RE: IPSec/NAT

From: John Kim (albugkim@xxxxxxxxxxx)
Date: Thu Oct 25 2001 - 14:12:07 GMT-3


If a transform mode is not defined on the transform statement, tunnel mode
will be used by default. Try with transport mode on the transform statement.

Thanks,
John Kim

>From: "Brian Lodwick" <xpranax@hotmail.com>
>Reply-To: "Brian Lodwick" <xpranax@hotmail.com>
>To: ccielab@groupstudy.com
>Subject: RE: IPSec/NAT
>Date: Thu, 25 Oct 2001 15:22:13 +0000
>
>I didn't think it worked to run an IPSec tunnel to a NATed address? I just
>tried a similar scenario in my lab and couldn't get it to work. I read up
>and concluded there was an issue with IPSec's Data Origin Authentication.
>The documentation I have says this service (Data Origin Authentication) is
>dependent upon the data integrity service you use, and allows the IPSec
>receiver to authenticate the source of the IPSec packets sent. Which to me
>sounds like an issue if you are NATing?
>
>I was using esp-des and ah-sha-hmac.
>
>Does anyone know if it is possible to run an IPSec tunnel to a NATed peer?
>
>>>>Brian
>
>
>>From: "Henry" <henryd31@home.com>
>>Reply-To: "Henry" <henryd31@home.com>
>>To: "'Henry'" <henryd31@home.com>, "'Macky Lee'"
>><Macky.Lee@telecom.co.nz>, <ccielab@groupstudy.com>
>>Subject: RE: IPSec/NAT
>>Date: Thu, 25 Oct 2001 00:10:52 -0400
>>
>>Disregard...going a bit nuts...
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>Henry
>>Sent: Thursday, October 25, 2001 12:01 AM
>>To: 'Macky Lee'; ccielab@groupstudy.com
>>Subject: RE: IPSec/NAT
>>
>>How about:
>>
>>On R1
>>access-list 101 permit icmp 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
>>
>>On R2
>>access-list 101 permit icmp 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255
>>
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>Macky Lee
>>Sent: Wednesday, October 24, 2001 11:24 PM
>>To: ccielab@groupstudy.com
>>Subject: IPSec/NAT
>>
>>Hi all,
>>
>>Could someone please tell me what I have done wrong in the following
>>lab setup?
>>
>>R1---R2---R3---R4
>>
>>R2 has NAT applied (100.1.1.1 ---> 200.100.100.1)
>>R1 is trying to setup an IPSec tunnel with R4
>>
>>Ping was fine before the IPsec configuration was put in.
>>
>>Here are the configurations.
>>
>>R1
>>crypto isakmp policy 10
>> hash md5
>> authentication pre-share
>> lifetime 10000
>>! 200.200.200.4 is R4 serial0
>>crypto isakmp key Ciscotest address 200.200.200.4
>>!
>>crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
>>!
>>crypto map test 10 ipsec-isakmp
>> ! 200.200.200.4 is R4 serial0
>> set peer 200.200.200.4
>> set transform-set Ciscotran
>> match address 101
>>!
>>interface Serial0
>> ip address 100.1.1.1 255.255.255.0
>> encapsulation ppp
>> no fair-queue
>> clockrate 64000
>> crypto map test
>>
>>access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
>>
>>R4
>>crypto isakmp policy 10
>> hash md5
>> authentication pre-share
>> lifetime 10000
>>! 200.100.100.1 is R1 serial0 after NAT
>>crypto isakmp key Ciscotest address 200.100.100.1
>>!
>>!
>>crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
>>!
>>crypto map test 10 ipsec-isakmp
>> ! 200.100.100.1 is R1 serial0 after NAT
>> set peer 200.100.100.1
>> set transform-set Ciscotran
>> match address 101
>>!
>>interface Serial0
>> ip address 200.200.200.4 255.255.255.0
>> encapsulation ppp
>> no fair-queue
>> crypto map test
>>!
>>access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255
>>
>>Regards,
>>
>>Macky
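To make Brian's point about the integrity check concrete, here is an added example (not code from any of the posters): a simplified model of which bytes the AH and ESP integrity checks cover, with R2's NAT rewrite of R1's source address simulated in between. The key, payload and the 96-bit truncated HMAC-SHA1 / HMAC-MD5 ICVs (mirroring the ah-sha-hmac and esp-md5-hmac transforms in the thread) are constructed assumptions for the illustration.

```python
import hmac, hashlib, struct, socket

# Constructed sample values for this illustration (not from the thread).
KEY = b"constructed-demo-key"
PAYLOAD = b"ICMP echo request (constructed payload)"

def ip_checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, ttl=64, total_len=20):
    """Build a 20-byte IPv4 header (DF set, checksum filled in)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_icv(ip_hdr, payload, key=KEY):
    """AH integrity: the ICV covers the outer IP header with only the mutable
    fields (TOS, flags/fragment offset, TTL, checksum) zeroed. The addresses
    are included, so any NAT rewrite invalidates the ICV at the receiver."""
    immutable = (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
                 + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])
    return hmac.new(key, immutable + payload, hashlib.sha1).digest()[:12]

def esp_icv(esp_body, key=KEY):
    """ESP integrity: the ICV covers only the ESP header and payload, never
    the outer IP header, so a rewritten outer address does not break it."""
    return hmac.new(key, esp_body, hashlib.md5).digest()[:12]

def nat_rewrite(ip_hdr, new_src):
    """Simulate R2 translating the source address and fixing the checksum."""
    hdr = ip_hdr[:10] + b"\x00\x00" + socket.inet_aton(new_src) + ip_hdr[16:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def survives_nat(use_ah):
    """True if the receiver's ICV check still passes after the NAT rewrite."""
    sent = ipv4_header("100.1.1.1", "200.200.200.4", 51 if use_ah else 50)
    icv = ah_icv(sent, PAYLOAD) if use_ah else esp_icv(PAYLOAD)
    received = nat_rewrite(sent, "200.100.100.1")
    check = ah_icv(received, PAYLOAD) if use_ah else esp_icv(PAYLOAD)
    return hmac.compare_digest(icv, check)

if __name__ == "__main__":
    print("AH ICV valid after NAT: ", survives_nat(use_ah=True))   # False
    print("ESP ICV valid after NAT:", survives_nat(use_ah=False))  # True
```

On a real router the AH failure shows up as the receiver silently dropping the packets (the SA counters increment but nothing decrypts), which is why a NATed path with an AH transform looks like a "no connectivity" problem rather than a configuration error.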



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:25 GMT-3