
lan-to-lan issue between VPN3000 and IOS with NAT-T

morgsizun
Level 1

I configured a lan-to-lan between my concentrator and an IOS router.

Everything is OK when my partner establishes the connection but I'm unable to do it.

When I uncheck "IPSec over NAT-T" on my VPN3000 then I can establish the tunnel.

Any idea?

4 Replies

a.kiprawih
Level 7

Hi,

Use NAT-T if you have PIX/ASA. Your setup is direct lan-to-lan from VPN3K to a router.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801f0f0c.shtml

Rgds,

AK

Thanks for your help,

but I need to keep NAT-T activated on my concentrator for other connections (lan-to-lan and client) and that's my problem (IPSec NAT-T is unchecked in my lan-to-lan configuration).

Regards,

Morgan

Hi,

If you want to use NAT-T for other LAN-to-LAN & client connections and need to disable it for this specific IOS LAN-to-LAN, then on the other end, the peer router, use the following command.

"no crypto ipsec nat-transparency udp-encapsulation".

So now the other end, the router, will not use NAT-T, so both ends will never agree to use NAT-T and this tunnel will never use NAT-T.

Thanks,

Mustafa
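
The reasoning in the reply above (NAT-T is only used when both ends offer it), as an added Python example that is not part of any post in this thread: it models the RFC 3947 decision, where both peers must send the NAT-T vendor ID and the NAT-D hashes must reveal a NAT before IKE moves to UDP 4500. The function names, addresses and cookies are constructed for illustration, and the model follows the RFC, not VPN 3000 or IOS internals.

```python
import hashlib
import socket
import struct

# Vendor ID that advertises RFC 3947 NAT-T support: MD5 of the string "RFC 3947".
RFC3947_VID = hashlib.md5(b"RFC 3947").digest()

def nat_d(cky_i, cky_r, addr, hash_name="sha1"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    ip, port = addr
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def sent_nat_d(cky_i, cky_r, dst, src):
    """What a sender emits: NAT-D for the remote end first, then for itself."""
    return [nat_d(cky_i, cky_r, dst), nat_d(cky_i, cky_r, src)]

def decide(natt_enabled, peer_vids, cky_i, cky_r, my_addr, seen_peer, received):
    """Receiver's view: 'udp4500' if NAT-T is agreed and a NAT is detected, else 'esp'."""
    if not natt_enabled or RFC3947_VID not in peer_vids:
        return "esp"  # one side does not offer NAT-T, so it is never used
    dest_hash, *src_hashes = received
    me_natted = nat_d(cky_i, cky_r, my_addr) != dest_hash
    peer_natted = nat_d(cky_i, cky_r, seen_peer) not in src_hashes
    return "udp4500" if (me_natted or peer_natted) else "esp"

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I, CKY_R = bytes(range(8)), bytes(range(8, 16))
CONC = ("192.0.2.1", 500)              # concentrator, public address
ROUTER = ("198.51.100.7", 500)         # router reachable directly
ROUTER_PRIV = ("10.0.0.2", 500)        # router behind a NAT device...
ROUTER_NATTED = ("203.0.113.9", 1024)  # ...as the concentrator sees it

def demo():
    direct = sent_nat_d(CKY_I, CKY_R, CONC, ROUTER)
    natted = sent_nat_d(CKY_I, CKY_R, CONC, ROUTER_PRIV)
    return {
        "both_on_no_nat": decide(True, {RFC3947_VID}, CKY_I, CKY_R, CONC, ROUTER, direct),
        "both_on_nat": decide(True, {RFC3947_VID}, CKY_I, CKY_R, CONC, ROUTER_NATTED, natted),
        "peer_off_nat": decide(True, set(), CKY_I, CKY_R, CONC, ROUTER_NATTED, []),
        "local_off": decide(False, {RFC3947_VID}, CKY_I, CKY_R, CONC, ROUTER, direct),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```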

Thanks Mustafa,

we tried to use the command:

"no crypto ipsec nat-transparency udp-encapsulation"

but nothing happened (I think it was the 'by default config')

So we used the following command to come back:

"crypto ipsec nat-transparency udp-encapsulation"

and then I saw requests on UDP 4500 and we were both unable to establish the tunnel.

It seems that the gateways cannot negotiate NAT-T!

Any ideas?

Thanks,

Morgan
