From: Stefano Lassi (stefano.lassi@sysma.it)
Date: Mon Aug 09 2004 - 07:55:28 GMT-3
Hi everybody,
My original target is to permit an IPSEC VPN between a router, or better
multiple coexistent routers, behind Vodafone Italy GPRS standard APN
access (IP assigned in a private class -> NAT through the outside world)
and a hub router with registered public access.
I made the following kinds of tests:
1) Actually on a real environment, one spoke router
2) Laboratory environment (PAT behind ADSL), one spoke router
3) Laboratory environment (PAT behind ADSL), two spoke routers behind
the same PAT domain
1) ISAKMP seems unable to start the SA; but NAT_DETECTION seems to be working.
Note:
The ISAKMP spoke port will be changed by the Vodafone NAT from udp/500 to
udp/XXXXX = probably port udp/500 is dropped by Vodafone, or it was
already in use by some other Vodafone customer ...
2) OK!!
3) I got both a configuration problem and the same port NAT problem as in 1)
Note 3a:
I had to use keyrings, isakmp profiles and dynamic crypto maps (instead of
the classical isakmp syntax), but I got a configuration problem implementing
dual keyring selection:
crypto keyring <KEYRING1>
  pre-shared-key address 0.0.0.0 0.0.0.0 key <key1>
crypto keyring <KEYRING2>
  pre-shared-key address 0.0.0.0 0.0.0.0 key <key2>
will create confusion in the ISAKMP key and profile pick-up => both
destinations will not start. With only one keyring, as in case 2), all
is OK.
Note 3b:
Also when bypassing problem 3a with a trick (manually changing the keyring
definition of the second tunnel after the first tunnel has been established),
the second VPN will not start.
On the NAT device I found PAT for the udp/500 (ISAKMP) and udp/4500 (NAT-T)
ports:
sh ip nat trans * ->
Pro Inside global        Inside local        Outside local       Outside global
udp 106.138.23.14:2      10.0.0.19:500       123.6.61.15:500     123.6.61.15:500
udp 106.138.23.14:4500   10.0.0.18:4500      123.6.61.15:4500    123.6.61.15:4500
udp 106.138.23.14:500    10.0.0.18:500       123.6.61.15:500     123.6.61.15:500
udp 106.138.23.14:1024   10.0.0.19:4500      123.6.61.15:4500    123.6.61.15:4500
Now my questions are:
1) Is it anyway possible to have two IPSec NAT-T spokes behind the same PAT
device?
2) Is it possible via IOS syntax to change the default udp/500 (ISAKMP) and
udp/4500 (NAT-T) ports?
3) Is there a better syntax than keyrings, isakmp profiles and dynamic
crypto maps?
4) Are there any other ways to implement what I'm looking for (instead
of NAT-T)?
I can't use GRE because on the hub router I can't specify the tunnel destination
(I already used GRE with 1-1 NAT, but how can it be used with PAT or n-m
NAT?).
All examples I found about DMVPN are without NAT (anyway I think DMVPN
is actually based on GRE + IPSec).
IP Mobile seems to me only an easier framework, but based on GRE and IPSec
NAT-T too ...
I know it is possible to implement a LAN-to-LAN VPN using SSH with
Linux/FreeBSD; but how to use that idea on Cisco routers?
One solution I was thinking of, and I'm going to test, is EASY VPN:
- Point 1) will work with Cisco VPN Client and VPN 3000: am I going to
solve the problems using EASY VPN SERVER on the hub and EASY VPN CLIENT WITH
NETWORK EXTENSION on the spokes?
All tests have been made with Cisco 261x with the same IOS (tm) C2600
Software (C2600-IK9O3S3-M), Version 12.3(6a).
Thank you very much to whoever will have any good idea!!!
Stefano
CCNP/CCDP
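An added example (not from the post or from Cisco) that parses the `sh ip nat trans` output above and shows, per peer, which spoke kept udp/500 and udp/4500 through the PAT and which one had its source port rewritten; the sample rows are constructed from the post's table and the column header is the standard IOS one.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's `sh ip nat trans` output.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 106.138.23.14:2    10.0.0.19:500      123.6.61.15:500    123.6.61.15:500
udp 106.138.23.14:4500 10.0.0.18:4500     123.6.61.15:4500   123.6.61.15:4500
udp 106.138.23.14:500  10.0.0.18:500      123.6.61.15:500    123.6.61.15:500
udp 106.138.23.14:1024 10.0.0.19:4500     123.6.61.15:4500   123.6.61.15:4500
"""

IKE_PORTS = {500: "ISAKMP", 4500: "NAT-T"}
LINE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")

def parse_translations(text):
    """Return one dict per udp/tcp translation row; the header and rows without ports are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rows.append({
            "proto": m.group(1),
            "inside_global": (m.group(2), int(m.group(3))),
            "inside_local": (m.group(4), int(m.group(5))),
            "outside_global": (m.group(8), int(m.group(9))),
        })
    return rows

def ike_port_collisions(rows):
    """Group IKE translations by (peer, local port).
    Returns {(peer_ip, port): [(inside_ip, inside_global_port, port_preserved), ...]}."""
    out = defaultdict(list)
    for r in rows:
        lport = r["inside_local"][1]
        if r["proto"] != "udp" or lport not in IKE_PORTS:
            continue
        gport = r["inside_global"][1]
        out[(r["outside_global"][0], lport)].append((r["inside_local"][0], gport, gport == lport))
    return dict(out)

def report(rows):
    """Human-readable summary: only the first spoke per peer keeps its well-known source port."""
    lines = []
    for (peer, port), hosts in sorted(ike_port_collisions(rows).items()):
        if len(hosts) > 1:
            lines.append(f"{len(hosts)} spokes share {IKE_PORTS[port]} udp/{port} towards {peer}:")
        for ip, gport, ok in sorted(hosts):
            lines.append(f"  {ip} -> source port {gport} ({'preserved' if ok else 'rewritten by PAT'})")
    return lines
```

Run `print("\n".join(report(parse_translations(SAMPLE))))` to see that 10.0.0.18 kept ports 500 and 4500 while 10.0.0.19 was moved to 2 and 1024, which is the "same port NAT problem" the hub sees as ISAKMP arriving from a non-500 port.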
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:35 GMT-3