp 1
delay 1000
qos pre-classify
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 48003
tunnel protection ipsec profile vpnprof1
hold-queue 4096 in
ip rsvp bandwidth 20000 1500
interface FastEthernet0/1
*****THIS ADDRESS HAS A STATIC NAT AT THE FW TO 10.52.254.192***********
ip address <PUBLIC-ADDR> 255.255.255.0
crypto map VDM_CMAP_0
hold-queue 1500 in
ip rsvp bandwidth 20000 1500
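The symptom in the post above (one ISAKMP SA in QM_IDLE, a second negotiation for the same peer appearing in MM_NO_STATE, then the cycle repeating) is easiest to confirm from `show crypto isakmp sa` on both ends, where a single peer pair ends up with several SAs. The script below is an added example, not part of the original thread or any Cisco tool: it parses that output and classifies each peer pair. The sample output lines are constructed to reproduce the described pattern (and a healthy case for contrast); the column layout is assumed to follow the IOS 12.4 `show crypto isakmp sa` format.

```python
"""Triage `show crypto isakmp sa` output for a flapping IKE SA.

Added example, not from the original thread. A peer whose SA reaches QM_IDLE
and then starts a fresh main-mode negotiation (MM_NO_STATE) while the old SA
lingers shows up as several rows for the same (dst, src) pair.
"""
import re
from collections import defaultdict

# Constructed sample: one peer pair with two live SAs and two deleted ones,
# modelled on the hub (10.52.254.192) and spoke (10.30.20.254) in the post.
FLAPPING = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.52.254.192   10.30.20.254    QM_IDLE           1003 ACTIVE
10.52.254.192   10.30.20.254    MM_NO_STATE       1004 ACTIVE
10.52.254.192   10.30.20.254    QM_IDLE           1001 ACTIVE (deleted)
10.52.254.192   10.30.20.254    MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# Constructed sample: the healthy case, a single established SA.
STABLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.52.254.192   10.30.20.254    QM_IDLE           1001 ACTIVE
"""

# One SA row: dst, src, state, conn-id, status (status may be "ACTIVE (deleted)").
ROW = re.compile(
    r"^(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+(?P<status>\S.*?)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["conn"] = int(row["conn"])
        row["deleted"] = "deleted" in row["status"]
        rows.append(row)
    return rows


def triage(rows):
    """Classify each (dst, src) peer pair.

    stable          exactly one live SA and it is QM_IDLE
    flapping        a live QM_IDLE next to a live MM_NO_STATE (a new
                    negotiation on top of an established SA), or deleted
                    SAs still lingering next to a live one
    phase1_failing  live SAs exist but none has reached QM_IDLE
    """
    by_peer = defaultdict(list)
    for r in rows:
        by_peer[(r["dst"], r["src"])].append(r)

    report = {}
    for peer, sas in by_peer.items():
        live = [s["state"] for s in sas if not s["deleted"]]
        deleted = sum(1 for s in sas if s["deleted"])
        if live == ["QM_IDLE"] and deleted == 0:
            verdict = "stable"
        elif "QM_IDLE" in live and ("MM_NO_STATE" in live or deleted):
            verdict = "flapping"
        elif live and "QM_IDLE" not in live:
            verdict = "phase1_failing"
        else:
            verdict = "unknown"
        report[peer] = {"live": live, "deleted": deleted, "verdict": verdict}
    return report


if __name__ == "__main__":
    for name, text in (("flapping", FLAPPING), ("stable", STABLE)):
        for peer, info in triage(parse_isakmp_sa(text)).items():
            print(name, peer, info)
```

Run it against the pasted output of `show crypto isakmp sa` from the hub and the spoke; a DMVPN peer that is up should show exactly one QM_IDLE row per pair. A "flapping" verdict only tells you that Phase 1 keeps restarting, not why, so the next step is still `debug crypto isakmp` on the side that initiates.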
08-31-2010 09:47 AM
I see one typo under your spoke configuration.
ip nhrp nhs 10.48.2.1
It should be 'ip nhrp nhs 10.48.3.1'.
08-31-2010 02:43 PM
As far as I understand, you are doing IPsec encapsulation before you do the NAT, so NAT is actually modifying your IP packet and it would fail when it reaches the recipient on the far end. Here's a good explanation from Cisco on the NAT impact on IPsec:
Thanks
Manish
09-01-2010 05:40 AM
Thanks to both of you for your help.
I fixed my typo and took IPsec off and it is working fine now. This is going across an MPLS network, so encryption really is not needed.
Thanks again.