MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work (1969 Views)
Collector
telelvis
Posts: 2
Registered: ‎11-25-2012
Message 1 of 3 (1,969 Views)
Accepted Solution

MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work


Hello,


We have a bunch of sites connected by IPSec tunnels between a central Cisco 3800 and remote MSR-900s.

Everything is fine when the remote site uses a white (public) IP. But when the ISP provides a grey (private) one, e.g. 192.168.1.200, we have a problem transmitting traffic over IPSec.

In my opinion, the problem is that NAT-T is not engaged during the setup phase.

If the MSR-900 is replaced by a Cisco 861, the IPSec tunnel establishes successfully with NAT-T enabled and traffic goes through.

There are no specific IPSec NAT-T config commands on the MSR, so I presume it is enabled by default.


Here is the IPSec-related config on the Cisco 3800. It uses the dynamic crypto map approach, as we don't know which public IP the service provider uses for outside NAT:

crypto ipsec transform-set office esp-des esp-md5-hmac

crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
crypto dynamic-map DYNAMAP 5555
 set security-association lifetime seconds 28800
 set transform-set office
 set pfs group2
 match address test-gsm
 reverse-route
crypto map RETAIL 40000 ipsec-isakmp dynamic DYNAMAP

crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
ip access-list extended test-gsm
 permit ip any 10.109.51.96 0.0.0.31

interface GigabitEthernet0/1
 description Outbound
 ip address X.X.158.20 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly max-fragments 64
 ip policy route-map counters
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 crypto map RETAIL
 max-reserved-bandwidth 90
end

MSR-900 config:

acl number 3001
 rule 0 permit ip source 10.109.51.96 0.0.0.31

ike proposal 1
 dh group2
 authentication-algorithm md5
 sa duration 3600

ike peer 1
 pre-shared-key cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 remote-address XXX.XXX.158.20

ipsec proposal office
#
ipsec policy vpn 1 isakmp
 security acl 3001
 pfs dh-group2
 ike-peer 1
 proposal office
 sa duration time-based 28800

interface Ethernet0/0
 port link-mode route
 ip address dhcp-alloc
 ipsec policy vpn

interface Loopback0
 ip address 10.109.51.126 255.255.255.255


Please see the attached MSR-900 debug; it is too long to post here. You can see that all security associations are established, but NAT-T is not detected.


Crypto SAs on the MSR; please notice that NAT-T is not negotiated:

<Remote-Site> displ ipsec sa
===============================
Interface: Ethernet0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "vpn"
  sequence number: 1
  mode: isakmp
  -----------------------------
    connection id: 3
    encapsulation mode: tunnel
    perfect forward secrecy: DH group 2
    tunnel:
        local  address: 192.168.1.201
        remote address: XX.XXX.158.20
    flow:
        sour addr: 10.109.51.96/255.255.255.224  port: 0  protocol: IP
        dest addr: 0.0.0.0/0.0.0.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 3957060744 (0xebdbf488)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 1843200/28800
      sa remaining duration (kilobytes/sec): 1843200/28420
      max received sequence-number: 1
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3564383543 (0xd4742d37)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 1843200/28800
      sa remaining duration (kilobytes/sec): 1843199/28420
      max received sequence-number: 5
      udp encapsulation used for nat traversal: N
<Remote-Site>displ ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------------
     5             XXX.XXX.158.20   RD|ST         1     IPSEC
     6             XXX.XXX.158.20   RD|ST         2     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<Remote-Site>


We got IKE phase 2 and IPSec negotiated successfully on the Cisco 3800 as well; you can see ICMP packets being received and sent, but the replies vanish somewhere on the ISP NAT peers:


ru-msk-c3845-vpn#sh crypto sess remo X.X.8.193 de
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/1
Uptime: 00:00:51
Session status: UP-ACTIVE     
Peer: X.X.8.193 port 3324 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.1.201
      Desc: (none)
  IKE SA: local XXX.XXX.158.20/500 remote X.X.8.193/3324 Active 
          Capabilities:(none) connid:8976 lifetime:00:59:06
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.109.51.96/255.255.255.224 
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 1830689/28748
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 1830689/28748

Please kindly suggest anything.

Thanks!

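Added example, not part of the thread or of either vendor's code: this is how an IKEv1 peer decides during phase 1 whether a NAT sits in the path (RFC 3947 NAT-T vendor ID, then NAT-D payloads hashed over cookies, address and port). The post above shows the symptom of that step never happening: "udp encapsulation used for nat traversal: N" on the MSR and "Capabilities:(none)" on the Cisco even though the peer is seen at port 3324. Cookies, public addresses and ports below are constructed (the page redacts its real public IPs, so RFC 5737 documentation ranges stand in for them); the hash is MD5 to match the thread's isakmp policy.

```python
"""NAT detection in IKEv1 phase 1 per RFC 3947 (added example, not code from the
original post).  All cookies/addresses/ports are constructed test data."""
import hashlib
import ipaddress
import struct

# Vendor ID both peers must send in the first phase-1 exchange to agree on
# NAT-T: defined in RFC 3947 as MD5 of the ASCII string "RFC 3947".
RFC3947_VID = hashlib.md5(b"RFC 3947").digest()


def supports_nat_t(vendor_ids):
    """True if the peer advertised RFC 3947 NAT-T among its Vendor ID payloads."""
    return RFC3947_VID in vendor_ids


def nat_d_hash(hash_name, cky_i, cky_r, ip, port):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    hash_name is the phase-1 hash algorithm (md5 in this thread's ISAKMP policy)."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)  # 4 bytes for IPv4
    h.update(struct.pack("!H", port))          # 2 bytes, network byte order
    return h.digest()


def build_nat_d_payloads(hash_name, cky_i, cky_r, local, remote):
    """Sender side: first a NAT-D over the address it is sending TO, then one
    over its own (pre-NAT) source address, as the RFC orders them."""
    return [
        nat_d_hash(hash_name, cky_i, cky_r, *remote),
        nat_d_hash(hash_name, cky_i, cky_r, *local),
    ]


def detect_nat(hash_name, cky_i, cky_r, received, observed_src, observed_dst):
    """Receiver side: recompute the hashes over the addresses actually seen in
    the IP/UDP headers.  A mismatch means a NAT rewrote that side.
    received[0] is the sender's view of OUR address, received[1:] the sender's
    view of its own address(es)."""
    our_hash = nat_d_hash(hash_name, cky_i, cky_r, *observed_dst)
    peer_hash = nat_d_hash(hash_name, cky_i, cky_r, *observed_src)
    return {
        "self_behind_nat": our_hash != received[0],
        "peer_behind_nat": peer_hash not in received[1:],
    }


def msr_behind_isp_nat():
    """Replays the thread's situation with constructed values: the spoke sends
    from its grey address 192.168.1.201:500, the ISP NAT rewrites that to a
    public address and port 3324, and the hub sees the rewritten packet."""
    cky_i = bytes.fromhex("1122334455667788")  # constructed initiator cookie
    cky_r = bytes.fromhex("8877665544332211")  # constructed responder cookie
    hub = ("203.0.113.20", 500)                 # constructed stand-in for X.X.158.20
    spoke_inside = ("192.168.1.201", 500)       # the MSR's DHCP-assigned grey address
    spoke_outside = ("198.51.100.193", 3324)    # constructed stand-in for X.X.8.193:3324
    payloads = build_nat_d_payloads("md5", cky_i, cky_r, spoke_inside, hub)
    return detect_nat("md5", cky_i, cky_r, payloads,
                      observed_src=spoke_outside, observed_dst=hub)


def no_nat():
    """Control case: a spoke with a white (public) address, nothing rewritten."""
    cky_i = bytes.fromhex("1122334455667788")
    cky_r = bytes.fromhex("8877665544332211")
    hub = ("203.0.113.20", 500)
    spoke = ("192.0.2.10", 500)                 # constructed public spoke address
    payloads = build_nat_d_payloads("md5", cky_i, cky_r, spoke, hub)
    return detect_nat("md5", cky_i, cky_r, payloads,
                      observed_src=spoke, observed_dst=hub)


if __name__ == "__main__":
    print("RFC 3947 vendor ID:", RFC3947_VID.hex())
    print("spoke behind ISP NAT:", msr_behind_isp_nat())
    print("no NAT:", no_nat())
```

The first function is the part that failed in the thread: if one side never sends the RFC 3947 vendor ID (the MSR without "nat traversal" configured), the peers never exchange NAT-D payloads at all, phase 1 and 2 still complete on UDP/500, and ESP is sent as raw IP protocol 50, which the ISP NAT then drops or cannot map back. When both sides do advertise NAT-T, the hash mismatch on the hub's side is what switches the SA to UDP/4500 encapsulation and the "N" flag.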
Advisor
MarJ
Posts: 11
Registered: ‎12-17-2011
Message 2 of 3 (1,948 Views)

Re: MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work

Maybe you should try this:


# Enable the NAT traversal function for IKE peer peer1. 

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] nat traversal
Collector
telelvis
Posts: 2
Registered: ‎11-25-2012
Message 3 of 3 (1,938 Views)

Re: MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work

Hello MarJ,


Thank you for reply.


You're right, I missed that in the documentation; I should explicitly define NAT traversal for the peer.
In addition to that, IKE aggressive mode should be enabled, because of the dynamic IP of the remote-site router.


ike peer 1
 nat traversal
 exchange-mode aggressive

Now it's working, thanks.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation