From: Kal Han (calikali2006@gmail.com)
Date: Thu Dec 14 2006 - 00:25:47 ART
Hi
The only way it's working is when I peer R3
with the *NATed IP* ... I mean, then it's going to
UDP 4500. The other way is failing because
IPsec is seeing a different IP address than the
pre-defined peer.
How can I solve the original issue?
I might be expecting something wrong here...
But in cases where an intermediate device is doing NAT and
the end devices are *completely unaware* of it,
NAT-T can solve this issue ... is that not correct?
Thanks
Kal
On 12/13/06, Kal Han <calikali2006@gmail.com> wrote:
>
> Hi
> Has anyone got this type of scenario working? Please let me know.
>
>     1.1.1.1           1.1.1.2    3.3.3.2           3.3.3.3
>  [R1]-------------------------[R2]-------------------------[R3]
>   |                                                         |
> loop13                                                   loop13
> ip = 11.11.11.11                              ip = 33.33.33.33
>
> Tunnel between R1 and R3
> Interesting traffic - between loopbacks.
> Tunnel end points = 1.1.1.1 <-> 3.3.3.3
>
> NAT device = R2
> *NAT converting 1.1.1.1 to 3.3.3.1*
> (But R1 and R3 are unaware of this translation and
> have the peers set to the real IPs in the crypto config.)
>
> I am not able to get this working.
>
> I see the debug messages below from phase 2
> (the IP addresses are not the same as in the above topology).
>
> *But I don't see any UDP 4500 exchanges between the peers.*
>
>
> *Config*
>
> crypto map cm 10 ipsec-isakmp
>  set peer 200.200.200.200        <<<< real IP, translated to 195.1.123.6 by R2
>  set transform-set ts
>  match address 179
>
> *Phase 2 Messages*
>
> *Mar 1 00:51:15.851: ISAKMP (0:1): atts are acceptable.
> R1#
> *Mar 1 00:51:15.851: IPSEC(validate_proposal_request): proposal part #1,
> (key eng. msg.) INBOUND local= 11.11.11.11, remote= *195.1.123.6*,   <<<< NAT translated, not the real IP
> local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 222.222.222.0/255.255.255.0/0/0 (type=4),
> protocol= ESP, transform= esp-des esp-sha-hmac ,
> lifedur= 0s and 0kb,
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
> *Mar 1 00:51:15.851: IPSEC(kei_proxy): head = cm, map->ivrf = , kei->ivrf =
> *Mar 1 00:51:15.855: IPSEC(validate_transform_proposal): peer address 195.1.123.6 not found
> *Mar 1 00:51:15.855: ISAKMP (0:1): *IPSec policy invalidated proposal*
> *Mar 1 00:51:15.855: ISAKMP (0:1): phase 2 SA policy not acceptable! (local 11.11.11.11 remote *195.1.123.6*)
> *Mar 1 00:51:15.855: ISAKMP: set new node -454548859 to QM_IDLE
> *Mar 1 00:51:15.859: ISAKMP (0:1): sending packet to 195.1.123.6 my_port 500 peer_port 500 (R) QM_IDLE
> *Mar 1 00:51:15.859: ISAKMP (0:1): purging node -454548859
> *Mar 1 00:51:15.859: ISAKMP (0:1): Node 1553741346, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
> *Mar 1 00:51:15.859: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_READY
>
> Please let me know.
>
> Thanks
> Kal
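An added example, not code from the post or from Cisco IOS, to show the two mechanisms this thread turns on: how IKEv1 NAT-Traversal (RFC 3947 NAT-D payloads, hashes of cookies plus IP and port) lets peers detect R2's translation even though R1 and R3 are unaware of it, and why detecting the NAT does not by itself make a static crypto map on the far side match, since the debug above shows the responder rejecting the phase 2 proposal because the translated address is not among its configured peers. The cookies, ports and the crypto-map lookup are constructed or simplified models of the protocol, SHA-1 stands in for the phase 1 hash algorithm, and the addresses follow the topology in the post (R1 = 1.1.1.1 translated to 3.3.3.1, R3 = 3.3.3.3).

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    # RFC 3947 section 3.2: NAT-D = HASH(CKY-I | CKY-R | IP | Port).
    # SHA-1 here is an assumption standing in for the phase 1 hash.
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = (cky_i + cky_r
            + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.sha1(data).digest()


def build_nat_d(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    # A NAT-T capable peer sends two NAT-D payloads in phase 1: first the
    # hash of the peer's address as it believes it, then the hash of its own.
    return {
        "remote": nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        "local": nat_d_hash(cky_i, cky_r, local_ip, local_port),
    }


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port,
               my_ip, my_port):
    # The receiver recomputes both hashes from what actually arrived on the
    # wire. The sender's "local" hash not matching the observed source means
    # the sender sits behind a NAT; the "remote" hash not matching the
    # receiver's own address means the receiver does.
    sender_behind_nat = received["local"] != nat_d_hash(
        cky_i, cky_r, observed_src_ip, observed_src_port)
    receiver_behind_nat = received["remote"] != nat_d_hash(
        cky_i, cky_r, my_ip, my_port)
    return sender_behind_nat, receiver_behind_nat


def crypto_map_lookup(crypto_map, observed_peer_ip):
    # Simplified model (not IOS code) of a static crypto map: the responder
    # accepts the phase 2 proposal only if some entry's "set peer" equals
    # the address the IKE packet arrived from. peer=None models a dynamic
    # crypto map entry, which has no fixed peer and accepts any source.
    for seq, entry in sorted(crypto_map.items()):
        if entry["peer"] is None or entry["peer"] == observed_peer_ip:
            return seq
    return None


def run_scenario(r3_set_peer):
    # Constructed cookie values; addresses follow the post's topology.
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")
    r1_ip, r3_ip, translated = "1.1.1.1", "3.3.3.3", "3.3.3.1"

    # R1 builds NAT-D from the addresses it knows; it is unaware of R2.
    payloads = build_nat_d(cky_i, cky_r, r1_ip, 500, r3_ip, 500)

    # R2 rewrites the source, so R3 sees the packet arrive from 3.3.3.1:500.
    r1_natted, r3_natted = detect_nat(cky_i, cky_r, payloads,
                                      translated, 500, r3_ip, 500)
    # RFC 3947: once a NAT is detected both sides move IKE to UDP 4500.
    ike_port = 4500 if (r1_natted or r3_natted) else 500

    # R3's crypto map, sequence 10, with the "set peer" the caller chose.
    crypto_map = {10: {"peer": r3_set_peer}}
    matched = crypto_map_lookup(crypto_map, translated)
    return {
        "r1_behind_nat": r1_natted,
        "r3_behind_nat": r3_natted,
        "ike_port": ike_port,
        "crypto_map_match": matched,
    }


if __name__ == "__main__":
    for peer in ("1.1.1.1", "3.3.3.1", None):
        print(f"R3 set peer {peer}: {run_scenario(peer)}")
```

Running the three cases shows that the NAT in front of R1 is detected every time (so a NAT-T capable pair would float to UDP 4500), but only a `set peer` of the translated address or a dynamic crypto map entry on R3 produces a match; R1, which is the side behind the NAT, keeps its peer set to R3's real address in all three cases.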
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART