Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPSEC VPN behind Nat

Hello All,

Not my strong area and in need of a little advice.  I have 2 sites with DSL internet services.  This is what I have

SITE1-Cisco881 Vlan4 (192.168.10.1)------ (192.168.10.254) NAT(BT Homehub) static IP--------¦internet¦----------static IP/ATM0-Dialer/Cisco877- SITE2

Basically I need to build an IPSEC VPN between the 881 and 877.    I had an 887 at Site 1 with a DSL connection and was able to build the IPSEC tunnel ok, but the client demands that the BThomehub be present as demarcation of fault so I'm forced to Nat the tunnel through to the 881.  The tunnel wont come up, but works fine when Cisco to Cisco.

I believe I have the right ports forwarded on the BT hub but it appears as though the 881 is rejecting the proposal because of the NAT.  What am I missing?

Thanks in advance

Dave

debug crypto isakmp error and debug crypto ipsec err

877 Site2(config)#

*Jan 12 00:52:14.485: map_db_find_best did not find matching map

*Jan 12 00:52:14.485: IPSEC(ipsec_process_proposal): proxy identities not supported

*Jan 12 00:52:14.485: ISAKMP:(2516): IPSec policy invalidated proposal with error 32

*Jan 12 00:52:14.485: ISAKMP:(2516): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)

*Jan 12 00:52:14.485: ISAKMP:(2516):deleting node -1658498082 error TRUE reason "QM re

*Jan 12 00:52:23.837: ISAKMP:(2515):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer y.y.y.y)

*Jan 12 00:52:23.837: ISAKMP:(2515):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer y.y.y.y)

*Jan 12 00:54:41.509: ISAKMP:(2519):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer y.y.y.y)

BT Home Hub port forwarding:

NAT public IP to 192.168.10.1

- udp port 500

- ESP 50

881 config

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

crypto isakmp key aaaaaaa address 0.0.0.0

!

!

crypto ipsec transform-set vpnset esp-aes esp-sha-hmac

!

!

crypto ipsec profile encrypt-tunnel

set transform-set vpnset

!

!

bridge irb

!

!

!

!

interface Tunnel0

ip address 192.168.255.14 255.255.255.252

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source Vlan4

tunnel destination x.x.x.x (site 2 static public IP)

tunnel path-mtu-discovery

tunnel protection ipsec profile encrypt-tunnel

877 config

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

crypto isakmp key aaaaaaa address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set vpnset esp-aes esp-sha-hmac

!

crypto ipsec profile encrypt-tunnel

set transform-set vpnset

!

!

archive

log config

  hidekeys

!

!

!

bridge irb

!

!

interface Tunnel0

description vpn link to Main House

ip address 192.168.255.13 255.255.255.252

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source Dialer0

tunnel destination y.y.y.y (Site 1 Public IP)

tunnel path-mtu-discovery

tunnel protection ipsec profile encrypt-tunnel

I've been looking into the debugs and I see the following when debugging the sa.  Looks like the fact that the 881 internal ip 192.168.10.1 is causing a problem with the verificaition of the encryption negotiation.

HPG_Router#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.10.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 96, #recv errors 0

     local crypto endpt.: 192.168.10.1, remote crypto endpt.: x.x.x.x

     path mtu 1500, ip mtu 1500, ip mtu idb Vlan4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:.

Everyone's tags (4)
1 REPLY
Cisco Employee

IPSEC VPN behind Nat

Hi David,

If the IPSEC device is behind nat then udp port 4500 needs to be forwarded as well for NAT-Traversal.

Dan

6047
Views
0
Helpful
1
Replies