08-29-2006 07:05 AM
I configured a lan-to-lan between my concentrator and an IOS router .
Everything is OK when my partner establishes the connection but i'm unable to do it.
When I uncheck "IPSec over NAT-T" on my VPN3000 then i can establish the tunnel.
Any idea?
08-31-2006 08:17 PM
Hi,
Use NAT-T if you have PIX/ASA. Your setup is direct lan-to-lan from VPN3K to a router.
Rgds,
AK
09-04-2006 01:37 AM
Thanks for your help,
but I need to keep NAT-T activate on my concentrator for other connections (lan-to-lan and client) and that's my problem (IPSec NAT-T is unchecked in my lan-to-lan configuration).
Regards,
Morgan
09-05-2006 02:19 AM
Hi,
If you want to use NAT-T for other LAN-to-LAN & client and need to disable for specific this IOS LAN-to-LAN, then on other end of peer router use following command.
"no crypto ipsec nat-transparency udp-encapsulation".
So Now other end of the router will not use NAT-T, so both end will never agreed to use NAT-T and this tunnel will never use NAT-T.
Thanks,
Mustafa
09-22-2006 07:24 AM
Thanks Mustapha,
we tried to use the command:
"no crypto ipsec nat-transparency udp-encapsulation"
but nothing happenned (i think it was the 'by default config')
So we used the following command to come back:
"crypto ipsec nat-transparency udp-encapsulation"
and then i saw request on UDP 4500 and we were both unable to establish the tunnel.
It seems that the gateways cannot negotiate NAT-T!
Any Ideas?
Thanks,
Morgan
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: