Thanks for the response. I am really hoping to get a better understanding of how this all works.

(My Router )--Private IP Network->(CTR500)---public--->(((INTERNET)))<---public---(VPN Router)<----public----(Company Network)

Here is my routers config with the crypto map off. With the crytpo map on I just remove the nat statements from the interfaces and add the crypto map aesmap statement to fa 0/0. I must do this because of my need to have dhcp and i get no dhcp with the crypto map on. Also you will see i changed my ip route from fa 0/0 to dhcp, is this the best way to have my IP route?

Current configuration : 1917 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Kit7
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address XX.XX.XX.XX XX.XX.XX.XX

!
ip dhcp pool DHCP_KIT_7
   network XXX.XXX.XXX.XXX 255.255.255.240
   dns-server XXX.XXX.XX.XX 8.8.8.8
   default-router XXX.XXX.XXX.XXX   lease 3
!
!
no ip domain lookup
ip domain name XXXXXXX.XXX.XXXXX.XXXXX

ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
username ******* privilege 15 password 0 ********

username ******* privilege 15 password 0 ********

archive
log config
  hidekeys
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key ********  address XXX.XXX.XX.XX

!
!
crypto ipsec transform-set AES-SET esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer XXX.XX.XX.XXX
set transform-set AES-SET
match address acl_vpn
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface Vlan1
ip address XX.XX.XX.XX 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
!
ip access-list extended acl_vpn
permit ip any any
!
access-list 1 permit XXX.XX.0.0 0.0.255.255
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
password cisco
login
!
end

NAT- Transversal, I have tried to do some google searching but not much avail, can anyone point me to some documents that can help explain what it is and how it will work in my situation.

Kit7#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
XXX.XXX.XXX.XXX   192.168.0.196   MM_KEY_EXCH       1005    0 ACTIVE
XXX.XXX.XXX.XXX   192.168.0.196   MM_KEY_EXCH       1004    0 ACTIVE
XXX.XXX.XXX.XXX   192.168.0.196   MM_NO_STATE       1003    0 ACTIVE (deleted)
XXX.XXX.XXX.XXX   192.168.0.196   MM_NO_STATE       1002    0 ACTIVE (deleted)

Kit7#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: aesmap, local addr 192.168.0.196

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer XXX.XXX.XXX.XXX port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 349, #recv errors 0

     local crypto endpt.: 192.168.0.196, remote crypto endpt.: XXX.XXX.XXX.XXX
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Brandon,

Re NAT-T

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_nat_transp_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1027186

Re. route:

Normally default gateway has a staic even if rc1918 IP. So pointing default route throuh that IP is best.

Your tunnels are stuck in MM KEY EXCHANGE - ie. mainmode 5 and mainmode 6 so no IPsec SPI will be up yet, it sill needs to finish IKE.

Two main things are done in MM5 and MM6.:

- floating to nat-traversal port (udp/4500)

- exchanging keys

Please check if cradle point passes udp/4500 and if keys match on both sides of the tunnel.

One thing I also did notice is that you nat everything.

ip nat inside source list 102 interface FastEthernet0/0 overload

access-list 102 permit ip any any

and also want everything to be sent through tunnel.

crypto map aesmap 10 ipsec-isakmp
set peer XXX.XX.XX.XXX
set transform-set AES-SET
match address acl_vpn

ip access-list extended acl_vpn
permit ip any any

That's sort of odd. Please remember that NAT is done before encryption so you will nat ALL your traffic before it gets to tunnel.

I have my doubts if the other side will accept any any as proxy ID... I would try to be as specific as I can.

Does cradlepoint have  public IP which is staticly assigned or also dynamic?

I would like to have a look at headend device too, I'm curious how it's configured.And look at debugs fro both sides:

- deb cry isa

- deb cry ipsec

Marcin

As far as NAT goes I turn it off when I turn my crypto map on. Everything works great when I have a public IP address such as from dsl or cable modem. The cradlepoint has a public IP dynamicly assigned (166.XX.XX.XX), and I have the address that it gives my router in the cradlepoints DMZ so I am assuming it should be passing all TCP and UDP traffic to my router to include UDP 4500? Also the cradlepoint has a Layer 7 service that handles IPSec traffic passthrough i think called AGL or something like that (I have tested with it turned on and off).  As I mentioned before my setup currently uses a Sonicwall TZ 100 for the router and it hooks up to the cradlepoint fine and builds a tunnel and works flowlessly. With that said we would really like to rebuild 10 of our kits to replace the sonicwall (and its gui interface) with cisco 3950 routers. So my thought proccess is that if the sonicwall can communicate with the VPN router which is a cisco 2800 series router that I should be able to switch it out with a cisco router and configure it to work just as well if not better then the Sonicwall as I now would have two cisco products talking to each other. I think right now my mind is stuck at that My traffic is leaveing my router with a source address of 192.168.0.1 and dest address of XXX.XX.XX.XX, the traffic get to the VPN router and can not come back to the private source address and it sounds like the NAT-T service that you informed me of is designed just for this reason? I want to thank you for taking time out of your day to communicate with me and provide me with some of your knowledge.

Marcin,

     I just wanted to post an update on here just in case anyone else was viewing and was having the same problem. The issue was with NAT-T and the fix was to simply add the following statement "crypto ipsec nat-transparency spi-matching". By default the "crypto ipsec nat-transparency udp-encapsulation" is the only NAT-T command enabled. All my test so far was with my cisco router added to the DMZ of the device performing NAT. Again, Thanks!

Brandon