Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Nat through IPSEC site-to-site VPN problem

I'm having a little bit of a problem getting a site-to-site VPN established using NAT through the tunnel, so maybe someone would be able to help me out.

The internal network behind my firewall needs to be hidden since the other company is already using a network address the same as our internal network address. When the other company issues a ping from their network to our network (the network that we configured to hide our actual internal network), the VPN tunnel gets established and they are able to receive replies to the ping. However, when we try to ping the other company's network from ours, the debug messages show that the VPN peer is added but then deleted and the ping is unsuccessful. I posted the relevant part of the config on our end and the debugging messages. All the ipsec parameters are in match on both ends. Any help would be appreciated. Thanks.

Our real internal - 192.168.2.0

Their internal - 172.29.0.0

Network for hiding real internal - 192.168.81.0

Conig

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list OTHER_COMPANY permit ip 192.168.81.0 255.255.255.0 172.29.0.0 255.255.0.0

access-list PRINTER1 permit ip host 192.168.2.240 172.29.0.0 255.255.0.0

access-list PRINTER2 permit ip host 192.168.2.12 172.29.0.0 255.255.0.0

access-list OTHER_COMPANY-NAT permit ip 192.168.2.0 255.255.255.0 172.29.0.0 255.255.0.0

.

.

global (outside) 2 interface

global (outside) 1 192.168.81.100

nat (inside) 0 access-list VPN

nat (inside) 1 access-list OTHER_COMPANY-NAT 0 0

nat (inside) 2 192.168.2.0 255.255.255.0 0 0

static (inside,outside) 192.168.81.240 access-list PRINTER1 0 0

static (inside,outside) 192.168.81.12 access-list PRINTER2 0 0

.

.

.

sysopt connection permit-ipsec

crypto ipsec transform-set STRONG-DES esp-3des esp-sha-hmac

crypto dynamic-map CISCO 4 set transform-set STRONG-DES

crypto map partner-map 15 ipsec-isakmp

crypto map partner-map 15 match address OTHER_COMPANY

crypto map partner-map 15 set peer {OTHER_COMPANY PUBLIC IP}

crypto map partner-map 15 set transform-set STRONG-DES

crypto map partner-map 15 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map partner-map 50 ipsec-isakmp dynamic CISCO

crypto map partner-map client authentication IASAUTH

crypto map partner-map interface outside

isakmp enable outside

isakmp key ******** address {OTHER_COMPANY PUBLIC IP} netmask 255.255.255.255 no-xauth

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 28800

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

2 REPLIES
New Member

Re: Nat through IPSEC site-to-site VPN problem

Debugging

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

ISAKMP (0:0): constructed HIS NAT-D

ISAKMP (0:0): constructed MINE NAT-D

ISAKMP (0:0): Detected port floating

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): NAT match MINE hash

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): NAT match HIS hash

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 495671930:1d8b5a7aIPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xc399bd41(3281632577) for SA

from {THEIR PUBLIC IP} to {OUR PUBLIC IP} for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:{THEIR PUBLIC IP}/500 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:{THEIR PUBLIC IP}/500 Ref cnt incremented to:1 Total VPN Peers:2

crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP}4 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 0, message ID = 2413798605

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:{THEIR PUBLIC IP}, dest:{OUR PUBLIC IP} spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 1208134764, spi size = 16

ISAKMP (0): deleting SA: src {OUR PUBLIC IP}, dst {THEIR PUBLIC IP}

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0xadf26c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:{THEIR PUBLIC IP}/500 Ref cnt decremented to:0 Total VPN Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:{THEIR PUBLIC IP}/500 Total VPN peers:1IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with {THEIR PUBLIC IP}

New Member

Re: Nat through IPSEC site-to-site VPN problem

Nevermind I figured out my problem. The access-lists were not completely the opposite than what they had configured on their end.

155
Views
0
Helpful
2
Replies
CreatePlease to create content