I'm having trouble making NAT-T connections from a 4.8 client behind a Checkpoint FW-1 to any PIXes, ASAs, or 3000 series concentrators on the Internet.
The IKE SA comes up fine, NAT detection and NAT-T negotiation works fine (the IKE SA is moved to udp/4500) and it even appears that the ESP/NAT-T SA is negotiated properly; IKE mode config configures my client IP address and DNS servers, the virtual adapter is activated, etc. However, as soon as I attempt to pass any traffic over the SA, I get the following messages in the client's log:
I get a pair of these for every packet I attempt to pass over the tunnel.
Does anyone have any idea what that second error message even means? I can't find it documented anywhere.
If I sniff traffic on the Ethernet interface of the local client, I don't see it even attempting to send any ESP/NAT-T traffic to the remote VPN server; all I see are occasional IKE Informational messages with the Non-ESP marker exchanged between the client and server, and eventually, the server stops responding and the connection is dropped (i.e. the SAs are deleted by the client).
I'm sure it has something to do with the FW-1 munging something in the IKE NAT-T packets so that the client won't even attempt to send the traffic, but I need to be able to explain the problem to the people that manage the firewall in excruciating detail, and I don't understand it myself at this point. Thanks for any help in advance.
Follow-up question: Is there anywhere on Cisco's website I can look up the VPN Client Event Log error messages and what they really mean? The User Guide indicates that the last part of each event log entry is EventClass/MessageID (e.g. IPSEC/0xA3700016 in the second log entry quoted in my post), but I haven't found a reference for these anywhere.
Update: I opened a case with TAC to troubleshoot this and found that the client is, in fact, transmitting ESP/NAT-T traffic to the VPN server (PIX). I was attempting to sniff the traffic from the client itself, and apparently a driver was hiding the ESP/NAT-T packets from the packet filter. I redid the sniff from another PC plugged into the same hub as the VPN client and was able to see the ESP/NAT-T traffic, and encaps/decaps counters increase on ESP SA on the PIX end.
The problem, as it turns out, is that the NAT/PAT process on the Checkpoint firewall is not properly translating the UDP destination port on the return packets (i.e. it's not getting translated back from a high port to UDP/4500). That's what the error message "IPSec over UDP port incorrect" indicates: that the ESP/NAT-T traffic from the remote VPN server is being sent to a port other than UDP/4500 on the VPN client. This is especially weird, since it only happens for the ESP/NAT-T traffic, and NAT is performed properly for the IKE/NAT-T traffic.
Anyway, the case is still open, but it's most likely a bug in the Firewall-1 NAT code, IMO.
Private e-mail from another reader of this forum confirms that this is probably a bug in the Firewall-1 NAT/PAT code. He has a ticket open with Checkpoint for the exact same problem; I'll post back when he hears back from Checkpoint.
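The failure described in the update above (IKE over UDP/4500 translated correctly, ESP-in-UDP replies delivered to the wrong client port) is easy to confirm from a capture taken on the client's LAN segment. The following is an added example, not code from the original post or from Cisco or Checkpoint: it classifies UDP/4500-style payloads using the RFC 3948 rules (a single 0xFF byte is a NAT keepalive, a four-byte zero Non-ESP marker precedes IKE, anything else is UDP-encapsulated ESP starting with a non-zero SPI) and flags any server-to-client packet that arrives on a port other than 4500. The IP addresses and the sample capture are constructed for the demonstration.

```python
"""Spot NAT-T (RFC 3948) return traffic that a NAT device delivered to the
wrong client port, the condition behind the client's
"IPSec over UDP port incorrect" message.

Added example, not code from the original post. The packet tuples below are
constructed sample data; addresses are hypothetical. Port 4500, the Non-ESP
marker and the keepalive byte come from RFC 3948.
"""

import struct
from typing import List, NamedTuple

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes precede IKE on UDP/4500
KEEPALIVE = b"\xff"                   # one-byte NAT keepalive


class UdpPacket(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def classify_natt_payload(payload: bytes) -> str:
    """Return 'keepalive', 'ike', 'esp' or 'unknown' for a UDP payload.

    UDP-encapsulated ESP begins directly with the ESP header, i.e. a non-zero
    SPI; IKE is prefixed with a zero Non-ESP marker (SPI 0 is reserved, so the
    two cannot collide); a keepalive is exactly one 0xFF byte.
    """
    if payload == KEEPALIVE:
        return "keepalive"
    if len(payload) < 8:  # too short for an ESP header (SPI + sequence number)
        return "unknown"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def esp_spi(payload: bytes) -> int:
    """SPI of a UDP-encapsulated ESP payload (first four bytes, network order)."""
    return struct.unpack("!I", payload[:4])[0]


def audit_return_traffic(packets: List[UdpPacket], client_ip: str,
                         server_ip: str) -> List[str]:
    """Check server->client packets as seen on the client's side of the NAT.

    After the NAT device translates the destination port back, the client must
    receive both IKE and ESP on UDP/4500. Any NAT-T payload on another port is
    reported; the kind is included so a NAT that handles IKE but not ESP (the
    behaviour described in the post) shows up as ESP-only findings.
    """
    findings = []
    for p in packets:
        if p.src_ip != server_ip or p.dst_ip != client_ip:
            continue  # only inbound traffic from the VPN server matters here
        kind = classify_natt_payload(p.payload)
        if kind == "unknown":
            continue
        if p.dst_port != NAT_T_PORT:
            detail = f" spi=0x{esp_spi(p.payload):08x}" if kind == "esp" else ""
            findings.append(
                f"{kind} from {p.src_ip}:{p.src_port} delivered to "
                f"{p.dst_ip}:{p.dst_port} instead of {NAT_T_PORT}{detail}")
    return findings


# Constructed sample capture (hypothetical addresses): an IKE informational
# reply translated correctly, a keepalive translated correctly, and an ESP
# reply that the NAT left on the high port it had assigned outbound.
CLIENT_IP = "10.1.1.50"
SERVER_IP = "203.0.113.10"
IKE_REPLY = NON_ESP_MARKER + b"\x11" * 28          # marker + fake IKE header
ESP_REPLY = struct.pack("!II", 0x0000ABCD, 1) + b"\x22" * 16  # SPI, seq, data
SAMPLE_CAPTURE = [
    UdpPacket(SERVER_IP, 4500, CLIENT_IP, 4500, IKE_REPLY),
    UdpPacket(SERVER_IP, 4500, CLIENT_IP, 4500, KEEPALIVE),
    UdpPacket(SERVER_IP, 4500, CLIENT_IP, 60001, ESP_REPLY),
]

if __name__ == "__main__":
    for line in audit_return_traffic(SAMPLE_CAPTURE, CLIENT_IP, SERVER_IP):
        print(line)
```

Run the audit against packets captured on the same hub or SPAN port as the client, not on the client itself (the post notes the client's own driver hid the ESP/NAT-T packets from its sniffer). IKE and keepalives landing on 4500 while every ESP packet lands on the NAT's high port is exactly the evidence to hand to the firewall team.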
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router: