Re: OT: IPsec Site to Site Tunnel behind NAT

From: Cristian Matei <cmatei_at_ine.com>
Date: Sat, 7 Jun 2014 16:43:13 -0500

Hi,

If the remote end is behind a NAT device, it doesn't matter if you use a public IP locally; NAT-T is still required.

Regards,
Cristian.

Sent from my iPhone
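Editor's note: the thread below turns on RFC 3947 NAT detection during IKE phase 1 (the "received Vendor ID payload [RFC 3947] method set to=110" lines in the Cyberoam log). The following Python is an added worked example, not code from any poster, Cyberoam, SonicWall or Cisco. It models the NAT-D check from RFC 3947 section 3.2: each side hashes the IKE cookies plus the IP and port it believes it is talking from and to, and the peer compares those hashes against the source address it actually observed. Every address, both cookies and the choice of SHA-1 as the negotiated hash are constructed assumptions for illustration; the thread redacts the real addresses and does not say which hash was agreed.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """An IKE endpoint as one side knows it: IP address and UDP port (500 by default)."""
    ip: str
    port: int = 500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint, hash_name: str = "sha1") -> bytes:
    """RFC 3947 section 3.2: NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).

    HASH is the algorithm negotiated in the IKE SA; SHA-1 is an assumption here.
    IP is the raw packed address, Port is 2 bytes in network byte order.
    """
    data = cky_i + cky_r + ipaddress.ip_address(ep.ip).packed + struct.pack("!H", ep.port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, remote: Endpoint, local: Endpoint, hash_name="sha1"):
    """Sender's NAT-D list: the remote (destination) address first, then its own address."""
    return [nat_d_hash(cky_i, cky_r, remote, hash_name),
            nat_d_hash(cky_i, cky_r, local, hash_name)]


def detect_nat(cky_i, cky_r, received, observed_peer: Endpoint, local: Endpoint, hash_name="sha1"):
    """Compare the peer's NAT-D payloads with what this side sees on the wire."""
    remote_hash, *peer_hashes = received
    # The peer hashed the address it believes it is talking to. If that is not our
    # own address, something rewrote the destination: we are behind a NAT.
    self_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, local, hash_name)
    # The peer hashed the address it believes it sends from. If none of those match
    # the source IP/port we actually observed, the peer is behind a NAT (or port NAT).
    peer_behind_nat = nat_d_hash(cky_i, cky_r, observed_peer, hash_name) not in peer_hashes
    return {
        "peer_behind_nat": peer_behind_nat,
        "self_behind_nat": self_behind_nat,
        # RFC 3947 section 4: if either side is behind NAT, IKE and ESP float to
        # UDP 4500 (UDP-encapsulated ESP), which is the switch seen in the debugs.
        "float_to_udp_4500": peer_behind_nat or self_behind_nat,
    }


def run_scenario(initiator_ip, source_ip_seen_by_responder, responder_ip, responder_local_ip=None):
    """Constructed exchange: initiator (UTM side) -> responder (far-end firewall).

    initiator_ip: the address the initiator itself is configured with.
    source_ip_seen_by_responder: the source address after any NAT on the path.
    responder_local_ip: the responder's own address if it too sits behind a NAT.
    """
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed 8-byte cookies
    cky_r = bytes.fromhex("fedcba9876543210")
    payloads = build_nat_d_payloads(cky_i, cky_r, Endpoint(responder_ip), Endpoint(initiator_ip))
    observed = Endpoint(source_ip_seen_by_responder)
    responder_local = Endpoint(responder_local_ip or responder_ip)
    return detect_nat(cky_i, cky_r, payloads, observed, responder_local)


if __name__ == "__main__":
    # Addresses from the RFC 5737 documentation ranges; all constructed.
    print("router NATs the UTM:", run_scenario("192.168.1.10", "198.51.100.7", "203.0.113.5"))
    print("no NAT on the path: ", run_scenario("198.51.100.7", "198.51.100.7", "203.0.113.5"))
```

The first scenario is the situation described in the thread: whatever address the UTM is configured with, if the router rewrites the source, the responder's locally computed hash of the observed source will not match the initiator's NAT-D payload, so the responder marks the peer as behind NAT and floats to UDP 4500. Because the hash covers the port as well as the IP, an excluded-from-NAT address that still gets a rewritten source port triggers the same result.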

> On Jun 7, 2014, at 22:30, "Tony Singh" <mothafungla_at_gmail.com> wrote:
>
> Buy a Cisco ASA or recommend one :)
>
> NAT-T is auto-detected on IOS; not sure on the UTM, but according to RFC 3947 it should auto-detect this feature during IKE phase I, so no configuration should be required.
>
> Try removing your exclude-NAT statement, then debug on the router to see what the packets are doing....
>
> --
> BR
>
> Tony
>
>> On 7 Jun 2014, at 16:32, segs <michaelolusegunrufai_at_gmail.com> wrote:
>>
>> Thanks Tony for your response, but for some reason I seem not to be
>> able to enable NAT-T on Cyberoam; per Cyberoam's documentation the
>> feature only works with remote access. But would adding a remote-id and
>> local-id to both ends of the device terminating the tunnel be a valid
>> solution?
>>
>>> On 6/7/14, Tony Singh <mothafungla_at_gmail.com> wrote:
>>> Enable your Cyberoam for NAT-T and remove the NAT exclusion rule on the
>>> Router
>>>
>>> Your debugs suggest the SonicWall has discovered a NAT device (i.e. your
>>> router's outside interface) and changed to Main Mode using UDP 4500
>>>
>>> --
>>> BR
>>>
>>> Tony
>>>
>>>> On 7 Jun 2014, at 15:33, segs <michaelolusegunrufai_at_gmail.com> wrote:
>>>>
>>>> Hello All,
>>>> Sorry for the OT, but I've been having issues setting up an IPsec site-to-site
>>>> VPN behind a router configured for NAT. Below is the setup:
>>>>
>>>> LAN---->Cyberoam---->Router>>>internet>>>>SonicWall
>>>>
>>>> IPsec is terminated on the Cyberoam UTM as well as the SonicWall, but
>>>> the VPN fails to connect and I get the following error on the
>>>> Cyberoam UTM:
>>>>
>>>> Jun 05 19:07:57 packet from 31.221.21.170:500: ignoring unknown Vendor
>>>> ID payload [5b362bc820f60007]
>>>> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID
>>>> payload [RFC 3947] method set to=110
>>>> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID
>>>> payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
>>>> method 110
>>>> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID
>>>> payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
>>>> method 110
>>>> Jun 05 19:07:57 packet from 31.221.21.170:500: received Vendor ID
>>>> payload [draft-ietf-ipsec-nat-t-ike-00]
>>>> Jun 05 19:07:57 "Septa_VPN_London-7" #346: responding to Main Mode
>>>> Jun 05 19:07:57 "Septa_VPN_London-7" #346: transition from state
>>>> STATE_MAIN_R0 to state STATE_MAIN_R1
>>>> Jun 05 19:07:57 "Septa_VPN_London-7" #346: STATE_MAIN_R1: sent
>>>> MR1, expecting MI2
>>>>
>>>> On checking on the internet, this seems to be an issue with NAT behind a
>>>> device terminating the IPsec VPN, so I have excluded the
>>>> IPsec VPN traffic from being NATed on the router on UDP port 500 and
>>>> port 4500, but I am still getting the same error.
>>>> Router config:-
>>>> int g0/1
>>>> ip add 192.168.1.1 255.255.255.0
>>>> ip add 197.x.x.x 255.255.255.248 sec
>>>> ip nat inside
>>>>
>>>>
>>>> CR:-
>>>> Port C
>>>> ip add 197.x.x.y 255.255.255.248
>>>>
>>>> Any pointers to what could be the issue will be very much appreciated.
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Jun 07 2014 - 16:43:13 ART

This archive was generated by hypermail 2.2.0 : Tue Jul 01 2014 - 06:32:35 ART