IPSec - NAT - Help

From: Kal Han (calikali2006@gmail.com)
Date: Wed Dec 13 2006 - 23:05:13 ART

• Next message: Haas, Brad: "RE: multicast to broadcast conversion"
• Previous message: anthony.sequeira@thomson.com: "RE: multicast to broadcast conversion"
• Next in thread: Kal Han: "Re: IPSec - NAT - Help"
• Maybe reply: Kal Han: "Re: IPSec - NAT - Help"
• Maybe reply: Petr Lapukhov: "Re: IPSec - NAT - Help"
• Maybe reply: Ivan Ivanov: "Re: IPSec - NAT - Help"
• Maybe reply: Petr Lapukhov: "Re: IPSec - NAT - Help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi
Has any one got this type of scenario working, please let me know.

  1.1.1.1 1.1.1.2 3.3.3.2 3.3.3.3
[R1]-------------------------[R2]-------------------------[R3]
   | |
loop13 loop13
ip = 11.11.11.11 ip = 33.33.33.33

Tunnel between R1 and R3
Interesting traffic - between loopbacks.
Tunnel end points = 1.1.1.1 <-> 3.3.3.3

Nat Device = R2
*Nat converting 1.1.1.1 to 3.3.3.1*
( But R1 and R3 are unaware of this translation and
have the peers set to the real IPs in crypto config )

I am not able to get this working.

I see the debug messages ..below... from phase 2
( the IP addresses are not the same as above topology)

*But I dont see any udp 4500 exchanges between peers.*

*Config*
**
crypto map cm 10 ipsec-isakmp
 set peer *200.200.200.200 <<<<real IP -----> translated to 195.1.123.6 by
R2*
 set transform-set ts
 match address 179

*Phase 2 Messages*

*Mar 1 00:51:15.851: ISAKMP (0:1): atts are acceptable.
*Mar 1 00:51:15.851: IPSE
R1#C(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 11.11.11.11, remote= *195.1.123.6*,
*<<<<<<----
nat translated.not real
* local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 222.222.222.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 00:51:15.851: IPSEC(kei_proxy): head = cm, map->ivrf = , kei->ivrf =

*Mar 1 00:51:15.855: IPSEC(validate_transform_proposal): peer address
195.1.123.6 not found
*Mar 1 00:51:15.855: ISAKMP (0:1): *IPSec policy invalidated proposal*
*Mar 1 00:51:15.855: ISAKMP (0:1): phase 2 SA policy not acceptable! (local
11.11.11.11 remote *195.1.123.6*)
*Mar 1 00:51:15.855: ISAKMP: set new node -454548859 to QM_IDLE
*Mar 1 00:51:15.859: ISAKMP (0:1): sending packet to 195.1.123.6 my_port
500 peer_port 500 (R) QM_IDLE
*Mar 1 00:51:15.859: ISAKMP (0:1): purging node -454548859
*Mar 1 00:51:15.859: ISAKMP (0:1): Node 1553741346, Input =
IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 00:51:15.859: ISAKMP (0:1): Old State = IKE_QM_READY New State =
IKE_QM_READY

Please let me know.

Thanks
Kal

• Next message: Haas, Brad: "RE: multicast to broadcast conversion"
• Previous message: anthony.sequeira@thomson.com: "RE: multicast to broadcast conversion"
• Next in thread: Kal Han: "Re: IPSec - NAT - Help"
• Maybe reply: Kal Han: "Re: IPSec - NAT - Help"
• Maybe reply: Petr Lapukhov: "Re: IPSec - NAT - Help"
• Maybe reply: Ivan Ivanov: "Re: IPSec - NAT - Help"
• Maybe reply: Petr Lapukhov: "Re: IPSec - NAT - Help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART