11-25-2012 11:31 PM - last edited on 06-02-2013 09:05 PM by Maiko-I
We have bunch of sites connected by IPSec tunnels between central Cisco 3800 and remote MSR-900
Everything is fine when remote site uses white IP. But when ISP provides grey one e.g. 192.168.1.200, we have problem transmitting traffic over IPSec.
By my opinion, problem is that NAT-T is not engaged during setup phase.
If MSR-900 replaced by Cisco861, IPSec tunnel establishes successfully with NAT-T enabled and traffic goes by.
There is no specific IPSec NAT-T config commands on MSR, so I presume it is enabled by default.
Here is IPSec related config on Cisco 3800 uses dynamic crypto map approach, as we don't know which public IP, Service Provider uses for outside NAT:
crypto ipsec transform-set office esp-des esp-md5-hmac
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
crypto dynamic-map DYNAMAP 5555 set security-association lifetime seconds 28800 set transform-set office set pfs group2 match address test-gsm reverse-route crypto map RETAIL 40000 ipsec-isakmp dynamic DYNAMAP crypto isakmp policy 3 hash md5 authentication pre-share group 2 lifetime 3600 ! ip access-list extended test-gsm permit ip any 10.109.51.96 0.0.0.31 interface GigabitEthernet0/1 description Outbound ip address X.X.158.20 255.255.255.240 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip virtual-reassembly max-fragments 64 ip policy route-map counters duplex auto speed auto media-type rj45 no cdp enable crypto map RETAIL max-reserved-bandwidth 90 end
acl number 3001 rule 0 permit ip source 10.109.51.96 0.0.0.31 ike proposal 1 dh group2 authentication-algorithm md5 sa duration 3600 ike peer 1 pre-shared-key cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXX remote-address XXX.XXX.158.20 ipsec proposal office # ipsec policy vpn 1 isakmp security acl 3001 pfs dh-group2 ike-peer 1 proposal office sa duration time-based 28800 interface Ethernet0/0 port link-mode route ip address dhcp-alloc ipsec policy vpn
ip address 10.109.51.126 255.255.255.255
Please see attached MSR-900 debug, it is too long to post it here, you can see that all security associations being established but NAT-T not detected however.
Crypto SA on MSR, please notice that NAT-T is not negotiated:
<Remote-Site> displ ipsec sa =============================== Interface: Ethernet0/0 path MTU: 1500 =============================== ----------------------------- IPsec policy name: "vpn" sequence number: 1 mode: isakmp ----------------------------- connection id: 3 encapsulation mode: tunnel perfect forward secrecy: DH group 2 tunnel: local address: 192.168.1.201 remote address: XX.XXX.158.20 flow: sour addr: 10.109.51.96/255.255.255.224 port: 0 protocol: IP dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP [inbound ESP SAs] spi: 3957060744 (0xebdbf488) proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 ---- More ---- sa duration (kilobytes/sec): 1843200/28800 sa remaining duration (kilobytes/sec): 1843200/28420 max received sequence-number: 1 anti-replay check enable: Y anti-replay window size: 32 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 3564383543 (0xd4742d37) proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa duration (kilobytes/sec): 1843200/28800 sa remaining duration (kilobytes/sec): 1843199/28420 max received sequence-number: 5 udp encapsulation used for nat traversal: N <Remote-Site>displ ike sa total phase-1 SAs: 1 connection-id peer flag phase doi --------------------------------------------------
-------------- 5 XXX.XXX.158.20 RD|ST 1 IPSEC 6 XXX.XXX.158.20 RD|ST 2 IPSEC flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT <Remote-Site>
We got IKE phase 2 and IPSec negotiated successfully on CIsco 3800 also, you can see ICMP packet being recevied and sent, but replies vanished somewhere on ISP NAT peers:
ru-msk-c3845-vpn#sh crypto sess remo X.X.8.193 de Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, T - cTCP encapsulation X - IKE Extended Authentication, F - IKE Fragmentation Interface: GigabitEthernet0/1 Uptime: 00:00:51 Session status: UP-ACTIVE Peer: X.X.8.193 port 3324 fvrf: (none) ivrf: (none) Phase1_id: 192.168.1.201 Desc: (none) IKE SA: local XXX.XXX.158.20/500 remote X.X.8.193/3324 Active Capabilities:(none) connid:8976 lifetime:00:59:06 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.109.51.96/255.255.255.224 Active SAs: 2, origin: dynamic crypto map Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 1830689/28748 Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 1830689/28748
Please suggest anything kindly.
Solved! Go to Solution.
11-26-2012 06:02 AM
Maybe You should try this:
# Enable the NAT traversal function for IKE peer peer1. <Sysname> system-view [Sysname] ike peer peer1 [Sysname-ike-peer-peer1] nat traversal
11-26-2012 10:03 PM
Thank you for reply.
You right, I missed that in documentation, I should explicitly define NAT traversal for the peer.
In addition to that, IKE aggressive mode should be enabled, because of dynamic IP of remote-site router.
ike peer 1 nat traversal exchange-mode aggressive
Now it's working, thanks.