
need to disable ipsec nat-t on router

yuhuiyao
Level 1

All,

I will need to run ipsec in esp, what is the command to disable nat-t on a router? I have tried "no crypto ipsec nat-transparency udp-encaps" but still see packets in udp 4500.

Thanks,

7 Replies

Ivan Martinon
Level 7

That command disables it, however it disables the fact that the router will reply back on udp 4500, if the remote party (peer or client) has this feature enabled and nat is found on the path then it will still receive those packets.

Thanks for your reply. I have both sides configured with "no crypto ipsec nat-transparency udp-encaps". Still seeing UDP 4500. There are two NAT devices in the path.

This command disables the feature, please get the output of the show crypto ipsec sa and the debug cry isakmp.
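Rather than trusting the configuration, check what is actually on the wire at each hop. The following classifier is an added example for this thread (not code from the original posts or from Cisco): it parses raw IPv4 packets, as you would pull them out of a capture taken on the NAT device's outside interface, and tells native ESP (IP protocol 50) apart from IKE on UDP 500 and from the three kinds of UDP 4500 traffic defined in RFC 3948 (Non-ESP marker before IKE, UDP-encapsulated ESP, and the one-byte NAT keepalive). All packet bytes in it are constructed sample data, not a real capture.

```python
"""Tell native ESP apart from NAT-T (UDP 4500) on the wire.

Added example, not code from the original thread or from Cisco. The packets
below are constructed test data with zero checksums; the classifier ignores
checksums on purpose. Feed real captured frames (IP header onward) to
classify_ipv4()/summarize() to confirm whether "no crypto ipsec
nat-transparency udp-encaps" really produced plain ESP on a given segment.
"""
import struct
from collections import Counter

IPPROTO_ESP = 50
IPPROTO_UDP = 17
IKE_PORT = 500
NAT_T_PORT = 4500


def classify_ipv4(pkt: bytes) -> str:
    """Return 'esp', 'ike', 'nat-t-ike', 'nat-t-esp', 'nat-t-keepalive' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return "esp"                      # IP protocol 50: plain ESP, no UDP wrapper
    if proto != IPPROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport, ulen, _csum = struct.unpack("!HHHH", payload[:8])
    data = payload[8:ulen]
    if IKE_PORT in (sport, dport):
        return "ike"                      # IKE before any port float to 4500
    if NAT_T_PORT in (sport, dport):
        # RFC 3948: a single 0xFF byte is a NAT keepalive; four zero bytes (the
        # Non-ESP marker) precede an IKE message; anything else is the SPI of a
        # UDP-encapsulated ESP packet (SPI 0 is reserved, so it cannot collide).
        if data == b"\xff":
            return "nat-t-keepalive"
        if data[:4] == b"\x00\x00\x00\x00":
            return "nat-t-ike"
        return "nat-t-esp"
    return "other"


def summarize(packets):
    """Count packet kinds and flag whether NAT-T encapsulation is in use."""
    counts = Counter(classify_ipv4(p) for p in packets)
    nat_t_in_use = counts["nat-t-esp"] > 0 or counts["nat-t-ike"] > 0
    return dict(counts), nat_t_in_use


# Constructed sample packets (hypothetical addresses from the RFC 5737 ranges).
def _ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr + payload


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# 28-byte ISAKMP header: cookies, next payload, version 1.0, exchange, flags, msg id, length
ISAKMP_HDR = b"\x01" * 8 + b"\x02" * 8 + b"\x01\x10\x02\x00" + bytes(4) + struct.pack("!I", 28)

SAMPLE_PACKETS = [
    _ipv4(IPPROTO_UDP, _udp(500, 500, ISAKMP_HDR)),                          # IKE main mode
    _ipv4(IPPROTO_ESP, struct.pack("!II", 0xC0DE0001, 1) + b"\x11" * 32),    # native ESP
    _ipv4(IPPROTO_UDP, _udp(4500, 4500, b"\x00\x00\x00\x00" + ISAKMP_HDR)),  # IKE after float
    _ipv4(IPPROTO_UDP, _udp(4500, 4500, struct.pack("!II", 0xC0DE0002, 1) + b"\x22" * 32)),
    _ipv4(IPPROTO_UDP, _udp(4500, 4500, b"\xff")),                           # NAT keepalive
]

if __name__ == "__main__":
    counts, nat_t = summarize(SAMPLE_PACKETS)
    print(counts, "NAT-T in use:", nat_t)
```

If packets classified as nat-t-esp still show up after the command has been applied on both endpoints, the UDP 4500 traffic is being produced by something other than the local udp-encaps setting, which is the point Ivan makes above: the peer's NAT-T negotiation, not the local router, decides whether the tunnel floats to 4500. Capturing on both sides of each NAT device shows which hop introduces it.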

l.tating
Level 1

Hi yuhuiyao,

I have similar intentions in my network, but when I tried it in lab testing I still get IPSec packets encrypted and the tunnel built up even though I disabled ipsec nat-transparency on both routers. I tried a different router model and still get IPSec packets encrypted. You can see my scenario in this simple network diagram:

Note: my IOS 12.2 does not have NAT-T support yet.

Test 1:

R7(ios 12.2)--------------------(R3-nat device)-----------------------R8(ios 12.2)      Result: IPSec tunnel is established

Test 2: (typed no crypto ipsec nat-transparency udp-encaps on both IPSec ends)

R1(ios 12.4)--------------------(R7-nat device)-----------------------R3(ios 12.4)      Result: IPSec tunnel is established

Have you solved your problem already since March 2009?

Sincerely,

Lorenz

Hi Lorenz,

By tunnel established you mean IPSEC ESP tunnel or IPSEC NAT-T UDP 4500 tunnel?

Hi Ivan,

It is the IPSec ESP tunnel. I tried issuing the commands "no crypto ipsec nat-transparency udp-encaps" and "no crypto ipsec nat-transparency spi-matching" on both VPN endpoints.

I noticed, however, that when the NAT device is changed to PAT, the NAT-T feature begins to take part.

Is the NAT-T limited by PAT (interface overload) only?


Lorenz

Hi Ivan,

In my testing here are my findings:

Given the diagram:

R1(ipsec endpoint)(g0/0)--------------------R7(nat device)----------------------------R3(ipsec endpoint)

R7 translates R1's g0/0 IP address

1. Static NAT - don't care (this means when NAT-T is on, the packet is UDP-encapsulated; if not, then the usual encapsulation)
2. Static PAT (overload) - working (means NAT-T must be configured on both tunnel endpoints for udp-encaps)
3. Dynamic NAT - not working (no tunnel. IKE Phase 1 fails negotiation)(see debug outputs)

Could you do a similar test on your end so we can prove this scenario?

Regards,

Lorenz
