Finally IPSec and NAT merge

From: yuen me (yuen_me@xxxxxxxxxxx)
Date: Sun Feb 17 2002 - 18:28:10 GMT-3

This is an experiment in making NAT happen and, at the same time, passing the
altered packets into an IPSec tunnel. It is different from the approach in the
TAC document:
http://www.cisco.com/warp/public/707/overload_private.shtml

It is successful, but not a graceful solution. I would still prefer the TAC
approach of avoiding NAT for inter-private-LAN traffic. After all, why would you
need NATed traffic in an IPSec tunnel! However, through this experiment I got a
deeper understanding of IPSec, and I guess you may be interested. The setting
is as follows.

R2-----R1-----R3
IPSec         IPSec
NAT           NAT

R2 Loopback11   172.16.2.5/30     (ip nat inside)
R2 Serial1.201  172.16.1.22/29    (ip nat outside)
R3 Loopback11   172.16.144.3/24   (ip nat inside)
R3 Serial1      172.16.1.43/29    (ip nat outside)

      Inside local    Inside global
R2    172.16.2.5      172.16.1.17
R3    172.16.144.3    172.16.1.45

Test: extended ping from R3 (172.16.144.3) to R2 (172.16.2.5)

The entire config is at the bottom of this mail. The key to success is to
have a 3-line extended access-list instead of 1:

R3

access-list 130 permit ip host 172.16.1.45 host 172.16.2.5 log
access-list 130 permit ip host 172.16.144.3 host 172.16.1.20 log
access-list 130 permit ip host 172.16.1.45 host 172.16.1.20 log

R2

access-list 150 permit ip host 172.16.1.20 host 172.16.144.3 log
access-list 150 permit ip host 172.16.2.5 host 172.16.1.45 log
access-list 150 permit ip host 172.16.1.20 host 172.16.1.45 log

For the ping from R3 to R2 to work, I need R3's 1st line and R2's 2nd and 3rd
lines. For the ping from R2 to R3 to work, I need R2's 1st line and R3's 2nd
and 3rd lines.

Let's examine the ping from R3 to R2:

R3's 1st line is to classify the "natted" outgoing ping as IPSec-qualified.
You can see that the source address is the inside global, not the inside local.

R2's 2nd line is needed when R2 receives this ping in the IPsec tunnel and tries
to qualify it as a valid source. Without this, you will see at R2:

03:01:24: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 172.16.1.22, src= 172.16.1.43,
    dest_proxy= 172.16.2.5/255.255.255.255/0/0 (type=1),
    src_proxy= 172.16.1.45/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14
03:01:24: IPSEC(validate_transform_proposal): proxy identities not supported

R2's 3rd line is for the returned ping. Please notice that both source and
destination are global. Without this, you will see on R1:

6:16:42: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) dest_addr= 172.16.144.3, src_addr= 172.16.1.20, prot= 1.....

It is clumsy, but the exchange provides a clear picture of what IPSec
requires. Hope this helps:

hostname r3
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key r2r3 address 172.16.1.22
!
!
crypto ipsec transform-set 1st_choice esp-des esp-md5-hmac
!
!
crypto map r2r3_ipsec_tunnel 10 ipsec-isakmp
 set peer 172.16.1.22
 set transform-set 1st_choice
 set pfs group1
 match address 130
!
interface Loopback11
 ip address 172.16.144.3 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial1
 bandwidth 64
 ip address 172.16.1.43 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 ip pim nbma-mode
 ip pim sparse-dense-mode
 encapsulation frame-relay
 ip ospf network point-to-point
 ip ospf priority 0
 logging event subif-link-status
 logging event dlci-status-change
 cdp enable
 crypto map r2r3_ipsec_tunnel
!
ip nat pool r3wan 172.16.1.45 172.16.1.45 prefix-length 30
ip nat inside source list 10 pool r3wan
!
access-list 10 permit 172.16.144.3
access-list 10 permit 239.10.0.0 0.0.255.255
access-list 130 permit ip host 172.16.1.45 host 172.16.2.5 log
access-list 130 permit ip host 172.16.144.3 host 172.16.1.20 log
access-list 130 permit ip host 172.16.1.45 host 172.16.1.20 log
!

hostname r2
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key r2r3 address 172.16.1.43
crypto isakmp key r5r6 address 172.16.1.10
!
crypto ipsec transform-set 2nd_priority ah-md5-hmac
crypto ipsec transform-set 1st_choice esp-des esp-md5-hmac
!
crypto map ipsec_bvi 10 ipsec-isakmp
 set peer 172.16.1.10
 set transform-set 2nd_priority
 set pfs group1
 match address 120
!
crypto map r2r3_ipsec_tunnel 10 ipsec-isakmp
 set peer 172.16.1.43
 set transform-set 1st_choice
 set pfs group1
 match address 150
!
interface Loopback11
 ip address 172.16.2.5 255.255.255.252
 ip nat inside
!
interface Serial1.201 point-to-point
 ip address 172.16.1.22 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 201
 crypto map r2r3_ipsec_tunnel
!
ip nat pool r2wan 172.16.1.17 172.16.1.19 prefix-length 30
ip nat inside source list 20 pool r2wan
!
access-list 20 permit 172.16.2.5
access-list 150 permit ip host 172.16.1.20 host 172.16.144.3 log
access-list 150 permit ip host 172.16.2.5 host 172.16.1.45 log
access-list 150 permit ip host 172.16.1.20 host 172.16.1.45 log

Successful

r3#ping
Protocol [ip]:
Target IP address: 172.16.2.5
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.144.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.5, timeout is 2 seconds:
.
06:25:39: ISAKMP (67): received packet from 172.16.1.22 (I) QM_IDLE
06:25:39: ISAKMP (67): processing SA payload. message ID = 1153090510
06:25:39: ISAKMP (67): Checking IPSec proposal 1
06:25:39: ISAKMP: transform 1, ESP_DES
06:25:39: ISAKMP: attributes in transform:
06:25:39: ISAKMP: encaps is 1
06:25:39: ISAKMP: SA life type in seconds
06:25:39: ISAKMP: SA life duration (basic) of 3600
06:25:39: ISAKMP: SA life type in kilobytes
06:25:39: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
06:25:39: ISAKMP: authenticator is HMAC-MD5
06:25:39: ISAKMP: group is 1
06:25:39: ISAKMP (67): atts are acceptable.
06:25:39: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 172.16.1.22, src= 172.16.1.43,
    dest_proxy= 172.16.1.45/255.255.255.255/0/0 (type=1),
    src_proxy= 172.16.1.20/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14
06:25:40: ISAKMP (67): processing NONCE payload. message ID = 1153090510
06:25:40: ISAKMP (67): processing KE payload. message ID = 1153090510
06:25:42: ISAKMP (67): processing ID payload. message ID = 1153090510
06:25:42: ISAKMP (67): ID_IPV4_ADDR src 172.16.1.20 prot 0 port 0
06:25:42: ISAKMP (67): processing ID payload. message ID = 1153090510
06:25:42: ISAKMP (67): ID_IPV4_ADDR dst 172.16.1.45 prot 0 port 0
06:25:43: IPSEC(key_engine): got a queue event...
06:25:43: IPSEC(spi_response): getting spi 248912694 for SA
        from 172.16.1.22 to 172.16.1.43 for prot 3
06:25:43: ISAKMP (67): sending packet to 172.16.1.22 (I) QM_IDLE .
06:25:45: ISAKMP (67): received packet from 172.16.1.22 (I) QM_IDLE
06:25:45: ISAKMP (67): Creating IPSec SAs
06:25:45: inbound SA from 172.16.1.22 to 172.16.1.43 (proxy 172.16.1.20 to 172.16.1.45 )
06:25:45: has spi 248912694 and conn_id 72 and flags 15
06:25:45: lifetime of 3600 seconds
06:25:45: lifetime of 4608000 kilobytes
06:25:45: outbound SA from 172.16.1.43 to 172.16.1.22 (proxy 172.16.1.45 to 172.16.1.20 )
06:25:45.
Success rate is 0 percent (0/5)
r3#: has spi 201132544 and conn_id 73 and flags 15
06:25:45: lifetime of 3600 seconds
06:25:45: lifetime of 4608000 kilobytes
06:25:45: IPSEC(key_engine): got a queue event...
06:25:45: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 172.16.1.43, src= 172.16.1.22,
    dest_proxy= 172.16.1.45/0.0.0.0/0/0 (type=1),
    src_proxy= 172.16.1.20/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xED61B36(248912694), conn_id= 72, keysize= 0, flags= 0x15
06:25:45: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 172.16.1.43, dest= 172.16.1.22,
    src_proxy= 172.16.1.45/0.0.0.0/0/0 (type=1),
    dest_proxy= 172.16.1.20/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xBFD0A00(201132544), conn_id= 73, keysize= 0, flags= 0x15
06:25:45: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.1.43, sa_prot= 50,
    sa_spi= 0xED61B36(248912694),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 72
06:25:45: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.1.22, sa_prot= 50,
    sa_spi= 0xBFD0A00(201132544),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 73
06:25:58: %SEC-6-IPACCESSLOGDP: list 130 permitted icmp 172.16.1.45 -> 172.16.2.5 (8/0), 10 packets
r3#
06:26:04: ISADB: reaper checking SA, conn_id = 67
r3#sh cry ipsec sa

interface: Serial1
    Crypto map tag: r2r3_ipsec_tunnel, local addr. 172.16.1.43

   local ident (addr/mask/prot/port): (172.16.144.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.20/255.255.255.255/0/0)
   current_peer: 172.16.1.22
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.43, remote crypto endpt.: 172.16.1.22
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     outbound esp sas:

     outbound ah sas:

   local ident (addr/mask/prot/port): (172.16.1.45/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.5/255.255.255.255/0/0)
   current_peer: 172.16.1.22
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 172.16.1.43, remote crypto endpt.: 172.16.1.22
     path mtu 1500, media mtu 1500
     current outbound spi: 9F4263E

     inbound esp sas:
      spi: 0x1AC10804(448858116)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 69, crypto map: r2r3_ipsec_tunnel
        sa timing: remaining key lifetime (k/sec): (4608000/3431)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     outbound esp sas:
      spi: 0x9F4263E(166995518)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 70, crypto map: r2r3_ipsec_tunnel
        sa timing: remaining key lifetime (k/sec): (4607999/3431)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

   local ident (addr/mask/prot/port): (172.16.1.45/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.20/255.255.255.255/0/0)
   current_peer: 172.16.1.22
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.43, remote crypto endpt.: 172.16.1.22
     path mtu 1500, media mtu 1500
     current outbound spi: BFD0A00

     inbound esp sas:
      spi: 0xED61B36(248912694)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 72, crypto map: r2r3_ipsec_tunnel
        sa timing: remaining key lifetime (k/sec): (4608000/3408)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     outbound esp sas:
      spi: 0xBFD0A00(201132544)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 73, crypto map: r2r3_ipsec_tunnel
        sa timing: remaining key lifetime (k/sec): (4608000/3408)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

r3#ping
Protocol [ip]:
Target IP address: 172.16.2.5
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.144.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/112/128 ms
r3#
06:26:58: %SEC-6-IPACCESSLOGDP: list 130 permitted icmp 172.16.1.45 -> 172.16.1.20 (0/0), 5 packets
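The reasoning in the post (NAT happens before the crypto map looks at the packet, the matching access-list line becomes the proxy identity, and the peer must hold the mirror of that line or it reports "proxy identities not supported") can be traced as a small model. The script below is an added illustration, not code from the post or from Cisco: it uses the addresses from the post, takes R2's inside global from the access-lists and debugs (172.16.1.20), reduces the one-address NAT pools to a fixed one-to-one mapping, and treats R1 as a transparent transit hop. The `hop`, `ping`, `lab_routers` and `run_case` names are my own.

```python
"""Model of the IOS packet path exercised by the three-line crypto ACLs.

Outbound: inside->outside NAT first, then the crypto map ACL; a match makes
that ACL line the proxy identity offered to the peer.  Inbound: the peer
accepts the SA only if its own ACL mirrors those proxy IDs, then decrypts,
then applies outside->inside NAT.  Addresses are the post's; NAT and R1 are
simplified as described in the lead-in.
"""
from dataclasses import dataclass


class ProxyMismatch(Exception):
    """Responder has no mirrored ACL line for the offered proxy identities."""


@dataclass
class Router:
    name: str
    nat: dict          # inside local -> inside global (fixed 1:1 mapping)
    crypto_acl: list   # [(src_host, dst_host), ...] in configured order

    def nat_in_to_out(self, src, dst):
        """ip nat inside -> ip nat outside: rewrite an inside local source."""
        return self.nat.get(src, src), dst

    def nat_out_to_in(self, src, dst):
        """ip nat outside -> ip nat inside: rewrite an inside global destination."""
        reverse = {g: l for l, g in self.nat.items()}
        return src, reverse.get(dst, dst)

    def acl_line(self, src, dst):
        """1-based crypto ACL line permitting src -> dst, or None."""
        for i, (s, d) in enumerate(self.crypto_acl, 1):
            if (s, d) == (src, dst):
                return i
        return None


def hop(sender, receiver, src, dst, trace):
    """Forward one packet sender -> receiver; return (src, dst) as delivered."""
    src, dst = sender.nat_in_to_out(src, dst)        # 1. NAT runs first ...
    line = sender.acl_line(src, dst)                  # 2. ... then the crypto ACL
    if line is None:
        # no match: the packet leaves the crypto-map interface unprotected
        trace["clear_text"].append(f"{sender.name}: {src}->{dst}")
    else:
        trace["acl_lines"].append(f"{sender.name} line {line}")
        mirror = receiver.acl_line(dst, src)          # 3. peer needs the mirror
        if mirror is None:
            raise ProxyMismatch(f"{receiver.name}: proxy identities not supported "
                                f"(src_proxy={src}, dest_proxy={dst})")
        trace["acl_lines"].append(f"{receiver.name} line {mirror}")
    return receiver.nat_out_to_in(src, dst)           # 4. inbound NAT last


def ping(client, server, src, dst):
    """Echo request src -> dst plus the echo reply, recording each ACL line used."""
    trace = {"acl_lines": [], "clear_text": [], "error": None,
             "reply_reached_source": False, "reply_src_seen": None}
    try:
        s, d = hop(client, server, src, dst, trace)   # echo request
        rs, rd = hop(server, client, d, s, trace)     # echo reply to the seen source
        trace["reply_reached_source"] = rd == src
        trace["reply_src_seen"] = rs                  # global address, not 172.16.2.5
    except ProxyMismatch as exc:
        trace["error"] = str(exc)
    return trace


def lab_routers():
    """R2 and R3 as configured in the post (three-line crypto ACLs)."""
    r3 = Router("r3", {"172.16.144.3": "172.16.1.45"}, [
        ("172.16.1.45", "172.16.2.5"),     # access-list 130, line 1
        ("172.16.144.3", "172.16.1.20"),   # line 2
        ("172.16.1.45", "172.16.1.20"),    # line 3
    ])
    r2 = Router("r2", {"172.16.2.5": "172.16.1.20"}, [
        ("172.16.1.20", "172.16.144.3"),   # access-list 150, line 1
        ("172.16.2.5", "172.16.1.45"),     # line 2
        ("172.16.1.20", "172.16.1.45"),    # line 3
    ])
    return r2, r3


def run_case(r3_acl=None, r2_acl=None):
    """Ping R3 -> R2 with optional replacement crypto ACLs (hypothetical variants)."""
    r2, r3 = lab_routers()
    if r3_acl is not None:
        r3.crypto_acl = r3_acl
    if r2_acl is not None:
        r2.crypto_acl = r2_acl
    return ping(r3, r2, "172.16.144.3", "172.16.2.5")


if __name__ == "__main__":
    print("three-line ACLs:", run_case())
    # one local-to-local line, the shape the TAC document uses without NAT
    print("single line    :", run_case(r3_acl=[("172.16.144.3", "172.16.2.5")]))
```

Running it reproduces the post's bookkeeping: the three-line configuration uses R3 line 1 and R2 line 2 for the request, R2 line 3 and R3 line 3 for the reply, and the reply reaches 172.16.144.3 sourced from R2's inside global. Dropping R2 line 2 fails at R2 with the proxy-identity error; dropping R2 line 3 lets the reply leave R2 unprotected, which is the clear-text case the post sees rejected at R1; a single local-to-local line never matches once NAT has rewritten the source.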

This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:25 GMT-3