Buy a Cisco ASA or recommend one :)
NAT-T is auto-detected on IOS; not sure on the UTM, but according to RFC 3947 it should auto-detect this feature during IKE phase I, so no configuration should be required.
Try removing your exclude NAT statement then debug on the router to see what the packets are doing....
--
BR

Tony

> On 7 Jun 2014, at 16:32, segs <michaelolusegunrufai_at_gmail.com> wrote:
>
> Thanks Tony for your response, but for some reason I seem not to be
> able to enable NAT-T on Cyberoam, the feature only works with remote
> access from Cyberoam's documentation but would adding a remote-id and
> local-id to both ends of the device terminating the tunnel be a valid
> solution?
>
>> On 6/7/14, Tony Singh <mothafungla_at_gmail.com> wrote:
>> Enable your Cyberoam for NAT-T and remove the NAT exclusion rule on the
>> Router
>>
>> Your debugs suggest the Sonicwall has discovered a NAT device (i.e. your
>> Router's outside interface) and changed to main mode using UDP 4500
>>
>> --
>> BR
>>
>> Tony
>>
>>> On 7 Jun 2014, at 15:33, segs <michaelolusegunrufai_at_gmail.com> wrote:
>>>
>>> Hello All,
>>> Sorry for the OT, but been having issues setting up IPsec Site to Site
>>> VPN behind a router configured for NAT. Below is the setup;
>>>
>>> LAN---->Cyberoam---->Router>>>internet>>>>SonicWall
>>>
>>> IPsec is terminated on the Cyberoam UTM as well as the SonicWall but
>>> the VPN fails to connect and I get the following error below on the
>>> Cyberoam UTM;
>>>
>>> Jun 05 19:07:57 packet from 31.221.21.170:500: ignoring unknown Vendor
>>> ID payload [5b362bc820f60007]
>>> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID
>>> payload [RFC 3947] method set to=110
>>> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID
>>> payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
>>> method 110
>>> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID
>>> payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
>>> method 110
>>> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID
>>> payload [draft-ietf-ipsec-nat-t-ike-00]
>>> Jun 05 19:07:57 "Septa_VPN_London-7" #346: responding to Main Mode
>>> Jun 05 19:07:57 "Septa_VPN_London-7" #346: transition from state
>>> STATE_MAIN_R0 to state STATE_MAIN_R1
>>> Jun 05 19:07:57 "Septa_VPN_London-7" #346: STATE_MAIN_R1: sent
>>> MR1, expecting MI2
>>>
>>> and on checking on the internet seems to be an issue with NAT behind a
>>> device terminating the IPsec VPN, and of which I have excluded the
>>> IPsec VPN traffic from being NATed on the router on UDP port 500 and
>>> port 4500 but yet still getting the same error.
>>> Router Config:-
>>> int g0/1
>>> ip add 192.168.1.1 255.255.255.0
>>> ip add 197.x.x.x 255.255.255.248 sec
>>> ip nat inside
>>>
>>>
>>> CR:-
>>> Port C
>>> ip add 197.x.x.y 255.255.255.248
>>>
>>> Any pointers to what could be the issue will be very much appreciated.
>>>
>>> Thanks in advance.
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Jun 07 2014 - 20:28:36 ART
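The log excerpt quoted in this thread can be read mechanically. The following Python is an added example, not part of any poster's message or of any vendor's tooling: it parses pluto-style IKE log lines (a subset copied from the thread, with wrapped lines rejoined) and reports which NAT-T vendor IDs the peer offered and where Main Mode stopped. The function names `summarize` and `diagnose` are hypothetical.

```python
import re

# Log lines copied from the thread above (wrapped lines rejoined).
SAMPLE_LOG = """\
Jun 05 19:07:57 packet from 31.221.21.170:500: ignoring unknown Vendor ID payload [5b362bc820f60007]
Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [RFC 3947] method set to=110
Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jun 05 19:07:57 "Septa_VPN_London-7" #346: responding to Main Mode
Jun 05 19:07:57 "Septa_VPN_London-7" #346: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 05 19:07:57 "Septa_VPN_London-7" #346: STATE_MAIN_R1: sent MR1, expecting MI2
"""

VID = re.compile(r"packet from (\S+?):(\d+): received Vendor ID payload \[([^\]]+)\]")
METHOD = re.compile(r"method set to=(\d+)")
TRANSITION = re.compile(r"#\d+: transition from state \w+ to state (\w+)")
WAITING = re.compile(r"#\d+: (\w+): sent (\w+), expecting (\w+)")


def summarize(log_text):
    """Collect the peer's NAT-T offers and the last Main Mode state seen."""
    s = {"peer": None, "peer_port": None, "natt_vids": [],
         "natt_method": None, "last_state": None, "expecting": None}
    for line in log_text.splitlines():
        if m := VID.search(line):
            s["peer"], s["peer_port"] = m.group(1), int(m.group(2))
            s["natt_vids"].append(m.group(3))
            if mm := METHOD.search(line):
                s["natt_method"] = int(mm.group(1))
        elif m := TRANSITION.search(line):
            s["last_state"], s["expecting"] = m.group(1), None
        elif m := WAITING.search(line):
            s["last_state"], s["expecting"] = m.group(1), m.group(3)
    return s


def diagnose(s):
    """Turn the summary into troubleshooting notes."""
    notes = []
    if s["natt_vids"]:
        notes.append("peer offered NAT-T: " + ", ".join(s["natt_vids"]))
    else:
        notes.append("peer sent no NAT-T vendor ID")
    if s["expecting"] == "MI2":
        # RFC 3947: NAT-D payloads travel in Main Mode messages 3 and 4,
        # so a log that ends here has not yet run NAT detection.
        notes.append("log ends waiting for MI2: NAT-D exchange not reached")
    return notes


if __name__ == "__main__":
    for note in diagnose(summarize(SAMPLE_LOG)):
        print(note)
```
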
This archive was generated by hypermail 2.2.0 : Tue Jul 01 2014 - 06:32:35 ART