Re: IPSec/NAT

From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Thu Oct 25 2001 - 13:06:05 GMT-3


   
no I was just trying to go from one router to another and in between them
NAT was taking place.

>>>Brian

>From: "Sam Munzani" <sam@munzani.com>
>Reply-To: "Sam Munzani" <sam@munzani.com>
>To: "Brian Lodwick" <xpranax@hotmail.com>
>Subject: Re: IPSec/NAT
>Date: Thu, 25 Oct 2001 11:01:53 -0500
>
>Are you trying to achieve IPSEC between 2 NATed ip addresses on 2 different
>sites? I have done it with routers before without any problems. I haven't
>tried PIX though.
>
>Thanks,
>Sam
>
>
>
> > I didn't think it worked to run an IPSec tunnel to a NATed address? I just
> > tried a similar scenario in my lab and couldn't get it to work. I read up
> > and concluded there was an issue with IPSec's Data Origin Authentication.
> > The documentation I have says this service (Data Origin Authentication) is
> > dependent upon the data integrity service you use, and allows the IPSec
> > receiver to authenticate the source of the IPSec packets sent. Which to me
> > sounds like an issue if you are NATing?
> >
> > I was using esp-des and ah-sha-hmac.
> >
> > Does anyone know if it is possible to run an IPSec tunnel to a NATed
>peer?
> >
> > >>>Brian
> >
> >
> > >From: "Henry" <henryd31@home.com>
> > >Reply-To: "Henry" <henryd31@home.com>
> > >To: "'Henry'" <henryd31@home.com>, "'Macky Lee'"
> > ><Macky.Lee@telecom.co.nz>, <ccielab@groupstudy.com>
> > >Subject: RE: IPSec/NAT
> > >Date: Thu, 25 Oct 2001 00:10:52 -0400
> > >
> > >Disregard...going a bit nuts...
> > >
> > >-----Original Message-----
> > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > >Henry
> > >Sent: Thursday, October 25, 2001 12:01 AM
> > >To: 'Macky Lee'; ccielab@groupstudy.com
> > >Subject: RE: IPSec/NAT
> > >
> > >How about:
> > >
> > >On R1
> > >access-list 101 permit icmp 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
> > >
> > >On R2
> > >access-list 101 permit icmp 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255
> > >
> > >
> > >-----Original Message-----
> > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > >Macky Lee
> > >Sent: Wednesday, October 24, 2001 11:24 PM
> > >To: ccielab@groupstudy.com
> > >Subject: IPSec/NAT
> > >
> > >Hi all,
> > >
> > >Could someone please tell me what I have done wrong in the following
> > >lab setup?
> > >
> > >R1---R2---R3---R4
> > >
> > >R2 has NAT applied (100.1.1.1--->200.100.100.1)
> > >R1 is trying to set up an IPSec tunnel with R4
> > >
> > >Ping was fine before the IPsec configuration was put in.
> > >
> > >Here are the configurations.
> > >
> > >R1
> > >crypto isakmp policy 10
> > > hash md5
> > > authentication pre-share
> > > lifetime 10000
> > >crypto isakmp key Ciscotest address 200.200.200.4 /----(R4 serial0)
> > >!
> > >crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
> > >!
> > >crypto map test 10 ipsec-isakmp
> > > set peer 200.200.200.4 -----(R4 serial0)
> > > set transform-set Ciscotran
> > > match address 101
> > >!
> > >interface Serial0
> > > ip address 100.1.1.1 255.255.255.0
> > > encapsulation ppp
> > > no fair-queue
> > > clockrate 64000
> > > crypto map test
> > >
> > >access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
> > >
> > >R4
> > >crypto isakmp policy 10
> > > hash md5
> > > authentication pre-share
> > > lifetime 10000
> > >crypto isakmp key Ciscotest address 200.100.100.1 ----- (R1 serial0 after NAT)
> > >!
> > >!
> > >crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
> > >!
> > >crypto map test 10 ipsec-isakmp
> > > set peer 200.100.100.1----- (R1 serial0 after NAT)
> > > set transform-set Ciscotran
> > > match address 101
> > >!
> > >interface Serial0
> > > ip address 200.200.200.4 255.255.255.0
> > > encapsulation ppp
> > > no fair-queue
> > > crypto map test
> > >!
> > >access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255
> > >
> > >Regards,
> > >
> > >Macky
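An added illustration, not part of this thread, of the distinction behind Brian's data-origin question: it builds a constructed outer IPv4 header like R1's (100.1.1.1 to 200.200.200.4), applies R2's source NAT (to 200.100.100.1), and checks whether an ah-sha-hmac ICV and an esp-md5-hmac ICV computed before NAT still verify afterwards. The key, SPI, sequence number and payload bytes are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

def ip_checksum(data: bytes) -> int:
    """One's-complement IPv4 header checksum; 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """20-byte IPv4 header with a valid checksum (constructed sample fields)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def nat_rewrite_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What R2 does to the outer header: new source address, fresh checksum."""
    hdr = ip_hdr[:10] + b"\x00\x00" + socket.inet_aton(new_src) + ip_hdr[16:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA1-96 (ah-sha-hmac, RFC 2402): the outer IP header is authenticated
    with only its mutable fields zeroed, so the source address is covered."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0                         # TOS, TTL
    h[6:8] = h[10:12] = b"\x00\x00"         # flags/fragment offset, checksum
    data = bytes(h) + ah_fixed + b"\x00" * 12 + payload   # ICV field as zeros
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def esp_icv(ip_hdr: bytes, esp_hdr_and_ct: bytes, key: bytes) -> bytes:
    """HMAC-MD5-96 (esp-md5-hmac, RFC 2406): covers SPI, sequence and ciphertext
    only. The outer header is accepted here purely to mirror ah_icv; it is unused."""
    return hmac.new(key, esp_hdr_and_ct, hashlib.md5).digest()[:12]

def icv_still_valid_after_nat(mode: str) -> bool:
    """Does the ICV computed by R1 still verify on the header R4 receives?"""
    key, payload = b"constructed-key", b"constructed inner packet"
    sent = ipv4_header("100.1.1.1", "200.200.200.4", 51 if mode == "ah" else 50, 60)
    received = nat_rewrite_source(sent, "200.100.100.1")       # R2's NAT
    if mode == "ah":
        ah_fixed = struct.pack("!BBHII", 50, 4, 0, 0x1000, 1)  # next=ESP, len, rsvd, SPI, seq
        return hmac.compare_digest(ah_icv(sent, ah_fixed, payload, key),
                                   ah_icv(received, ah_fixed, payload, key))
    esp = struct.pack("!II", 0x2000, 1) + payload              # SPI, seq, ciphertext
    return hmac.compare_digest(esp_icv(sent, esp, key), esp_icv(received, esp, key))
```

AH's ICV breaks as soon as R2 rewrites the source address, while ESP's integrity check never includes the outer header; whether the peers then agree on the IKE identity and peer address is a separate question from the ICV itself.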



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:25 GMT-3