10-14-2007 05:48 PM - edited 02-21-2020 03:19 PM
wonder if someone can explain this:
LanA--Ra---CheckpointNGx_Fw---Rb--LanB
Both Ra and Rb are using version 12.2(15)T17. Ra ip address is 192.168.1.2 and it is NATted by the checkpoint to be 129.174.1.2. Rb ip address is 129.174.1.3. IPSec is between Ra and Rb for LanA and LanB. Straightforward IPSec between Ra and Rb, no GRE whatsoever.
On the checkpoint firewall, I have static NAT for Ra from 192.168.1.2 to 129.174.1.2 and I have a rule on the firewall to allow EVERYTHING through the firewall.
On the router, I explicitly put in the following command:
crypto ipsec nat-transparency udp-encapsulation
The VPN between Ra and Rb is working and traffic between Ra and Rb is working; however, tcpdump on the checkpoint firewall reveals that the routers are using ESP (proto 50) instead of NAT-T (udp/4500).
I thought that if the VPN device detects that it is behind a NAT device, it will use nat-t instead of ESP. Furthermore, the command I put into the router should be enough to tell the routers to use udp/4500.
I asked Cisco about this before but they didn't have an answer for me either.
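The NAT detection the poster refers to is the IKEv1 NAT-D exchange from RFC 3947: each peer sends HASH(CKY-I | CKY-R | IP | Port) for the address it is sending to and for its own source address, and the receiver recomputes both over the addresses it actually sees on the wire. The following Python is an added illustration of that mechanism, not code from the thread or from Cisco; it uses the thread's addresses (192.168.1.2 static-NATted to 129.174.1.2, peer 129.174.1.3), assumes SHA-1 as the negotiated hash, and uses made-up ISAKMP cookies. It also runs the reverse direction (Rb to Ra) to show that both peers learn about the NAT from the same exchange.

```python
import hashlib
import ipaddress
import struct

# Constructed values based on the thread: Ra's private address, the static NAT
# address the Checkpoint gives it, and Rb's public address. The ISAKMP cookies
# are made up for the example.
RA_PRIVATE = "192.168.1.2"
RA_NATTED = "129.174.1.2"
RB_PUBLIC = "129.174.1.3"
IKE_PORT = 500
CKY_I = bytes.fromhex("0011223344556677")  # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload contents per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    IKEv1 uses whatever hash the phase 1 proposal negotiated; SHA-1 is
    assumed here for the example."""
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """What a peer puts into its NAT-D payloads: first a hash of the address it
    is sending to, then a hash of its own source address as it sees it
    (the pre-NAT address when the peer sits behind a NAT)."""
    return {
        "remote": nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        "local": nat_d_hash(cky_i, cky_r, local_ip, local_port),
    }


def detect_nat(cky_i, cky_r, received, seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver side: recompute both hashes over the addresses actually seen on
    the wire and compare them with what the sender claimed.

    - sender's 'local' hash mismatch  -> the sender is behind a NAT
    - sender's 'remote' hash mismatch -> the receiver itself is behind a NAT
    Either mismatch means the peers should switch to UDP encapsulation."""
    sender_behind_nat = received["local"] != nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    receiver_behind_nat = received["remote"] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    return {
        "sender_behind_nat": sender_behind_nat,
        "receiver_behind_nat": receiver_behind_nat,
        "use_nat_t": sender_behind_nat or receiver_behind_nat,
    }


def thread_scenario():
    """Ra (behind the Checkpoint's static NAT) sends NAT-D to Rb; Rb evaluates it.
    The static NAT rewrites the source address to 129.174.1.2 and leaves UDP/500."""
    ra_payloads = build_nat_d_payloads(CKY_I, CKY_R, RA_PRIVATE, IKE_PORT, RB_PUBLIC, IKE_PORT)
    return detect_nat(CKY_I, CKY_R, ra_payloads, RA_NATTED, IKE_PORT, RB_PUBLIC, IKE_PORT)


def reverse_direction_scenario():
    """Rb sends NAT-D to Ra. Rb hashes the address it knows (129.174.1.2), but
    Ra sees the packet arrive on its real interface address 192.168.1.2, so the
    'remote' hash mismatches and Ra learns that it is the one behind a NAT."""
    rb_payloads = build_nat_d_payloads(CKY_I, CKY_R, RB_PUBLIC, IKE_PORT, RA_NATTED, IKE_PORT)
    return detect_nat(CKY_I, CKY_R, rb_payloads, RB_PUBLIC, IKE_PORT, RA_PRIVATE, IKE_PORT)


def no_nat_scenario():
    """Control case: the same exchange with no address rewriting in the path."""
    rb_payloads = build_nat_d_payloads(CKY_I, CKY_R, RB_PUBLIC, IKE_PORT, RA_NATTED, IKE_PORT)
    return detect_nat(CKY_I, CKY_R, rb_payloads, RB_PUBLIC, IKE_PORT, RA_NATTED, IKE_PORT)


if __name__ == "__main__":
    print("Ra -> Rb through static NAT:", thread_scenario())
    print("Rb -> Ra through static NAT:", reverse_direction_scenario())
    print("No NAT in path:             ", no_nat_scenario())
```

The NAT-D payloads are only exchanged when both peers advertised NAT-T support with the RFC 3947 vendor ID in the first phase 1 messages; a peer that never sends the vendor ID never gets to the comparison above, and the SA stays on raw ESP however the local side is configured.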
10-19-2007 09:21 AM
Turning on this command turns on NAT-T on the router. Try a sniffer between router and the NAT-T device to check if NAT-T really works. Also make sure client supports it .
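The sniffer check suggested in this reply is easy to turn into a repeatable test. The Python below is an added example, not part of the thread: it reads tcpdump-style summary lines, groups them by peer pair, and reports whether the pair is carrying raw ESP (IP protocol 50), UDP-encapsulated ESP on 4500, or only IKE. The capture text is constructed for the example in the format tcpdump uses for ISAKMP, ESP and UDP-encap lines, with Ra seen on the outside of the Checkpoint as 129.174.1.2.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture). The first five show an
# SA running on raw ESP; the last shows what a NAT-T SA looks like on the wire.
SAMPLE_CAPTURE = """\
10:01:00.000100 IP 129.174.1.2.500 > 129.174.1.3.500: isakmp: phase 1 I ident
10:01:00.000900 IP 129.174.1.3.500 > 129.174.1.2.500: isakmp: phase 1 R ident
10:01:01.000100 IP 129.174.1.2 > 129.174.1.3: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
10:01:01.000500 IP 129.174.1.3 > 129.174.1.2: ESP(spi=0x5e6f7a8b,seq=0x1), length 116
10:01:02.000100 IP 129.174.1.2 > 129.174.1.3: ESP(spi=0x1a2b3c4d,seq=0x2), length 132
10:05:00.000100 IP 129.174.1.2.4500 > 129.174.1.3.4500: UDP-encap: ESP(spi=0x9c0d1e2f,seq=0x1), length 124
"""

# timestamp, "IP", src[.port] > dst[.port]: rest-of-line
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify_line(line):
    """Return (peer_pair, kind) for one tcpdump line, or None if it is not IKE/IPsec."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, rest = m["src"], m["dst"], m["rest"]
    ports = (m["sport"], m["dport"])
    pair = tuple(sorted((src, dst)))  # direction-agnostic peer pair
    if rest.startswith("UDP-encap:") and "4500" in ports:
        return pair, "nat_t_esp"  # ESP carried inside UDP/4500
    if rest.startswith("ESP("):
        return pair, "raw_esp"  # IP protocol 50 directly on the wire
    if "isakmp:" in rest:
        return pair, "ike_udp4500" if "4500" in ports else "ike_udp500"
    return None


def summarize(capture_text):
    """Count packet kinds per peer pair."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in capture_text.splitlines():
        result = classify_line(line)
        if result:
            pair, kind = result
            counts[pair][kind] += 1
    return {pair: dict(kinds) for pair, kinds in counts.items()}


def verdict(kinds):
    """One-line reading of a peer pair's traffic mix."""
    raw, encap = kinds.get("raw_esp", 0), kinds.get("nat_t_esp", 0)
    if raw and not encap:
        return "ESP only: data traffic is not UDP-encapsulated"
    if encap and not raw:
        return "UDP/4500 only: NAT-T is in use"
    if raw and encap:
        return "mixed: raw ESP and UDP/4500 both seen, compare SA lifetimes/rekeys"
    return "no ESP seen: phase 2 not established in this capture"


if __name__ == "__main__":
    for pair, kinds in summarize(SAMPLE_CAPTURE).items():
        print(f"{pair[0]} <-> {pair[1]}: {kinds} -> {verdict(kinds)}")
```

Run it against `tcpdump -n` output taken on the segment between the router and the NAT device; if `tcpdump` was run with `-nn` the port numbers appear exactly as the regex expects. A pair that shows IKE on UDP/500 followed by raw ESP, and never moves IKE to UDP/4500, did not negotiate NAT-T in that phase 1.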
10-26-2007 07:43 AM
debug on routers doesn't tell me anything I didn't already know.
Any other advice? Thanks.