Re: OT: IPsec Site to Site Tunnel behind NAT

From: Tony Singh <mothafungla_at_gmail.com>
Date: Sat, 7 Jun 2014 15:49:46 +0100

Enable your Cyberoam for NAT-T and remove the NAT exclusion rule on the Router

Your debugs suggest the Sonicwall has discovered a NAT device (i.e. your Router's outside interface) and changed to main mode using UDP 4500

--
BR
Tony
> On 7 Jun 2014, at 15:33, segs <michaelolusegunrufai_at_gmail.com> wrote:
> 
> Hello All,
> Sorry for the OT, but I've been having issues setting up an IPsec Site to Site
> VPN behind a router configured for NAT. Below is the setup:
> 
> LAN---->Cyberoam---->Router>>>internet>>>>SonicWall
> 
> IPsec is terminated on the Cyberoam UTM as well as the SonicWall, but
> the VPN fails to connect and I get the following error on the
> Cyberoam UTM:
> 
> Jun 05 19:07:57 packet from 31.221.21.170:500: ignoring unknown Vendor ID payload [5b362bc820f60007]
> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [RFC 3947] method set to=110
> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Jun 05 19:07:57 "Septa_VPN_London-7" #346: responding to Main Mode
> Jun 05 19:07:57 "Septa_VPN_London-7" #346: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 05 19:07:57 "Septa_VPN_London-7" #346: STATE_MAIN_R1: sent MR1, expecting MI2
> 
> On checking on the internet this seems to be an issue with NAT behind a
> device terminating the IPsec VPN, so I have excluded the
> IPsec VPN traffic from being NATed on the router on UDP port 500 and
> port 4500, but I am still getting the same error.
> Router Config:-
> int g0/1
> ip add 192.168.1.1 255.255.255.0
> ip add 197.x.x.x 255.255.255.248 sec
> ip nat inside
> 
> 
> CR:-
> Port  C
> ip add 197.x.x.y 255.255.255.248
> 
> Any pointers to what could be the issue will be very much appreciated.
> 
> Thanks in advance.
> 
> 
> Blogs and organic groups at http://www.ccie.net
> 
> _______________________________________________________________________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
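The log the original post quotes is in the pluto-style IKE format (Openswan-derived, as used on the Cyberoam). The script below is an added example, not code from either poster or from Cyberoam or SonicWall: it parses such lines, records which NAT-T vendor IDs the peer advertised and the last Main Mode state each ISAKMP SA reached, and flags the pattern seen in this thread (peer advertised NAT-T, responder stuck at STATE_MAIN_R1 waiting for MI2, which is the point where the initiator would be moving on over UDP 4500). The sample log is constructed from the lines quoted above; the connection name, SA number and peer address are the ones in the post. It goes slightly beyond the thread in that it tracks any STATE_* transition and any number of SAs, so it can be pointed at a longer log.

```python
import re
from typing import Dict, List

# Vendor ID strings that mean "peer supports NAT traversal" (RFC 3947 and the
# draft-ietf-ipsec-nat-t-ike-* versions that precede it).
NATT_VIDS = ("RFC 3947", "draft-ietf-ipsec-nat-t-ike")

# Constructed sample log, modelled on the lines quoted in the original post.
SAMPLE_LOG = """\
Jun 05 19:07:57 packet from 31.221.21.170:500: ignoring unknown Vendor ID payload [5b362bc820f60007]
Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [RFC 3947] method set to=110
Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 05 19:07:57 "Septa_VPN_London-7" #346: responding to Main Mode
Jun 05 19:07:57 "Septa_VPN_London-7" #346: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 05 19:07:57 "Septa_VPN_London-7" #346: STATE_MAIN_R1: sent MR1, expecting MI2
"""

VID_RE = re.compile(r"packet from (?P<peer>[\d.]+):(?P<port>\d+): received Vendor ID payload \[(?P<vid>[^\]]+)\]")
RESP_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): responding to (?P<mode>Main|Aggressive) Mode')
TRANS_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): transition from state (?P<src>STATE_\w+) to state (?P<dst>STATE_\w+)')
WAIT_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_\w+): sent (?P<sent>\w+), expecting (?P<exp>\w+)')


def _new_sa(conn: str, mode: str, peer: str) -> dict:
    return {"conn": conn, "mode": mode, "peer": peer, "last_state": None, "waiting_for": None}


def parse_ike_log(text: str) -> dict:
    """Return {"peers": {ip: {...}}, "sas": {sa_number: {...}}} from pluto-style log text."""
    peers: Dict[str, dict] = {}
    sas: Dict[str, dict] = {}
    last_peer = None  # vendor ID lines precede the SA lines, so remember who we last heard from
    for line in text.splitlines():
        m = VID_RE.search(line)
        if m:
            p = peers.setdefault(m["peer"], {"port": int(m["port"]), "natt_vids": []})
            last_peer = m["peer"]
            if m["vid"].startswith(NATT_VIDS):
                p["natt_vids"].append(m["vid"])
            continue
        m = RESP_RE.search(line)
        if m:
            sas[m["sa"]] = _new_sa(m["conn"], m["mode"], last_peer)
            continue
        m = TRANS_RE.search(line)
        if m:
            sa = sas.setdefault(m["sa"], _new_sa(m["conn"], "?", last_peer))
            sa["last_state"] = m["dst"]
            continue
        m = WAIT_RE.search(line)
        if m:
            sa = sas.setdefault(m["sa"], _new_sa(m["conn"], "?", last_peer))
            sa["last_state"] = m["state"]
            sa["waiting_for"] = m["exp"]
    return {"peers": peers, "sas": sas}


def diagnose(parsed: dict) -> List[str]:
    """One triage line per ISAKMP SA, highlighting the NAT-T stall pattern."""
    findings = []
    for sa, info in parsed["sas"].items():
        peer = parsed["peers"].get(info["peer"], {})
        natt = peer.get("natt_vids", [])
        label = f"SA #{sa} ({info['conn']})"
        if info["waiting_for"] is None:
            findings.append(f"{label}: reached {info['last_state']}, not waiting on the peer")
        elif natt and info["last_state"] == "STATE_MAIN_R1":
            findings.append(
                f"{label}: peer {info['peer']} advertised NAT-T ({', '.join(natt)}) but negotiation "
                f"stalled at STATE_MAIN_R1 waiting for {info['waiting_for']}; check that NAT-T is "
                f"enabled locally and that UDP 4500 from the peer reaches this gateway unaltered"
            )
        else:
            findings.append(f"{label}: stalled at {info['last_state']} waiting for {info['waiting_for']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ike_log(SAMPLE_LOG)):
        print(finding)
```

Run it against a real Cyberoam VPN log and each SA that never got past MR1 while the peer had sent RFC 3947 / draft NAT-T vendor IDs is called out, which is the quickest way to separate a NAT-T problem from a proposal or pre-shared-key mismatch (those fail later, at MI3/MR3).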
Received on Sat Jun 07 2014 - 15:49:46 ART

This archive was generated by hypermail 2.2.0 : Tue Jul 01 2014 - 06:32:35 ART