IPSEC using port 500 vice 4500 for tunnel!

kidseven112002
Level 1

Please help!! I am currently trying to install a C819G router that needs to build an IPSEC tunnel with a private IP. When I do a sh crypto IPSEC sa and do a debug, it is automatically trying to build using port 500. I know it needs to be port 4500, but I don't know how to force it to. There is no NAT list on my router, as I am getting my IP via DHCP.

4 Replies

Dinesh Moudgil
Cisco Employee

The first thing you need to make sure of is that you have the following command:

crypto ipsec nat-transparency udp-encapsulation

Secondly, make sure the other router ahead of this device is doing one-to-one NAT for this IP.
As long as the crypto map is applied to the correct interface, we should see the correct UDP port.

If this does not help, can you please share complete debugs (do sanitize the IPs accordingly) where we see only UDP 500 communication?

Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

So I think it's something happening at our ISP blocking the traffic. I was running the sh crypto ipsec sa command, when I should have been doing the sh crypto ikev2 sa command. When doing the debug I see the traffic trying to pass, but it doesn't look like the return traffic is making it. My distant end is seeing me hit their router, but my debug is showing the error as "IKEV2-ERROR:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached" and "IKEV2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed"...

If you do see retransmissions, then it could very well mean that we are trying to send the request but are not getting any reply.

You might want to take an Embedded Packet Capture to see whether you are really getting any response from the remote side, and if that is the case, reach out to the ISP to confirm why that would be.

Regards
Dinesh Moudgil

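An added triage helper, not from this thread or from Cisco, that applies the two replies above to a packet-capture summary: it counts IKE packets sent and received on UDP 500 and 4500 between the router and its peer and reports whether the initial exchange is going unanswered (the retransmission case) or whether the switch to NAT-T on 4500 happened. The tcpdump-style line format and the 192.0.2.x / 198.51.100.x addresses are constructed assumptions for the example, not real Embedded Packet Capture output.

```python
import re
from collections import Counter

IKE_PORT, NAT_T_PORT = 500, 4500
# Matches tcpdump-style summary lines; the format and addresses are constructed for
# this example, not real Embedded Packet Capture output.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def parse_capture(lines):
    """Yield (src, sport, dst, dport) for every line that looks like a flow summary."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            yield src, int(sport), dst, int(dport)

def triage_ike(lines, local_ip, peer_ip):
    """Classify the IKE/NAT-T exchange. IKE always starts on UDP 500 and moves to
    4500 only after NAT is detected in IKE_SA_INIT, so a one-way stream of UDP 500
    packets means the initial exchange is unanswered, not that NAT-T is missing."""
    counts = Counter()
    for src, sport, dst, dport in parse_capture(lines):
        if src == local_ip and dst == peer_ip and dport in (IKE_PORT, NAT_T_PORT):
            counts[("sent", dport)] += 1
        elif src == peer_ip and dst == local_ip and sport in (IKE_PORT, NAT_T_PORT):
            counts[("recv", sport)] += 1
    if not counts[("sent", IKE_PORT)] and not counts[("sent", NAT_T_PORT)]:
        verdict = "no_ike_sent"    # crypto map not applied or interesting traffic not matching
    elif not counts[("recv", IKE_PORT)] and not counts[("recv", NAT_T_PORT)]:
        verdict = "no_reply_500"   # IKE_SA_INIT retransmitted into silence: path drops UDP 500
    elif not counts[("sent", NAT_T_PORT)]:
        verdict = "stayed_on_500"  # no NAT detected, or NAT-T disabled on one side
    elif not counts[("recv", NAT_T_PORT)]:
        verdict = "no_reply_4500"  # peer answered on 500 but UDP 4500 is filtered on the path
    else:
        verdict = "nat_t_ok"
    return verdict, dict(counts)

# Constructed capture showing the thread's symptom: IKE_SA_INIT retransmitted, no reply.
BLOCKED = [
    "IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]",
    "IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]",
]
# Constructed healthy exchange: init on 500, NAT detected, IKE_AUTH moves to 4500.
HEALTHY = [
    "IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]",
    "IP 198.51.100.1.500 > 192.0.2.10.500: isakmp: parent_sa ikev2_init[R]",
    "IP 192.0.2.10.4500 > 198.51.100.1.4500: isakmp: child_sa ikev2_auth[I]",
    "IP 198.51.100.1.4500 > 192.0.2.10.4500: isakmp: child_sa ikev2_auth[R]",
]
```

A "no_reply_500" verdict is the case to take to the ISP, since the router is sending but nothing comes back; "no_reply_4500" points at UDP 4500 being filtered after a successful IKE_SA_INIT.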

Issue resolved. Our ISP, although allowing our traffic and the applicable ports, had their FW in IPS mode and changed it to IDS. Once that was done, the tunnel came up. Not sure why their FW in IPS mode didn't allow the tunnel to come up even though the rule was put in correctly. Anyway, the issue was found. Thank you for your assistance.

KC
