IPsec VPN behind a NAT device

Thanks, but I just resolved the problem, so I deleted my posting.

Thank you for your replies. There are 2 options: either Easy VPN client, but it requires Cisco at the other end, or this one:
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
Here is the Cisco URL where you can find further information about it:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
I'm going to test those 2 options.
I still don't know how to push an ACL with Easy VPN client and remote mode.
Thank you for your advice.
regards,
alex

Similar Messages

  • Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2

    I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 
    I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
    I logged into the Verizon Actiontec MI424WR router, setup port forwarding for UDP ports 500, 1701 & 4500.
    Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
    With the port forwarding in place, I tested VPN externally but it didn't connect.
    I've done the following so far to no avail:
    Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
    There are no other pre-existing L2TP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
    There was an L2TP port triggering rule enabled, that I toggled on and off with no change
    Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
    Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced it's an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
    My router details:
    Verizon Actiontec
    MI424WR-GEN2
    Revision E
    Firmware 20.21.0.2
    Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.

    Normally a VPN on that router will have a GRE tunneling protocol as well.
    There are two ways to build the PF rules:
    Manually
    Preconfigured
    I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.
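
The question above asks for a way to see whether the inbound attempt is reaching the device at all. A packet capture on the VPN server itself answers that more reliably than the router's own logs. The Python below is an added example, not from the post or from the router vendor: it classifies tcpdump one-liners by VPN stage (IKE on UDP 500, NAT-T on UDP 4500, raw ESP/AH, L2TP in the clear) and reports how far the attempt got. The capture lines, the client address 203.0.113.7 and the server address 192.168.1.10 are all constructed; a real run would feed it the output of something like `tcpdump -nn -i eth0 'udp port 500 or udp port 4500 or udp port 1701 or proto 50 or proto 51'`. One thing the classifier makes visible: once NAT-T is negotiated, IKE and the ESP-wrapped L2TP both arrive on UDP 4500, so forwards for raw ESP, AH and UDP 1701 are not what carries the session.

```python
"""Stage-of-progress check for an inbound L2TP/IPsec attempt, run over tcpdump
output captured on the VPN server. Added example, not from the post: the
capture lines and both addresses are constructed."""
import re
from collections import Counter

# Constructed sample: a client behind NAT reaching the server, NAT-T negotiated.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.7.500 > 192.168.1.10.500: isakmp: phase 1 I ident
12:00:01.020300 IP 192.168.1.10.500 > 203.0.113.7.500: isakmp: phase 1 R ident
12:00:01.300200 IP 203.0.113.7.4500 > 192.168.1.10.4500: NONESP-encap: isakmp: phase 1 I ident[E]
12:00:01.340500 IP 192.168.1.10.4500 > 203.0.113.7.4500: NONESP-encap: isakmp: phase 1 R ident[E]
12:00:01.600700 IP 203.0.113.7.4500 > 192.168.1.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:00:02.001000 IP 203.0.113.7.4500 > 192.168.1.10.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 120
"""

# tcpdump -nn prints "IP src.port > dst.port: ..." for UDP and "IP src > dst: ESP(...)"
# for raw ESP/AH, so the port groups are optional.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")


def classify(line: str, server_ip: str):
    """Map one capture line to a VPN stage tag, or None if it is unrelated."""
    m = LINE_RE.match(line)
    if not m:
        return None
    inbound = m["dst"] == server_ip
    direction = "in" if inbound else "out"
    port = m["dport"] if inbound else m["sport"]
    rest = m["rest"]
    if rest.startswith("ESP("):            # raw IP protocol 50, no UDP header
        return "esp_raw_" + direction
    if rest.startswith("AH("):             # raw IP protocol 51
        return "ah_raw_" + direction
    if port == "500":
        return "ike_500_" + direction
    if port == "4500":                     # NAT-T: IKE and ESP share this port
        return ("esp_udp_" if "ESP(" in rest else "ike_4500_") + direction
    if port == "1701":                     # L2TP in the clear, i.e. no IPsec at all
        return "l2tp_clear_" + direction
    return None


def summarize(capture: str, server_ip: str) -> Counter:
    """Count stage tags over a whole capture."""
    return Counter(t for t in (classify(l, server_ip) for l in capture.splitlines()) if t)


def diagnose(stages: Counter) -> str:
    """Turn the stage counts into the one thing to check next."""
    if stages["l2tp_clear_in"] and not stages["ike_500_in"]:
        return "L2TP arriving without IPsec: the client is not using IPsec; the forwards are not the problem."
    if not stages["ike_500_in"]:
        return "No IKE on UDP 500 reached the server: the router is not forwarding it (or the client never sent it)."
    if not stages["ike_500_out"]:
        return "IKE arrives but the server never answers: the problem is on the server, not the router."
    if stages["ike_4500_in"]:
        msg = ("NAT-T negotiated: IKE and ESP both travel in UDP 4500, "
               "so raw ESP/AH forwards are not what carries the data.")
        if not stages["ike_4500_out"]:
            msg += " The server never replied on 4500; check the UDP 4500 forward."
        return msg
    if stages["esp_raw_in"]:
        return "No NAT-T: ESP arrives as IP protocol 50 and needs a protocol forward, not a UDP port."
    return "IKE exchanged on UDP 500 only; the attempt stalled in phase 1 (look at the server's IKE log)."


if __name__ == "__main__":
    stages = summarize(SAMPLE_CAPTURE, "192.168.1.10")
    print(dict(stages))
    print(diagnose(stages))
```

Run it on the server side of the NAT router while the remote client attempts to connect; an empty stage count means nothing reached the server, which is the case the question is trying to distinguish.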

  • IPSec on routers behind a nat device

    Hi all,
    I have a very simple setup. I have 3 routers as shown below. ISP is translating R1's interface IP from 10.1.1.1 to 10.1.3.1
    R1--Fas0/0-----------------------------------Fas0/0---ISP---Fas0/1------------------------------Fas0/1----R2
    R1:
    int fas0/0
    ip add 10.1.1.1 255.255.255.0
    ISP
    int fas0/0
    ip add 10.1.1.2 255.255.255.0
    ip nat inside
    int fas0/1
    ip add 10.1.2.2 255.255.255.0
    ip nat outside
    ip nat inside source static 10.1.1.1 10.1.3.1
    R2
    int fas0/1
    ip add 10.1.2.1 255.255.255.0
    As you can see, ISP is translating R1 10.1.1.1 <-> 10.1.3.1. If I want to configure IPsec between R1 and R2, what shall I configure?

    This is a lab scenario and i want to test for my learning how IPSec would work in such a case.
    I have tried it, but IPsec doesn't work with the standard configuration. Below is the configuration.
    I have configured 2 loopbacks: on R1: 100.1.1.1, on R2: 200.1.1.1
    R1:
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
    crypto map test 10 ipsec-isakmp
     match address 101
     set peer 10.1.1.1
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    R2:
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
    crypto map test 10 ipsec-isakmp
     match address 101
     set peer 10.1.3.1 (it will be 10.1.3.1, the NATted IP, right?)
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.1.2
    Now when I ping from R1:
    ping 200.1.1.1 source 100.1.1.1
    it's not successful. Why doesn't it work, any idea?
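
How IKE notices the ISP's static NAT in this lab is worth seeing concretely, because it decides which addresses each side ends up talking to. The Python below is an added example, not part of the post: it computes the IKEv1 NAT-Discovery payloads of RFC 3947 (payload type 20, the ones the IOS debugs further down this page log as "received payload type 20") for R1 10.1.1.1 (translated to 10.1.3.1) and R2 10.1.2.1, and shows which side concludes it is behind the NAT. Each NAT-D body is HASH(CKY-I | CKY-R | IP | Port) with the Phase-1 hash; the two cookies are fixed constructed values here, and the hash defaults to SHA-1 (pass "md5" to match the policy in this post).

```python
"""IKEv1 NAT-Discovery (RFC 3947) worked through for the static-NAT lab above.
Added example, not from the post; cookies are constructed constants."""
import hashlib
import ipaddress
import struct


def nat_d_hash(hash_name: str, cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port) using the Phase-1 hash.
    IPv4 address is its 4 packed bytes, port is 2 bytes in network order."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(hash_name, cky_i, cky_r, dst_ip, dst_port, src_ip, src_port):
    """Sender's NAT-D list: first the destination (peer) as the sender sees it,
    then the sender's own source address (RFC 3947 section 4)."""
    return [nat_d_hash(hash_name, cky_i, cky_r, dst_ip, dst_port),
            nat_d_hash(hash_name, cky_i, cky_r, src_ip, src_port)]


def detect_nat(hash_name, cky_i, cky_r, received, my_ip, my_port, seen_src_ip, seen_src_port):
    """Receiver's check. If the first payload does not match my own address, my
    address was rewritten on the way (I am behind NAT). If none of the remaining
    payloads match the packet's observed source, the peer's address was rewritten
    (the peer is behind NAT)."""
    self_behind_nat = received[0] != nat_d_hash(hash_name, cky_i, cky_r, my_ip, my_port)
    peer_behind_nat = (nat_d_hash(hash_name, cky_i, cky_r, seen_src_ip, seen_src_port)
                       not in received[1:])
    return {"self_behind_nat": self_behind_nat,
            "peer_behind_nat": peer_behind_nat,
            "nat_detected": self_behind_nat or peer_behind_nat}


# Topology from the post: R1 10.1.1.1 is statically translated to 10.1.3.1; R2 is 10.1.2.1.
R1_IP, R1_NAT_IP, R2_IP, IKE_PORT = "10.1.1.1", "10.1.3.1", "10.1.2.1", 500
CKY_I = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")   # constructed responder cookie


def simulate_lab(hash_name: str = "sha1"):
    """R1 initiates. The ISP rewrites R1's source to 10.1.3.1, so the hash R1
    computed over 10.1.1.1 no longer matches what R2 observes on the wire."""
    r1_payloads = build_nat_d(hash_name, CKY_I, CKY_R, R2_IP, IKE_PORT, R1_IP, IKE_PORT)
    r2_view = detect_nat(hash_name, CKY_I, CKY_R, r1_payloads,
                         R2_IP, IKE_PORT, R1_NAT_IP, IKE_PORT)
    # R2 answers; from its point of view the peer is 10.1.3.1.
    r2_payloads = build_nat_d(hash_name, CKY_I, CKY_R, R1_NAT_IP, IKE_PORT, R2_IP, IKE_PORT)
    # The ISP translates the destination back to 10.1.1.1 before R1 sees the reply.
    r1_view = detect_nat(hash_name, CKY_I, CKY_R, r2_payloads,
                         R1_IP, IKE_PORT, R2_IP, IKE_PORT)
    return r1_view, r2_view


if __name__ == "__main__":
    r1, r2 = simulate_lab()
    print("R1 (inside NAT) sees:", r1)
    print("R2 (outside NAT) sees:", r2)
```

R1 concludes it is the node inside the NAT and R2 that its peer is, which is exactly the pair of messages ("NAT found, the node inside NAT" / "NAT found, the node outside NAT") in the debugs of the next post. Once NAT is detected both peers float to UDP 4500 and ESP is carried in UDP; a one-to-one static translation like the ISP's passes that unchanged, but the side that is not translated still has to address the peer by the translated address, as the post already guesses for R2's `set peer`.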

  • Site to SIte VPN through a NAT device

    Hi, I am having some trouble running a site-to-site VPN between two 3725 routers running c3725-advsecurityk9-mz124-15T1, which I hope I can get some help with; I am probably missing something here. The VPN ran fine when both VPN routers were connected directly to the internet and had public IPs on the WAN interfaces, but I have had to move one of the firewalls inside onto a private IP. The setup is now as below
    VPN router A(192.168.248.253)---Company internal network----Fortigate FW-----internet----(217.155.113.179)VPN router B
    Now the Fortigate FW is doing some address translations
    - traffic from 192.168.248.253 to 217.155.113.179 has its source translated to 37.205.62.5
    - traffic from 217.155.113.179 to 37.205.62.5 has its destination translated to 192.168.248.253
    - The firewall rules allow any traffic between the 2 devices, no port lockdown enabled.
    - The 37.205.62.5 address is used by nothing else.
    I basically have a GRE tunnel between the two routers and I am trying to encrypt it.
    Router A is showing the below
    SERVER-RTR#show crypto map
    Crypto Map "S2S_VPN" 10 ipsec-isakmp
    Peer = 217.155.113.179
    Extended IP access list 101
    access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
    Current peer: 217.155.113.179
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    STRONG,
    Interfaces using crypto map S2S_VPN:
    FastEthernet0/1
    SERVER-RTR#show crypto sessio
    Crypto session current status
    Interface: FastEthernet0/1
    Session status: DOWN
    Peer: 217.155.113.179 port 500
    IPSEC FLOW: permit 47 host 192.168.248.253 host 217.155.113.179
    Active SAs: 0, origin: crypto map
    Interface: FastEthernet0/1
    Session status: UP-IDLE
    Peer: 217.155.113.179 port 4500
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
    Router B is showing the below
    BSU-RTR#show crypto map
    Crypto Map "S2S_VPN" 10 ipsec-isakmp
    Peer = 37.205.62.5
    Extended IP access list 101
    access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
    Current peer: 37.205.62.5
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    STRONG,
    Interfaces using crypto map S2S_VPN:
    FastEthernet0/1
    BSU-RTR#show crypto sess
    Crypto session current status
    Interface: FastEthernet0/1
    Session status: DOWN
    Peer: 37.205.62.5 port 500
    IPSEC FLOW: permit 47 host 217.155.113.179 host 37.205.62.5
    Active SAs: 0, origin: crypto map
    Interface: FastEthernet0/1
    Session status: UP-IDLE
    Peer: 37.205.62.5 port 4500
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
    I can see the counters incrementing over the ACL on both routers so I know GRE traffic is interesting.
    Here are some debugs too
    Router A
    debug crypto isakmp
    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node 940426884
    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node 1837874301
    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node -475409474
    *Mar 2 23:07:20.794: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (N) NEW SA
    *Mar 2 23:07:20.794: ISAKMP: Created a peer struct for 217.155.113.179, peer port 500
    *Mar 2 23:07:20.794: ISAKMP: New peer created peer = 0x64960C04 peer_handle = 0x80000F0E
    *Mar 2 23:07:20.794: ISAKMP: Locking peer struct 0x64960C04, refcount 1 for crypto_isakmp_process_block
    *Mar 2 23:07:20.794: ISAKMP: local port 500, remote port 500
    *Mar 2 23:07:20.794: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6464D3F0
    *Mar 2 23:07:20.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    *Mar 2 23:07:20.794: ISAKMP:(0): processing SA payload. message ID = 0
    *Mar 2 23:07:20.794: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
    *Mar 2 23:07:20.798: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
    *Mar 2 23:07:20.798: ISAKMP:(0): local preshared key found
    *Mar 2 23:07:20.798: ISAKMP : Scanning profiles for xauth ...
    *Mar 2 23:07:20.798: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Mar 2 23:07:20.798: ISAKMP: encryption DES-CBC
    *Mar 2 23:07:20.798: ISAKMP: hash SHA
    *Mar 2 23:07:20.798: ISAKMP: default group 1
    *Mar 2 23:07:20.798: ISAKMP: auth pre-share
    *Mar 2 23:07:20.798: ISAKMP: life type in seconds
    *Mar 2 23:07:20.798: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    *Mar 2 23:07:20.798: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:actual life: 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:life: 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Mar 2 23:07:20.798: ISAKMP:(0):Returning Actual lifetime: 86400
    *Mar 2 23:07:20.798: ISAKMP:(0)::Started lifetime timer: 86400.
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
    *Mar 2 23:07:20.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.798: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    *Mar 2 23:07:20.802: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Mar 2 23:07:20.802: ISAKMP:(0): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Mar 2 23:07:20.802: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.802: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.802: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
    *Mar 2 23:07:20.822: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (R) MM_SA_SETUP
    *Mar 2 23:07:20.822: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.822: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
    *Mar 2 23:07:20.822: ISAKMP:(0): processing KE payload. message ID = 0
    *Mar 2 23:07:20.850: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Mar 2 23:07:20.854: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is Unity
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is DPD
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): speaking to another IOS box!
    *Mar 2 23:07:20.854: ISAKMP:received payload type 20
    *Mar 2 23:07:20.854: ISAKMP (0:1027): NAT found, the node inside NAT
    *Mar 2 23:07:20.854: ISAKMP:received payload type 20
    *Mar 2 23:07:20.854: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.854: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM3
    *Mar 2 23:07:20.854: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Mar 2 23:07:20.854: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.858: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.858: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM4
    *Mar 2 23:07:20.898: ISAKMP:(1024):purging SA., sa=64D5723C, delme=64D5723C
    *Mar 2 23:07:20.902: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
    *Mar 2 23:07:20.902: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.902: ISAKMP:(1027):Old State = IKE_R_MM4 New State = IKE_R_MM5
    *Mar 2 23:07:20.902: ISAKMP:(1027): processing ID payload. message ID = 0
    *Mar 2 23:07:20.902: ISAKMP (0:1027): ID payload
    next-payload : 8
    type : 1
    address : 217.155.113.179
    protocol : 17
    port : 0
    length : 12
    *Mar 2 23:07:20.902: ISAKMP:(0):: peer matches *none* of the profiles
    *Mar 2 23:07:20.906: ISAKMP:(1027): processing HASH payload. message ID = 0
    *Mar 2 23:07:20.906: ISAKMP:(1027): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = 0, sa = 6464D3F0
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
    authenticated
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA has been authenticated with 217.155.113.179
    *Mar 2 23:07:20.906: ISAKMP:(1027):Detected port floating to port = 4500
    *Mar 2 23:07:20.906: ISAKMP: Trying to find existing peer 192.168.248.253/217.155.113.179/4500/ and found existing peer 648EAD00 to reuse, free 64960C04
    *Mar 2 23:07:20.906: ISAKMP: Unlocking peer struct 0x64960C04 Reuse existing peer, count 0
    *Mar 2 23:07:20.906: ISAKMP: Deleting peer node by peer_reap for 217.155.113.179: 64960C04
    *Mar 2 23:07:20.906: ISAKMP: Locking peer struct 0x648EAD00, refcount 2 for Reuse existing peer
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
    authenticated
    *Mar 2 23:07:20.906: ISAKMP:(1027): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 192.168.248.253 remote 217.155.113.179 remote port 4500
    *Mar 2 23:07:20.906: ISAKMP:(1026):received initial contact, deleting SA
    *Mar 2 23:07:20.906: ISAKMP:(1026):peer does not do paranoid keepalives.
    *Mar 2 23:07:20.906: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
    *Mar 2 23:07:20.906: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
    *Mar 2 23:07:20.906: ISAKMP:(1027):Setting UDP ENC peer struct 0x0 sa= 0x6464D3F0
    *Mar 2 23:07:20.906: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.906: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_R_MM5
    *Mar 2 23:07:20.910: ISAKMP: set new node -98987637 to QM_IDLE
    *Mar 2 23:07:20.910: ISAKMP:(1026): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:20.910: ISAKMP:(1026):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.910: ISAKMP:(1026):purging node -98987637
    *Mar 2 23:07:20.910: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Mar 2 23:07:20.910: ISAKMP:(1026):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
    *Mar 2 23:07:20.910: ISAKMP:(1027):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Mar 2 23:07:20.910: ISAKMP (0:1027): ID payload
    next-payload : 8
    type : 1
    address : 192.168.248.253
    protocol : 17
    port : 0
    length : 12
    *Mar 2 23:07:20.910: ISAKMP:(1027):Total payload length: 12
    *Mar 2 23:07:20.914: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
    *Mar 2 23:07:20.914: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
    *Mar 2 23:07:20.914: ISAKMP: Unlocking peer struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node 334747020 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -1580729900 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -893929227 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.914: ISAKMP:(1026):Old State = IKE_DEST_SA New State = IKE_DEST_SA
    *Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    *Mar 2 23:07:20.930: ISAKMP (0:1026): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_NO_STATE
    *Mar 2 23:07:20.934: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
    *Mar 2 23:07:20.934: ISAKMP: set new node 1860263019 to QM_IDLE
    *Mar 2 23:07:20.934: ISAKMP:(1027): processing HASH payload. message ID = 1860263019
    *Mar 2 23:07:20.934: ISAKMP:(1027): processing SA payload. message ID = 1860263019
    *Mar 2 23:07:20.934: ISAKMP:(1027):Checking IPSec proposal 1
    *Mar 2 23:07:20.934: ISAKMP: transform 1, ESP_AES
    *Mar 2 23:07:20.934: ISAKMP: attributes in transform:
    *Mar 2 23:07:20.934: ISAKMP: encaps is 3 (Tunnel-UDP)
    *Mar 2 23:07:20.934: ISAKMP: SA life type in seconds
    *Mar 2 23:07:20.934: ISAKMP: SA life duration (basic) of 3600
    *Mar 2 23:07:20.934: ISAKMP: SA life type in kilobytes
    *Mar 2 23:07:20.934: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    *Mar 2 23:07:20.934: ISAKMP: key length is 128
    *Mar 2 23:07:20.934: ISAKMP:(1027):atts are acceptable.
    *Mar 2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
    *Mar 2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
    *Mar 2 23:07:20.938: ISAKMP: set new node 1961554007 to QM_IDLE
    *Mar 2 23:07:20.938: ISAKMP:(1027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 1688526152, message ID = 1961554007
    *Mar 2 23:07:20.938: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:20.938: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.938: ISAKMP:(1027):purging node 1961554007
    *Mar 2 23:07:20.938: ISAKMP:(1027):deleting node 1860263019 error TRUE reason "QM rejected"
    *Mar 2 23:07:20.938: ISAKMP:(1027):Node 1860263019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Mar 2 23:07:20.938: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_READY
    *Mar 2 23:07:24.510: ISAKMP: set new node 0 to QM_IDLE
    *Mar 2 23:07:24.510: SA has outstanding requests (local 100.100.213.56 port 4500, remote 100.100.213.84 port 4500)
    *Mar 2 23:07:24.510: ISAKMP:(1027): sitting IDLE. Starting QM immediately (QM_IDLE )
    *Mar 2 23:07:24.510: ISAKMP:(1027):beginning Quick Mode exchange, M-ID of 670698820
    *Mar 2 23:07:24.510: ISAKMP:(1027):QM Initiator gets spi
    *Mar 2 23:07:24.510: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:24.510: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:24.514: ISAKMP:(1027):Node 670698820, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Mar 2 23:07:24.514: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
    *Mar 2 23:07:24.530: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
    *Mar 2 23:07:24.534: ISAKMP: set new node 1318257670 to QM_IDLE
    *Mar 2 23:07:24.534: ISAKMP:(1027): processing HASH payload. message ID = 1318257670
    *Mar 2 23:07:24.534: ISAKMP:(1027): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 3268378219, message ID = 1318257670, sa = 6464D3F0
    *Mar 2 23:07:24.534: ISAKMP:(1027): deleting spi 3268378219 message ID = 670698820
    *Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 670698820 error TRUE reason "Delete Larval"
    *Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 1318257670 error FALSE reason "Informational (in) state 1"
    *Mar 2 23:07:24.534: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Mar 2 23:07:24.534: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -238086324
    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -1899972726
    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -321906720
    Router B
    debug crypto isakmp
    1d23h: ISAKMP:(0): SA request profile is (NULL)
    1d23h: ISAKMP: Created a peer struct for 37.205.62.5, peer port 500
    1d23h: ISAKMP: New peer created peer = 0x652C3B54 peer_handle = 0x80000D8C
    1d23h: ISAKMP: Locking peer struct 0x652C3B54, refcount 1 for isakmp_initiator
    1d23h: ISAKMP: local port 500, remote port 500
    1d23h: ISAKMP: set new node 0 to QM_IDLE
    1d23h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 652CBDC4
    1d23h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    1d23h: ISAKMP:(0): constructed NAT-T vendor-07 ID
    1d23h: ISAKMP:(0): constructed NAT-T vendor-03 ID
    1d23h: ISAKMP:(0): constructed NAT-T vendor-02 ID
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    1d23h: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
    1d23h: ISAKMP:(0): beginning Main Mode exchange
    1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_NO_STATE
    1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_NO_STATE
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
    1d23h: ISAKMP:(0): processing SA payload. message ID = 0
    1d23h: ISAKMP:(0): processing vendor id payload
    1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(0): local preshared key found
    1d23h: ISAKMP : Scanning profiles for xauth ...
    1d23h: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    1d23h: ISAKMP: encryption DES-CBC
    1d23h: ISAKMP: hash SHA
    1d23h: ISAKMP: default group 1
    1d23h: ISAKMP: auth pre-share
    1d23h: ISAKMP: life type in seconds
    1d23h: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    1d23h: ISAKMP:(0):atts are acceptable. Next payload is 0
    1d23h: ISAKMP:(0):Acceptable atts:actual life: 0
    1d23h: ISAKMP:(0):Acceptable atts:life: 0
    1d23h: ISAKMP:(0):Fill atts in sa vpi_length:4
    1d23h: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    1d23h: ISAKMP:(0):Returning Actual lifetime: 86400
    1d23h: ISAKMP:(0)::Started lifetime timer: 86400.
    1d23h: ISAKMP:(0): processing vendor id payload
    1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
    1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_SA_SETUP
    1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
    1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_SA_SETUP
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
    1d23h: ISAKMP:(0): processing KE payload. message ID = 0
    1d23h: ISAKMP:(0): processing NONCE payload. message ID = 0
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): vendor ID is Unity
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): vendor ID is DPD
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): speaking to another IOS box!
    1d23h: ISAKMP:received payload type 20
    1d23h: ISAKMP:received payload type 20
    1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM4
    1d23h: ISAKMP:(1034):Send initial contact
    1d23h: ISAKMP:(1034):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    1d23h: ISAKMP (0:1034): ID payload
    next-payload : 8
    type : 1
    address : 217.155.113.179
    protocol : 17
    port : 0
    length : 12
    1d23h: ISAKMP:(1034):Total payload length: 12
    1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM5
    1d23h: ISAKMP:(1031):purging SA., sa=652D60C8, delme=652D60C8
    1d23h: ISAKMP (0:1033): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node 33481563 to QM_IDLE
    1d23h: ISAKMP:(1033): processing HASH payload. message ID = 33481563
    1d23h: ISAKMP:received payload type 18
    1d23h: ISAKMP:(1033):Processing delete with reason payload
    1d23h: ISAKMP:(1033):delete doi = 1
    1d23h: ISAKMP:(1033):delete protocol id = 1
    1d23h: ISAKMP:(1033):delete spi_size = 16
    1d23h: ISAKMP:(1033):delete num spis = 1
    1d23h: ISAKMP:(1033):delete_reason = 11
    1d23h: ISAKMP:(1033): processing DELETE_WITH_REASON payload, message ID = 33481563, reason: Unknown delete reason!
    1d23h: ISAKMP:(1033):peer does not do paranoid keepalives.
    1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
    1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "Informational (in) state 1"
    1d23h: ISAKMP: set new node 1618266182 to QM_IDLE
    1d23h: ISAKMP:(1033): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
    1d23h: ISAKMP:(1033):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1033):purging node 1618266182
    1d23h: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    1d23h: ISAKMP:(1033):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
    1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
    1d23h: ISAKMP:(1034): processing ID payload. message ID = 0
    1d23h: ISAKMP (0:1034): ID payload
    next-payload : 8
    type : 1
    address : 192.168.248.253
    protocol : 17
    port : 0
    length : 12
    1d23h: ISAKMP:(0):: peer matches *none* of the profiles
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = 0
    1d23h: ISAKMP:(1034):SA authentication status:
    authenticated
    1d23h: ISAKMP:(1034):SA has been authenticated with 37.205.62.5
    1d23h: ISAKMP: Trying to insert a peer 217.155.113.179/37.205.62.5/4500/, and found existing one 643BCA10 to reuse, free 652C3B54
    1d23h: ISAKMP: Unlocking peer struct 0x652C3B54 Reuse existing peer, count 0
    1d23h: ISAKMP: Deleting peer node by peer_reap for 37.205.62.5: 652C3B54
    1d23h: ISAKMP: Locking peer struct 0x643BCA10, refcount 2 for Reuse existing peer
    1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM5 New State = IKE_I_MM6
    1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
    1d23h: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
    1d23h: ISAKMP: Unlocking peer struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
    1d23h: ISAKMP:(1033):deleting node 1267924911 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node 1074093103 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node -183194519 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(1033):Old State = IKE_DEST_SA New State = IKE_DEST_SA
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_I_MM6
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
    1d23h: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of 1297417008
    1d23h: ISAKMP:(1034):QM Initiator gets spi
    1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
    1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1034):Node 1297417008, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node -874376893 to QM_IDLE
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = -874376893
    1d23h: ISAKMP:(1034): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 56853244, message ID = -874376893, sa = 652CBDC4
    1d23h: ISAKMP:(1034): deleting spi 56853244 message ID = 1297417008
    1d23h: ISAKMP:(1034):deleting node 1297417008 error TRUE reason "Delete Larval"
    1d23h: ISAKMP:(1034):deleting node -874376893 error FALSE reason "Informational (in) state 1"
    1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node 439453045 to QM_IDLE
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = 439453045
    1d23h: ISAKMP:(1034): processing SA payload. message ID = 439453045
    1d23h: ISAKMP:(1034):Checking IPSec proposal 1
    1d23h: ISAKMP: transform 1, ESP_AES
    1d23h: ISAKMP: attributes in transform:
    1d23h: ISAKMP: encaps is 3 (Tunnel-UDP)
    1d23h: ISAKMP: SA life type in seconds
    1d23h: ISAKMP: SA life duration (basic) of 3600
    1d23h: ISAKMP: SA life type in kilobytes
    1d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    1d23h: ISAKMP: key length is 128
    1d23h: ISAKMP:(1034):atts are acceptable.
    1d23h: ISAKMP:(1034): IPSec policy invalidated proposal with error 32
    1d23h: ISAKMP:(1034): phase 2 SA policy not acceptable! (local 217.155.113.179 remote 37.205.62.5)
    1d23h: ISAKMP: set new node 1494356901 to QM_IDLE
    1d23h: ISAKMP:(1034):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 1687353736, message ID = 1494356901
    1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
    1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1034):purging node 1494356901
    1d23h: ISAKMP:(1034):deleting node 439453045 error TRUE reason "QM rejected"
    1d23h: ISAKMP:(1034):Node 439453045, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_READY
    1d23h: ISAKMP:(1032):purging node 1513722556
    1d23h: ISAKMP:(1032):purging node -643121396
    1d23h: ISAKMP:(1032):purging node 1350014243
    1d23h: ISAKMP:(1032):purging node 83247347

    Hi Lei, here are the 2 configs for the VPN routers. Hope it sheds some light.
    Just to add, I have removed the crypto map from the fa0/1 interfaces on both routers just so I can continue my work with the GRE tunnel.
    Router A
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname SERVER-RTR
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    enable secret 5 $1$RihE$Po9HPkuvEHaspaD5ZC72m0
    no aaa new-model
    memory-size iomem 20
    ip cef
    no ip domain lookup
    ip multicast-routing
    multilink bundle-name authenticated
    archive
    log config
      hidekeys
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key XXXX address 217.155.113.179
    crypto ipsec transform-set STRONG esp-aes
    crypto map S2S_VPN 10 ipsec-isakmp
    set peer 217.155.113.179
    set transform-set STRONG
    match address 101
    controller E1 1/0
    interface Tunnel0
    bandwidth 100000
    ip address 10.208.200.1 255.255.255.0
    ip mtu 1400
    ip pim dense-mode
    ip route-cache flow
    tunnel source FastEthernet0/1
    tunnel destination 217.155.113.179
    interface FastEthernet0/0
    ip address 10.208.1.10 255.255.224.0
    ip pim state-refresh origination-interval 30
    ip pim dense-mode
    ip route-cache flow
    ip igmp version 1
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.248.253 255.255.254.0
    ip nbar protocol-discovery
    ip route-cache flow
    load-interval 60
    duplex auto
    speed auto
    router eigrp 1
    auto-summary
    router ospf 1
    log-adjacency-changes
    network 10.208.0.0 0.0.31.255 area 0
    network 10.208.200.0 0.0.0.255 area 0
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.208.1.1
    ip route 217.155.113.179 255.255.255.255 192.168.248.1
    ip flow-export version 5
    ip flow-export destination 192.168.249.198 9996
    no ip http server
    no ip http secure-server
    access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
    Router B
    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname BSU-RTR
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$VABE$6r6dayC90o52Gb8iZZgNP/
    no aaa new-model
    memory-size iomem 25
    ip cef
    no ip domain lookup
    ip multicast-routing
    multilink bundle-name authenticated
    archive
    log config
      hidekeys
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key XXXX address 37.205.62.5
    crypto ipsec transform-set STRONG esp-aes
    crypto map S2S_VPN 10 ipsec-isakmp
    set peer 37.205.62.5
    set transform-set STRONG
    match address 101
    controller E1 1/0
    interface Tunnel0
    bandwidth 20000
    ip address 10.208.200.2 255.255.255.0
    ip mtu 1400
    ip pim dense-mode
    tunnel source FastEthernet0/1
    tunnel destination 37.205.62.5
    interface FastEthernet0/0
    ip address 10.208.102.1 255.255.255.0
    ip helper-address 10.208.2.31
    ip pim dense-mode
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 217.155.113.179 255.255.255.248
    ip nbar protocol-discovery
    load-interval 60
    duplex auto
    speed auto
    router ospf 1
    log-adjacency-changes
    network 10.208.102.0 0.0.0.255 area 0
    network 10.208.200.0 0.0.0.255 area 0
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.208.200.1
    ip route 37.205.62.5 255.255.255.255 217.155.113.182
    no ip http server
    no ip http secure-server
    ip pim bidir-enable
    ip mroute 10.208.0.0 255.255.224.0 Tunnel0
    access-list 101 permit gre host 217.155.113.179 host 37.205.62.5

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT exemption on both sides for IPSEC subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
    - Toggled between static to dynamic crypto maps on ASA1
    Most search results turned up results referring to incorrect settings of the crypto map or the lack of NAT exemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains a somewhat entire log snippet of ASA1

    Hi,
    on 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • DirectAccess 2012 behind two NATs

    Hi Guys
    I am trying to setup a DirectAccess 2012 server with single NIC on a VM as below
    basically, if I get a public IP NAT'd with port 443 via the main firewall to a private IP (10.20.1.1 /16), and then if I get this private IP again NAT'd via another firewall with port 443 to the DirectAccess server IP (192.168.2.2/18), will this setup work, as I will have to do this due to the current network topology at our business?
    thank you in advance.

    Hi,
    It is supported. In Windows Server 2012, a DirectAccess server can be deployed behind a NAT device, with support for a single network interface, and the public IPv4 address prerequisite is removed.
    For detailed information, please refer to the link below,
    Windows Server 2012 Direct Access – Part 1 What’s New
    http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • PIX L2L VPN behind NAT device

    I need to know if it is possible to establish an L-2-L VPN if the termination device (PIX 7.x) is behind a router with NAT... All the traffic to the public IP is forwarded by the router to the PIX.
    the schema is like this:
    LAN -> FW -> Internet -> Router (NAT) -> FW (PIX) -> LAN
    (see the attached file)
    regards
    mariano

    Chris
    We are talking PIX/ASA here, aren't we? And we are talking about NATting your source IP addresses, right?
    If so, yes absolutely you can do this as i have done it many times in production environments.
    No you won't need statics. You do generally need a static to go from lower to higher but remember that is for the destination IP.
    You're not concerned with the destination IP addresses, you are only concerned with NATting the source IP addresses.
    Edit - just make sure on your NAT statement that it ends with "outside" as in the above example. This is how the PIX knows to NAT in that direction, in effect.
    Jon

  • VPN between 2 cisco 1841 behind NAT Device

    Hello,
    I have to configure 2 1841 routers for an IPsec VPN. My problem is that on the path between the routers there is a NAT device.
    On the hub router I can see the NAT IP address, but the router expects the source IP from the spoke.
    Can anybody tell me what the problem is?
    Thanks in advance
    Lorenz

    Can you create a static NAT on your NAT device for your spoke VPN router and then use the NATed address in the peer IPSEC/ISAKMP statements on your hub router?
    Rgds
    Paddy

  • IPSec VPN with VTI behind DSL router

    Hi All,
    Is it possible to use a vti tunnel interface on a router when the outside interface has a private IP address connected to a DSL modem with a static public IP address, in other words the router sits behind the DSL modem?
    Router gi0/1        -->        DSL Modem     -->     Internet  --> to HQ (Firewall with static IP)
    Outside 192.168.1.2            WAN static public IP
                                                           LAN 192.168.1.1
    Interface config:
    interface GigabitEthernet0/1
     ip vrf forwarding Internet-VRF
     ip address 192.168.1.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    end
    Tunnel config:
    crypto isakmp policy 282
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
     hash sha
    crypto isakmp key 0 PSK address xxx.xxx.xxx.xxx
    crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec profile VPN
     set transform-set aes256-sha
     set pfs group2
    interface Tunnel1
     ip vrf forwarding Internet-VRF
     ip address 172.27.82.254 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     tunnel source Gi0/1
     tunnel mode ipsec ipv4
     tunnel destination xxx.xxx.xxx.xxx
     tunnel protection ipsec profile VPN
    I have been digging into Cisco documentation but have found no answer.
    Thanks in advance.

    Both the remote and hub routers will detect the existence of a NAT device in between, which causes both routers to switch over from UDP port 500 to UDP port 4500 to exchange IKE messages. I suspect there is no switch-over taking place from your log (both using UDP 500), so I suggest you validate whether both routers support the NAT-T feature by checking if they are listening on UDP port 4500.
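    The check the reply describes can be automated against a `debug crypto isakmp` capture: the script below is an added example (not from the thread) that reads the send/receive lines for each peer, reports whether the exchange ever moved to UDP/4500 (NAT-T) and whether a phase 2 proposal was rejected, as in the debug output quoted earlier on this page. The sample lines, peer 198.51.100.7 and the verdict wording are constructed for the example.

```python
"""Check a Cisco 'debug crypto isakmp' capture for NAT-T port switching.

Added example, not from the original thread. The sample lines below are
constructed in the style of the debug output quoted earlier on this page.
"""
import re
from collections import defaultdict

# Constructed sample: one peer that switched to UDP/4500 and then had its
# phase 2 proposal rejected, and one (constructed) peer that stayed on UDP/500.
SAMPLE_LOG = """\
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP:(1034): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
1d23h: ISAKMP:(1034): IPSec policy invalidated proposal with error 32
1d23h: ISAKMP:(1034): phase 2 SA policy not acceptable! (local 217.155.113.179 remote 37.205.62.5)
1d23h: ISAKMP:(1040): sending packet to 198.51.100.7 my_port 500 peer_port 500 (I) MM_SA_SETUP
1d23h: ISAKMP (0:1040): received packet from 198.51.100.7 dport 500 sport 500 Global (I) MM_SA_SETUP
"""

SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
REMOTE_RE = re.compile(r"remote (\S+)\)")
P2_REJECT_RE = re.compile(
    r"PROPOSAL_NOT_CHOSEN|phase 2 SA policy not acceptable|invalidated proposal")


def analyze_isakmp_log(text):
    """Return {peer: {"ports": set, "nat_t": bool, "phase2_rejected": bool}}."""
    peers = defaultdict(lambda: {"ports": set(), "nat_t": False, "phase2_rejected": False})
    last_peer = None  # reject lines without an explicit peer belong to the last peer seen
    for line in text.splitlines():
        m = SEND_RE.search(line) or RECV_RE.search(line)
        if m:
            peer = m.group(1)
            peers[peer]["ports"].update({int(m.group(2)), int(m.group(3))})
            last_peer = peer
            continue
        if P2_REJECT_RE.search(line):
            m = REMOTE_RE.search(line)
            target = m.group(1) if m else last_peer
            if target:
                peers[target]["phase2_rejected"] = True
    for info in peers.values():
        # IOS moves IKE to UDP/4500 only after NAT discovery succeeds on both sides
        info["nat_t"] = 4500 in info["ports"]
    return dict(peers)


def diagnose(peers):
    """One verdict line per peer, in the spirit of the reply above."""
    out = []
    for peer, info in sorted(peers.items()):
        if not info["nat_t"]:
            out.append(f"{peer}: no UDP/4500 seen, NAT-T was not negotiated; "
                       "check NAT-T support and UDP/4500 forwarding on the NAT device")
        elif info["phase2_rejected"]:
            out.append(f"{peer}: NAT-T in use but phase 2 rejected; "
                       "compare transform sets and crypto ACLs / proxy IDs on both ends")
        else:
            out.append(f"{peer}: NAT-T in use, no phase 2 rejection seen")
    return out


if __name__ == "__main__":
    for verdict in diagnose(analyze_isakmp_log(SAMPLE_LOG)):
        print(verdict)
```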

  • How to nat subnets before establishing site to site ipsec vpn tunnel?

    Hello,
    Coming across a requirement which is new to me, as I have not done this setup. Details as follows. Hope someone can help.
    Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.
    Existing device: Cisco 5510 where I need to do this NAT.
    Existing scenario in short: I have created vlans on asa by creating sub interfaces.
    Changes done: added a new sub-interface for 192.168.50.0. Added a new object as 192.168.50.0. Now done with creation of an ACL where traffic from 192.168.50.0 to remote subnets is allowed. In the NAT object section, done NATing 1-to-1, i.e. existing subnet to 192.168.50.0.
    Done IPsec VPN setup incl. phase 1 & 2.
    Now tried to ping remote hosts but they are not reachable.
    Please advise how to make it work.
    I don't have any router next to the ASA 5510. The ASA is in routed mode. Next hop to the ASA is the ISP's mux.

    Hello. Please find my answers inline.
    I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
    Answer: That's correct.
    Later on it seems that you have configured this to some interface on the ASA?
    Answer: Yes, as I have defined VLANs on the ASA itself, i.e. other subnets too, i.e. the 10.x series & 192.168.222.x series. I used Ethernet 0/0 as the main interface for all LAN networks and have created sub-interfaces, i.e. VLANs, on it. Using a 3COM switch down from the ASA to terminate those VLANs & distribute to unmanaged switches. Due to port limitations on the ASA I have configured VLANs on the ASA itself. Ethernet 0/2 is my WAN interface, i.e. the ISP link terminates on the Eth 0/2 port.
    So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?
    Answer: Yes, that's right. Attempting to NAT multiple networks to a single NAT before the traffic heads to the L2L VPN connecting from my ASA 5510 to the remote Citrix firewall.
    Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?
    Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from the 192.168.228.x, 192.168.229.x series. The remote admin wants us to NAT our multiple subnets to a single subnet, i.e. 192.168.50.0, and then traffic from this subnet is allowed at the remote end.
    Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your site's hosts/servers?
    Answer: Yes, just want to NAT LAN subnets to 192.168.50.0/24 for all LAN users. 1-way access. I am going to access remote servers.
    The new thing for me is how to NAT multiple subnets. I have existing IPsec VPNs where I have added multiple subnets, which is the traditional setup for me. This requirement is new to me.

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents about a DMVPN hub behind NAT or a DMVPN spoke behind NAT.
    But my case involves both situations.
    1) HUB has a load balancer (2 WAN links) ISP A & B
    2) Spoke has a load balancer (2 WAN links) ISP A & B
    Now the requirement is: Spoke ISP A tunnel to HUB ISP A, Spoke ISP B tunnel to HUB ISP B.
    So a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
    As I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the spoke ISP A link, and the HUB ISP B IP via the spoke ISP B link.
    HUB and spoke have to create 2 tunnels with two different network IDs but using the same source interface.
    The tunnel destination IP at the spoke router does not directly belong to the HUB router. It's held by the HUB LB and forwarded to the HUB router by static NAT.
    Will I face any problems with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.16.1.1 199.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 300
    ip nhrp nhs 172.16.1.1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 199.1.1.1
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.17.1.1 200.1.1.1
    ip nhrp network-id 2
    ip nhrp holdtime 300
    ip nhrp nhs 172.17.1.1
    delay 1500
    tunnel source FastEthernet0/0
    tunnel destination 200.1.1.1
    tunnel key 1
    tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. In the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks
    "Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
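    The TAC explanation above can be seen in miniature: the script below is an added example, not TAC's or Cisco's code, modelling only the integrity check (AH covers the IP header with mutable fields zeroed plus the payload, ESP covers only its own encapsulated payload) and then applying the NAT rewrite the thread describes (2.2.2.2 translated to 3.3.3.3). The key, the hub address 192.0.2.1 and the payload are constructed; real AH/ESP header layouts and ICV truncation (RFC 4302/4303) are omitted.

```python
"""Why AH fails across NAT while ESP survives: a simplified integrity model.

Added example, not from the thread or from Cisco. Only the ICV coverage rule
is modelled; the key, addresses and payload are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

KEY = b"constructed-sample-integrity-key"  # constructed, not a real SA key


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int          # mutable field: AH zeroes it before hashing
    tos: int          # mutable field: AH zeroes it before hashing
    payload: bytes    # upper-layer header + data (ports live in here)
    icv: bytes = b""  # integrity check value carried in the AH/ESP header


def _immutable_header(pkt):
    """Header bytes AH protects: addresses kept, mutable fields zero-filled."""
    return (ipaddress.ip_address(pkt.src).packed
            + ipaddress.ip_address(pkt.dst).packed
            + bytes([0, 0]))  # TTL and ToS as zero, per the AH mutable-field rule


def ah_icv(pkt):
    """AH: ICV spans the (immutable) IP header and the whole payload."""
    return hmac.new(KEY, _immutable_header(pkt) + pkt.payload, hashlib.sha256).digest()


def esp_icv(pkt):
    """ESP: ICV spans the ESP-encapsulated payload only, never the outer IP header."""
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()


def protect(pkt, mode):
    calc = ah_icv if mode == "ah" else esp_icv
    return replace(pkt, icv=calc(pkt))


def verify(pkt, mode):
    """What the hub does on receipt: recompute and compare in constant time."""
    calc = ah_icv if mode == "ah" else esp_icv
    return hmac.compare_digest(pkt.icv, calc(pkt))


def nat_rewrite(pkt, new_src):
    """A NAT device on the path: rewrite the source address and decrement TTL, ICV untouched."""
    return replace(pkt, src=new_src, ttl=pkt.ttl - 1)


def _spoke_packet():
    # Spoke 2.2.2.2 (from the thread) towards a constructed hub address 192.0.2.1
    return Packet("2.2.2.2", "192.0.2.1", ttl=64, tos=0, payload=b"constructed tunnel data")


def transit_survives_nat(mode):
    """Spoke -> NAT (translated to 3.3.3.3, as in the thread) -> hub. True if the hub accepts it."""
    arrived = nat_rewrite(protect(_spoke_packet(), mode), "3.3.3.3")
    return verify(arrived, mode)


def plain_hop_survives(mode):
    """Control case: a normal router hop only decrements TTL, which AH excludes from its check."""
    sent = protect(_spoke_packet(), mode)
    return verify(replace(sent, ttl=sent.ttl - 1), mode)


if __name__ == "__main__":
    for mode in ("ah", "esp"):
        print(f"{mode.upper()}: plain hop ok={plain_hop_survives(mode)}, "
              f"through NAT ok={transit_survives_nat(mode)}")
```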

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    OK, so we're going with the older NAT configuration format.
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • Static NAT and IPSec VPN

    This may be stupid, but could somebody help with this?
    Site A --- Internet --- Site B
    An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
    But now there is a problem: there are several public servers which have static NAT entries via the "static" command. And it looks like these entries will still be valid even if the "nat 0" is present. And thus those inside IPs which have a static NAT will be translated once they reach the PIX and cannot go via the VPN tunnel.
    May someone advise me how to overcome this? Thanks.

    Your question really pertains to the NAT order of operations. Nat 0 (NAT exemption) is first in the order. It precedes all others, including static NAT. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 ACL.

  • 9.0 can a dynamic nat be used over ipsec vpn?

    9.0 can a dynamic NAT be used over IPsec VPN?
    We have a VPN up and working between two ASAs, and when we run the traffic through a static NAT rule the traffic passes over the VPN. When we use a dynamic NAT the traffic does not get picked up by the VPN ACL.
    We are disabling the NAT rules to switch back and forth, so even when we use the same source/destination the result is the same.
    Am I missing something with 9.0 code versions? If I disable all NATs and pass the traffic it goes over the VPN.
    So it seems when using the dynamic NAT statement it pushes the traffic to the outside interface without looking at the VPN ACL. Please let me know if I am off base; I am a newb on post-8.3 code.
    Thanks

    I didn't do that at first because I remember reading something about in ver 9 only using the unnatted IP because of order of ops. That seemed weird to me at the time.
    Yes, it seems that you need the NAT IP like always. Should have just gone with my gut on that.
    Thanks

  • Allowing access to a OS X 10.4 IPSEC VPN Server behind an Airport Extreme?

    We have an OS X 10.4 server running the IPSEC VPN service and want to be able to connect to it from the Internet. We use an Aiport Extreme N for internet access. What do I need to enable in port mapping to allow us to connect?
