Re: IPSec - NAT - Help

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Sat Dec 16 2006 - 10:43:16 ART


I see your point. Basically, NAT-T is designed to cover remote-access
scenarios mostly, where a remote node connects through NAT to a well-known
IP address of a server. NAT-T permits IKE/ESP to be carried and "multiplexed"
safely over NAT/PAT configurations.

When you configure an L2L tunnel through NAT, you should use Post-NAT IP
addresses as "static" endpoints. Bi-directional tunnel establishment is
possible only if you use static NAT translations. Anyway, it is not possible
to discover Post-NAT IPs using Pre-NAT addresses for peering; this simply
won't work, for obvious reasons...

One way to discover tunnel endpoints is TED, but it does not work with NAT.

2006/12/14, Kal Han <calikali2006@gmail.com>:
>
> Hi
> The only way its working is when I peer R3
> with the *nated ip* ... I mean... then its going to
> udp 4500. Other way is failing because of
> ipsec is seing a different ip address than the
> pre-defined peer.
>
> how can I solve the original issue ?
>
> I might be expecting something wrong here...
> But in cases where an intermediate device is doing nat and
> the end devices are *completely unaware* of it,
> NAT-T can solve this issue ... is that not correct ?
>
> Thanks
> Kal
>
>
> On 12/13/06, Kal Han <calikali2006@gmail.com> wrote:
> >
> > Hi
> > Has any one got this type of scenario working, please let me know.
> >
> >       1.1.1.1               1.1.1.2  3.3.3.2               3.3.3.3
> > [R1]-------------------------[R2]-------------------------[R3]
> >   |                                                          |
> > loop13                                                    loop13
> > ip = 11.11.11.11                                  ip = 33.33.33.33
> >
> > Tunnel between R1 and R3
> > Interesting traffic - between loopbacks.
> > Tunnel end points = 1.1.1.1 <-> 3.3.3.3
> >
> > Nat Device = R2
> > *Nat converting 1.1.1.1 to 3.3.3.1*
> > ( But R1 and R3 are unaware of this translation and
> > have the peers set to the real IPs in crypto config )
> >
> > I am not able to get this working.
> >
> > I see the debug messages ..below... from phase 2
> > ( the IP addresses are not the same as above topology)
> >
> > *But I dont see any udp 4500 exchanges between peers.*
> >
> >
> > *Config*
> >
> > crypto map cm 10 ipsec-isakmp
> > set peer *200.200.200.200 <<<< real IP -----> translated to 195.1.123.6 by R2*
> > set transform-set ts
> > match address 179
> >
> > *Phase 2 Messages*
> >
> > *Mar 1 00:51:15.851: ISAKMP (0:1): atts are acceptable.
> > R1#
> > *Mar 1 00:51:15.851: IPSEC(validate_proposal_request): proposal part #1,
> > (key eng. msg.) INBOUND local= 11.11.11.11 , remote= *195.1.123.6*, *<<<<<<---- nat translated, not real*
> > local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 222.222.222.0/255.255.255.0/0/0 (type=4),
> > protocol= ESP, transform= esp-des esp-sha-hmac ,
> > lifedur= 0s and 0kb,
> > spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
> > *Mar 1 00:51:15.851: IPSEC(kei_proxy): head = cm, map->ivrf = , kei->ivrf =
> > *Mar 1 00:51:15.855: IPSEC(validate_transform_proposal): peer address 195.1.123.6 not found
> > *Mar 1 00:51:15.855: ISAKMP (0:1): *IPSec policy invalidated proposal*
> > *Mar 1 00:51:15.855: ISAKMP (0:1): phase 2 SA policy not acceptable! (local 11.11.11.11 remote *195.1.123.6*)
> > *Mar 1 00:51:15.855: ISAKMP: set new node -454548859 to QM_IDLE
> > *Mar 1 00:51:15.859: ISAKMP (0:1): sending packet to 195.1.123.6 my_port 500 peer_port 500 (R) QM_IDLE
> > *Mar 1 00:51:15.859: ISAKMP (0:1): purging node -454548859
> > *Mar 1 00:51:15.859: ISAKMP (0:1): Node 1553741346, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
> > *Mar 1 00:51:15.859: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_READY
> >
> > Please let me know.
> >
> > Thanks
> > Kal
>
>

-- 
Petr Lapukhov, CCIE #16379 (R&S/Security)
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com
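Worked configuration for the scenario in the thread (R1, R2 doing static NAT, R3), added here as an example; it is not part of either mail nor any Internetwork Expert material. It applies the advice in the reply: R3 peers with the post-NAT address 3.3.3.1 (the translation given in Kal's diagram) instead of R1's real address 1.1.1.1, and R2 uses a static one-to-one translation so either side can initiate. The addresses, transform set, crypto map name and ACL number come from the thread; interface names, the pre-shared key, the ISAKMP policy values and the routes are assumptions for a lab. It also assumes the default ISAKMP address identity is accepted by R3 even though R1's ID payload carries 1.1.1.1 while the packet arrives from 3.3.3.1, which is how a pre-shared-key peer keyed on 3.3.3.1 behaves in this setup.

```cisco
! ---------- R1 (real address 1.1.1.1, translated to 3.3.3.1 by R2) ----------
! Interface name, key, policy values and routes are lab assumptions.
crypto isakmp policy 10
 encr des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key LABKEY address 3.3.3.3
! NAT-T is negotiated automatically on IOS once NAT-D detects the address
! change; keepalives keep the UDP/4500 binding alive in R2 while idle.
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set ts esp-des esp-sha-hmac
!
! Interesting traffic: the two loopbacks from the diagram.
access-list 179 permit ip host 11.11.11.11 host 33.33.33.33
!
crypto map cm 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set ts
 match address 179
!
interface Loopback13
 ip address 11.11.11.11 255.255.255.255
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map cm
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2

! ---------- R2 (NAT device) ----------
! Static one-to-one entry: R3 can reach R1 as 3.3.3.1 at any time, which is
! what makes bi-directional tunnel establishment possible through NAT.
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
!
interface Serial0/1
 ip address 3.3.3.2 255.255.255.0
 ip nat outside
!
ip nat inside source static 1.1.1.1 3.3.3.1

! ---------- R3 (sees R1 only as 3.3.3.1) ----------
crypto isakmp policy 10
 encr des
 hash sha
 authentication pre-share
 group 2
! Key and peer are bound to the POST-NAT address. Using 1.1.1.1 here is what
! produces the "peer address ... not found" failure quoted in the thread.
crypto isakmp key LABKEY address 3.3.3.1
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set ts esp-des esp-sha-hmac
!
access-list 179 permit ip host 33.33.33.33 host 11.11.11.11
!
crypto map cm 10 ipsec-isakmp
 set peer 3.3.3.1
 set transform-set ts
 match address 179
!
interface Loopback13
 ip address 33.33.33.33 255.255.255.255
!
interface Serial0/0
 ip address 3.3.3.3 255.255.255.0
 crypto map cm
!
ip route 0.0.0.0 0.0.0.0 3.3.3.2

! ---------- Verification ----------
! R1:  ping 33.33.33.33 source 11.11.11.11
! R1:  show crypto isakmp sa        -> state QM_IDLE toward 3.3.3.3
! R3:  show crypto isakmp sa        -> state QM_IDLE toward 3.3.3.1
! any: show crypto ipsec sa         -> #pkts encaps / decaps counters increase
! R2:  show ip nat translations     -> the static entry, plus udp 4500 entries
!                                      once IKE/ESP have moved to NAT-T
```

The point to check in the debug is the same one Kal saw: because the static NAT rewrites R1's source address, NAT-D on R3 detects NAT and both IKE and ESP move to UDP 4500, so the only address R3 can ever validate a Phase 2 proposal against is 3.3.3.1. NAT-T does not let R3 learn or match the pre-NAT 1.1.1.1; the crypto map and pre-shared key on R3 have to name the translated address.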



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART