I am attempting to build a GRE tunnel running over IPsec through a NAT device, exposing my hub router with a static NAT address. The ISAKMP SA appears to go to QM_IDLE for a little while, but then the tunnel-building process starts again and it goes to MM_NO_STATE while another session goes to QM_IDLE. The EIGRP neighbor never comes up. This works over the internet to this same public IP address, but not over this MPLS network via the static-NATted address. I think I am missing something really simple but can't put my finger on it.
The hub router has a public IP address that I am NATting to a 10.52.254.192 address to expose it onto an MPLS network; the NAT device is a Checkpoint firewall. The "spoke" router has a private address that is routable from end to end. Below are my configs:
interface Tunnel3
 bandwidth 45000
 ip address 10.48.3.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication GMACI
 ip nhrp map multicast dynamic
 ip nhrp network-id 48003
 ip nhrp holdtime 360
 ip nhrp server-only
 no ip split-horizon eigrp 1
 delay 1000
 qos pre-classify
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 48003
 tunnel protection ipsec profile vpnprof1
 hold-queue 4096 in
 ip rsvp bandwidth 20000 1500

*****THIS ADDRESS HAS A STATIC NAT AT FW TO 10.52.254.192***********
 ip address <PUBLIC-ADDR> 255.255.255.0
 crypto map VDM_CMAP_0
 hold-queue 1500 in
 ip rsvp bandwidth 20000 1500
As far as I understand, you are doing IPsec encapsulation before you do the NAT, so NAT is actually modifying your IP packet and it would fail when it reaches the recipient on the far end. Here's a good explanation from Cisco on the NAT impact on IPsec:
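The encapsulation order described in the reply, as an added model that is not part of the original post or reply: GRE is built first with the address of the hub's FastEthernet0/1 (the configured tunnel source), ESP tunnel mode wraps it, and only then the firewall's static NAT rewrites the outer header. The public address, the spoke address and the assumption that the spoke over MPLS peers with 10.52.254.192 are constructed for the example; the model ignores IKE and only tracks which header NAT can touch.

```python
from dataclasses import dataclass

HUB_PUBLIC = "203.0.113.10"   # placeholder for the post's <PUBLIC-ADDR>
HUB_NATTED = "10.52.254.192"  # static NAT address from the post
SPOKE = "10.52.7.5"           # constructed spoke address, routable end to end


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "gre" or "esp"
    payload: object = None   # inner Packet for ESP, opaque data for GRE


def gre_encapsulate(tunnel_src, tunnel_dst, data):
    # GRE header carries the real interface address as its source
    return Packet(tunnel_src, tunnel_dst, "gre", data)


def ipsec_encapsulate(local, peer, inner):
    # ESP tunnel mode: new outer header; the inner packet is encrypted and
    # cannot be rewritten by anything between the two IPsec endpoints
    return Packet(local, peer, "esp", inner)


def static_nat(pkt, real, translated):
    # The firewall sees only the cleartext outer header and rewrites that
    src = translated if pkt.src == real else pkt.src
    return Packet(src, pkt.dst, pkt.proto, pkt.payload)


def spoke_receive(pkt, expected_peer):
    """Spoke's view after decryption: outer ESP source vs. inner GRE source."""
    inner = pkt.payload
    return {
        "esp_from": pkt.src,
        "gre_from": inner.src,
        "gre_source_matches_peer": inner.src == expected_peer,
    }


def hub_to_spoke_over_mpls():
    # Path from the post that fails: NAT between hub and the MPLS network
    gre = gre_encapsulate(HUB_PUBLIC, SPOKE, b"EIGRP hello")
    esp = ipsec_encapsulate(HUB_PUBLIC, SPOKE, gre)
    return spoke_receive(static_nat(esp, HUB_PUBLIC, HUB_NATTED), HUB_NATTED)


def hub_to_spoke_over_internet():
    # Path from the post that works: no NAT, spoke peers with the public address
    gre = gre_encapsulate(HUB_PUBLIC, SPOKE, b"EIGRP hello")
    esp = ipsec_encapsulate(HUB_PUBLIC, SPOKE, gre)
    return spoke_receive(esp, HUB_PUBLIC)
```

Over the MPLS path the outer ESP source arrives as 10.52.254.192 while the decrypted GRE source is still the public address, so a spoke that expects GRE from 10.52.254.192 does not get a matching packet; over the internet both addresses agree.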