From: Richard Foltz (ccie2b@xxxxxxxxxx)
Date: Thu Oct 25 2001 - 12:35:51 GMT-3
I believe the NATing device needs to support IPSec pass-through.
----- Original Message -----
From: "Brian Lodwick" <xpranax@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, October 25, 2001 10:22 AM
Subject: RE: IPSec/NAT
> I didn't think it worked to run an IPSec tunnel to a NATed address? I just
> tried a similar scenario in my lab and couldn't get it to work. I read up
> and concluded there was an issue with IPSec's Data Origin Authentication.
> The documentation I have says this service (Data Origin Authentication) is
> dependent upon the data integrity service you use, and allows the IPSec
> receiver to authenticate the source of the IPSec packets sent, which to me
> sounds like an issue if you are NATing?
>
> I was using esp-des and ah-sha-hmac.
>
> Does anyone know if it is possible to run an IPSec tunnel to a NATed peer?
>
> >>>Brian
>
>
> >From: "Henry" <henryd31@home.com>
> >Reply-To: "Henry" <henryd31@home.com>
> >To: "'Henry'" <henryd31@home.com>, "'Macky Lee'"
> ><Macky.Lee@telecom.co.nz>, <ccielab@groupstudy.com>
> >Subject: RE: IPSec/NAT
> >Date: Thu, 25 Oct 2001 00:10:52 -0400
> >
> >Disregard...going a bit nuts...
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >Henry
> >Sent: Thursday, October 25, 2001 12:01 AM
> >To: 'Macky Lee'; ccielab@groupstudy.com
> >Subject: RE: IPSec/NAT
> >
> >How about:
> >
> >On R1
> >access-list 101 permit icmp 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
> >
> >On R2
> >access-list 101 permit icmp 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255
> >
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >Macky Lee
> >Sent: Wednesday, October 24, 2001 11:24 PM
> >To: ccielab@groupstudy.com
> >Subject: IPSec/NAT
> >
> >Hi all,
> >
> >Could someone please tell me what I have done wrong in the following
> >lab setup?
> >
> >R1---R2---R3---R4
> >
> >R2 has NAT applied (100.1.1.1--->200.100.100.1)
> >R1 is trying to setup an IPSec tunnel with R4
> >
> >Ping was fine before the IPsec configuration was put in.
> >
> >Here are the configurations.
> >
> >R1
> >crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > lifetime 10000
> >! 200.200.200.4 is R4 Serial0
> >crypto isakmp key Ciscotest address 200.200.200.4
> >!
> >crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
> >!
> >crypto map test 10 ipsec-isakmp
> > ! R4 Serial0
> > set peer 200.200.200.4
> > set transform-set Ciscotran
> > match address 101
> >!
> >interface Serial0
> > ip address 100.1.1.1 255.255.255.0
> > encapsulation ppp
> > no fair-queue
> > clockrate 64000
> > crypto map test
> >
> >access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
> >
> >R4
> >crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > lifetime 10000
> >! 200.100.100.1 is R1 Serial0 as seen after NAT on R2
> >crypto isakmp key Ciscotest address 200.100.100.1
> >!
> >!
> >crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
> >!
> >crypto map test 10 ipsec-isakmp
> > ! R1 Serial0 after NAT
> > set peer 200.100.100.1
> > set transform-set Ciscotran
> > match address 101
> >!
> >interface Serial0
> > ip address 200.200.200.4 255.255.255.0
> > encapsulation ppp
> > no fair-queue
> > crypto map test
> >!
> >access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255
> >
> >Regards,
> >
> >Macky
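Editor's added example, not code from anyone in the thread: a small Python model of the two points the replies circle around. First, why Brian's ah-sha-hmac cannot survive R2's NAT while Macky's esp-md5-hmac can: the AH integrity check covers the outer IP header (with only the mutable fields zeroed, so the source address is included), whereas ESP's covers only the ESP header and payload. Second, why Macky's crypto ACLs no longer mirror once R2 rewrites 100.1.1.1 to 200.100.100.1: the Quick Mode proxy identities are taken from each peer's crypto ACL and travel inside IKE, which the NAT does not touch. The addresses are the ones from the lab; the HMAC key, the 20-byte header layout and the mirror check are simplified assumptions, not IOS internals.

```python
"""Added illustration (not code from the thread): why a NAT in the path breaks
AH but not ESP, and why R1's and R4's crypto ACLs no longer mirror once R2
rewrites R1's address. Addresses come from Macky's lab; the HMAC key, header
layout and the proxy-ID check are simplified models, not IOS internals."""
import hashlib
import hmac
import ipaddress
import struct

AH, ESP = 51, 50                 # IP protocol numbers
KEY = b"Ciscotest"               # illustrative integrity key (assumed)


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left as 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_icv(ip_hdr: bytes, body: bytes) -> bytes:
    """AH ICV (RFC 2402): HMAC over the IP header with mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum) plus the AH payload. Source
    and destination addresses are immutable fields, so they ARE covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                       # TOS
    h[6:8] = b"\x00\x00"           # flags + fragment offset
    h[8] = 0                       # TTL
    h[10:12] = b"\x00\x00"         # header checksum
    return hmac.new(KEY, bytes(h) + body, hashlib.sha1).digest()[:12]


def esp_icv(esp_body: bytes) -> bytes:
    """ESP ICV (RFC 2406): HMAC over SPI, sequence number and the encrypted
    payload only. The outer IP header is never part of the input."""
    return hmac.new(KEY, esp_body, hashlib.md5).digest()[:12]


def nat_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What R2 does to the outer header: rewrite the source address."""
    return ip_hdr[:12] + ipaddress.IPv4Address(new_src).packed + ip_hdr[16:]


def r4_verify(proto: int, outer_hdr: bytes, body: bytes, icv: bytes) -> bool:
    """Receiver side: recompute the ICV from the packet as actually received."""
    expected = ah_icv(outer_hdr, body) if proto == AH else esp_icv(body)
    return hmac.compare_digest(icv, expected)


def survives_nat(proto: int) -> bool:
    """R1 (100.1.1.1) sends to R4 (200.200.200.4); R2 NATs the source to
    200.100.100.1 on the way. Returns whether R4 still accepts the packet."""
    hdr = ipv4_header("100.1.1.1", "200.200.200.4", proto)
    body = struct.pack("!II", 0x1000, 1) + b"<protected payload>"  # SPI, seq, data
    icv = ah_icv(hdr, body) if proto == AH else esp_icv(body)
    natted = nat_source(hdr, "200.100.100.1")
    return r4_verify(proto, natted, body, icv)


def proxy_ids_match(initiator_acl, responder_acl) -> bool:
    """Quick Mode proxy identities are the (local, remote) networks from each
    peer's crypto ACL, carried inside IKE where R2's NAT does not rewrite
    them. The responder accepts only an exact mirror of its own ACL."""
    i_local, i_remote = (ipaddress.ip_network(n) for n in initiator_acl)
    r_local, r_remote = (ipaddress.ip_network(n) for n in responder_acl)
    return i_local == r_remote and i_remote == r_local


# Constructed from the access-lists in Macky's R1 and R4 configs.
R1_ACL = ("100.1.1.0/24", "200.200.200.0/24")
R4_ACL = ("200.200.200.0/24", "200.100.100.0/24")

if __name__ == "__main__":
    print("AH  accepted by R4 after NAT:", survives_nat(AH))
    print("ESP accepted by R4 after NAT:", survives_nat(ESP))
    print("R1/R4 crypto ACLs mirror:    ", proxy_ids_match(R1_ACL, R4_ACL))
```

Two caveats the model makes visible. ESP surviving the address rewrite only holds for a one-to-one NAT like the one R2 does here: ESP carries no port numbers, so a port-overloading NAT has nothing to demultiplex on, which is the gap that "IPSec pass-through" features on NAT devices work around and that UDP encapsulation (NAT-T) later standardized. And the NAT only touches the outer header, so R4's peer address is correctly the post-NAT 200.100.100.1 while its crypto ACL has to name the pre-NAT inner network 100.1.1.0/24 to mirror what R1 proposes; with 200.100.100.0/24 in the ACL the mirror check fails before any data is ever protected.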
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:25 GMT-3