
IPsec Using Private Addresses

lxcollin1
Level 1

Hello,

I have a router behind a firewall and I would like to set up a VPN to the router. The router uses only private 10.x space and I would like it to peer IPsec using its loopback IP. The firewall provides a static NAT for the router loopback. I have also opened UDP 500 and UDP 4500 for ISAKMP and NAT traversal. I can get Phase I up, but Phase II cannot come up. It looks to be a problem with using private IP space as the peering source.

Can an IPsec VPN be set up on a router that uses only private IP space which is NATed on a different device?

Thanks,

Lee

2 Replies

Richard Burts
Hall of Fame

Lee

I have not done quite the thing that you describe, so I cannot speak from experience. But from my understanding it should be possible. If NAT is done on the firewall (between the router and its peer) it should be transparent to the router. And if you can get phase 1 to work, then I think this verifies that it should be possible.

If you get phase 1 but not phase 2, I would guess that the problem may be that the firewall is allowing ISAKMP but is not allowing ESP (and/or AH). Check and see if the IPsec protocols are allowed through the firewall and let us know.

HTH

Rick


Hello Lee,

In addition to the static, you will have to modify your ACL on the outside (eventually on the inside interface too) in order to permit the ESP and AH protocols between the remote IP and the static outside IP.

Check PIX firewall config on this sample config

http://www.cisco.com/warp/public/707/ipsecnat.html

Hope this helps ... rate if it does!

Regards!
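Both replies point at the same check: phase 1 is IKE on UDP 500 (or UDP 4500 once NAT-T is detected), while phase 2 traffic is ESP or AH, or ESP carried inside UDP 4500 when NAT-T is negotiated, and the firewall between the router and its peer must pass whichever of those is in use. The Python below is an added example (not from this thread or from Cisco) that classifies raw IPv4 packets into those components and reports which one never shows up; the packets, addresses and SPIs are constructed, not a real capture.

```python
import struct
from collections import Counter

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51     # IPv4 protocol numbers
ISAKMP_PORT, NAT_T_PORT = 500, 4500             # IKE and NAT-T UDP ports

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the IPsec component it belongs to."""
    ihl = (pkt[0] & 0x0F) * 4                   # IPv4 header length in bytes
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_AH:
        return "ah"
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]                      # skip the 8-byte UDP header
        if ISAKMP_PORT in (sport, dport):
            return "isakmp"
        if NAT_T_PORT in (sport, dport):
            # RFC 3948: IKE on UDP 4500 starts with a 4-byte zero "non-ESP
            # marker"; UDP-encapsulated ESP starts with its SPI, never zero.
            return "nat-t-ike" if data[:4] == bytes(4) else "nat-t-esp"
    return "other"

def diagnose(packets) -> tuple:
    """Count the components seen and say whether phase 2 traffic ever passed."""
    counts = Counter(classify(p) for p in packets)
    phase1 = counts["isakmp"] + counts["nat-t-ike"] > 0
    data_plane = counts["esp"] + counts["ah"] + counts["nat-t-esp"] > 0
    if phase1 and not data_plane:
        verdict = "IKE seen but no ESP/AH/NAT-T ESP: firewall likely drops proto 50/51 or UDP 4500"
    elif phase1:
        verdict = "IKE and data plane both seen"
    else:
        verdict = "no IKE traffic at all: check UDP 500/4500 and the static NAT"
    return counts, verdict

# --- constructed sample packets: private loopback behind NAT talking to a peer ---
def ipv4(proto: int, payload: bytes) -> bytes:
    src, dst = bytes([10, 1, 1, 1]), bytes([203, 0, 113, 5])    # made-up addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLE = [
    ipv4(PROTO_UDP, udp(500, 500, b"\x11" * 28)),                          # ISAKMP
    ipv4(PROTO_UDP, udp(4500, 4500, bytes(4) + b"\x22" * 28)),            # IKE via NAT-T
    ipv4(PROTO_UDP, udp(4500, 4500, b"\x00\x00\x12\x34" + b"\x33" * 16)),  # ESP in UDP, SPI 0x1234
    ipv4(PROTO_ESP, b"\x00\x00\xab\xcd" + b"\x44" * 16),                   # native ESP, SPI 0xabcd
]
```

Feed `diagnose()` packets captured on the firewall's outside interface; if only the IKE categories appear while the router reports phase 2 failing, the ESP/AH or UDP 4500 permit is the thing to look at.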