Re: IPSec/NAT

From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Thu Oct 25 2001 - 14:56:39 GMT-3


> no I was just trying to go from one router to another and in between them
> NAT was taking place.

Something like below?

10.0.0.0/24-(e1)R1(e0)--- R2 ---(e0) R3(e1)-192.168.100.0/24

Protect traffic from 10.0.0.0 to 192.168.0.0 but R2 does NAT in between? You
will have to work on R2 to bypass NAT for traffic between R1's & R3's
interface IP addresses. When the encrypted packet reaches R2, its source
address would be R1's e0 and destination R3's e0. As long as no NAT is happening
for the traffic between these 2 addresses, your VPN will work fine. Allow ESP
& UDP/500 between these 2 hosts too.

Sam

> >>>Brian
>
>
> >From: "Sam Munzani" <sam@munzani.com>
> >Reply-To: "Sam Munzani" <sam@munzani.com>
> >To: "Brian Lodwick" <xpranax@hotmail.com>
> >Subject: Re: IPSec/NAT
> >Date: Thu, 25 Oct 2001 11:01:53 -0500
> >
> >Are you trying to achieve IPSEC between 2 NATed ip addresses on 2 different
> >sites? I have done it with routers before without any problems. I haven't
> >tried PIX though.
> >
> >Thanks,
> >Sam
> >
> >
> >
> > > I didn't think it worked to run an IPSec tunnel to a NATed address? I just
> > > tried a similar scenario in my lab and couldn't get it to work. I read up
> > > and concluded there was an issue with IPSec's Data Origin Authentication.
> > > The documentation I have says this service (Data Origin Authentication) is
> > > dependent upon the data integrity service you use, and allows the IPSec
> > > receiver to authenticate the source of the IPSec packets sent. Which to me
> > > sounds like an issue if you are NATing?
> > >
> > > I was using esp-des and ah-sha-hmac.
> > >
> > > Does anyone know if it is possible to run an IPSec tunnel to a NATed
> >peer?
> > >
> > > >>>Brian
> > >
> > >
> > > >From: "Henry" <henryd31@home.com>
> > > >Reply-To: "Henry" <henryd31@home.com>
> > > >To: "'Henry'" <henryd31@home.com>, "'Macky Lee'"
> > > ><Macky.Lee@telecom.co.nz>, <ccielab@groupstudy.com>
> > > >Subject: RE: IPSec/NAT
> > > >Date: Thu, 25 Oct 2001 00:10:52 -0400
> > > >
> > > >Disregard...going a bit nuts...
> > > >
> > > >-----Original Message-----
> > > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > >Henry
> > > >Sent: Thursday, October 25, 2001 12:01 AM
> > > >To: 'Macky Lee'; ccielab@groupstudy.com
> > > >Subject: RE: IPSec/NAT
> > > >
> > > >How about:
> > > >
> > > >On R1
> > > >access-list 101 permit icmp 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
> > > >
> > > >On R2
> > > >access-list 101 permit icmp 200.200.200.0 0.0.0.255 200.100.100.0
> > > >0.0.0.255
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > >Macky Lee
> > > >Sent: Wednesday, October 24, 2001 11:24 PM
> > > >To: ccielab@groupstudy.com
> > > >Subject: IPSec/NAT
> > > >
> > > >Hi all,
> > > >
> > > >Could someone please tell me what I have done wrong in the following
> > > >lab setup?
> > > >
> > > >R1---R2---R3---R4
> > > >
> > > >R2 has NAT applied (100.1.1.1--->200.100.100.1)
> > > >R1 is trying to setup an IPSec tunnel with R4
> > > >
> > > >Ping was fine before the IPsec configuration was put in.
> > > >
> > > >Here are the configurations.
> > > >
> > > >R1
> > > >crypto isakmp policy 10
> > > > hash md5
> > > > authentication pre-share
> > > > lifetime 10000
> > > >crypto isakmp key Ciscotest address 200.200.200.4 /----(R4 serial0)
> > > >!
> > > >crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
> > > >!
> > > >crypto map test 10 ipsec-isakmp
> > > > set peer 200.200.200.4 -----(R4 serial0)
> > > > set transform-set Ciscotran
> > > > match address 101
> > > >!
> > > >interface Serial0
> > > > ip address 100.1.1.1 255.255.255.0
> > > > encapsulation ppp
> > > > no fair-queue
> > > > clockrate 64000
> > > > crypto map test
> > > >
> > > >access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255
> > > >
> > > >R4
> > > >crypto isakmp policy 10
> > > > hash md5
> > > > authentication pre-share
> > > > lifetime 10000
> > > >crypto isakmp key Ciscotest address 200.100.100.1----- (R1 serial0 after
> > > >NAT)
> > > >!
> > > >!
> > > >crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
> > > >!
> > > >crypto map test 10 ipsec-isakmp
> > > > set peer 200.100.100.1----- (R1 serial0 after NAT)
> > > > set transform-set Ciscotran
> > > > match address 101
> > > >!
> > > >interface Serial0
> > > > ip address 200.200.200.4 255.255.255.0
> > > > encapsulation ppp
> > > > no fair-queue
> > > > crypto map test
> > > >!
> > > >access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0
> > > >0.0.0.255
> > > >
> > > >Regards,
> > > >
> > > >Macky
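Editor's note, not part of the thread: the two transform sets mentioned above (Brian's esp-des ah-sha-hmac and Macky's esp-des esp-md5-hmac) behave differently behind R2's NAT, and the reason is what each integrity check covers. The script below is an added model, not code from any poster: it builds a minimal IPv4+AH packet and a minimal IPv4+ESP packet, computes the ICV the way RFC 2402 (AH: IP header with mutable fields zeroed, so the addresses are covered) and RFC 2406 (ESP: SPI, sequence number and payload only) specify, then rewrites the source address the way R2 does and re-verifies. The key, SPIs and payload are constructed for the demo; the addresses are the ones from Macky's lab. Encryption of the ESP payload is not modelled since it does not affect the point.

```python
"""Why AH breaks behind NAT and ESP does not (added illustration, not from the thread)."""
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not from the thread).
KEY = b"demo-integrity-key"        # hypothetical SA integrity key
PRIVATE_SRC = "100.1.1.1"          # R1 serial0 before NAT (from the lab)
NAT_SRC = "200.100.100.1"          # R1 serial0 as seen after NAT on R2
DST = "200.200.200.4"              # R4 serial0
PAYLOAD = b"constructed inner datagram"

IP_HDR_FMT = "!BBHHHBBH4s4s"       # 20-byte IPv4 header without options
AH_LEN = 24                        # 12-byte AH header + 96-bit ICV
ICV_LEN = 12                       # HMAC truncated to 96 bits, as ah-sha-hmac / esp-sha-hmac do


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ip_header(src, dst, proto, total_len, ttl=64):
    # version/IHL, TOS, length, id, flags+frag, TTL, proto, checksum(0), src, dst
    return struct.pack(IP_HDR_FMT, 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def zero_mutable(ip_hdr):
    # RFC 2402: TOS, flags/fragment offset, TTL and checksum are mutable and
    # zeroed before the ICV is computed. Source and destination are NOT mutable,
    # so they are covered by the AH ICV.
    f = list(struct.unpack(IP_HDR_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IP_HDR_FMT, *f)


def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src, dst, payload, spi=0x100, seq=1):
    ip_hdr = build_ip_header(src, dst, 51, 20 + AH_LEN + len(payload))
    # next header, payload length (32-bit words minus 2), reserved, SPI, seq, zeroed ICV
    ah_zero_icv = struct.pack("!BBHII", 0, AH_LEN // 4 - 2, 0, spi, seq) + b"\x00" * ICV_LEN
    mac = icv(KEY, zero_mutable(ip_hdr) + ah_zero_icv + payload)
    return ip_hdr + ah_zero_icv[:12] + mac + payload


def verify_ah(packet):
    ip_hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    expected = icv(KEY, zero_mutable(ip_hdr) + ah[:12] + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(ah[12:], expected)


def build_esp_packet(src, dst, payload, spi=0x200, seq=1):
    ip_hdr = build_ip_header(src, dst, 50, 20 + 8 + len(payload) + ICV_LEN)
    esp_body = struct.pack("!II", spi, seq) + payload   # ESP ICV never covers the IP header
    return ip_hdr + esp_body + icv(KEY, esp_body)


def verify_esp(packet):
    esp_body, mac = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(mac, icv(KEY, esp_body))


def nat_rewrite_source(packet, new_src):
    # What R2 does to the outer header: new source address, TTL decremented,
    # checksum recomputed (left at 0 here; it is mutable and excluded from AH anyway).
    f = list(struct.unpack(IP_HDR_FMT, packet[:20]))
    f[8] = ip_to_bytes(new_src)
    f[5] -= 1
    f[7] = 0
    return struct.pack(IP_HDR_FMT, *f) + packet[20:]


def demo():
    ah = build_ah_packet(PRIVATE_SRC, DST, PAYLOAD)
    esp = build_esp_packet(PRIVATE_SRC, DST, PAYLOAD)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, NAT_SRC)),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, NAT_SRC)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV OK' if ok else 'ICV FAIL'}")
```

Running it shows the AH packet failing verification after the address rewrite while the ESP packet still verifies, which is why an AH transform cannot be pushed through R2 but an ESP-only transform can. Two caveats the model does not cover: ESP carries no ports, so a one-to-one address translation on R2 works but overloaded (PAT) NAT does not, and ISAKMP still sees the translated address, which is why R4's pre-shared key and peer statement in Macky's config are bound to 200.100.100.1 rather than 100.1.1.1.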



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:25 GMT-3