https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773342#M8047 <P>Hi RJI,</P><P>&nbsp;</P><P>Thanks for the explanation. Got it. Is there any command to find the relevant Public IP for this private IP from the configuration.</P> Sat, 05 Jan 2019 01:57:24 GMT Srinivasan Nagarajan 2019-01-05T01:57:24Z https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773188#M8043 <P>Hi Experts,</P><P>&nbsp;</P><P>&nbsp;When using NAT-T, we're using Private address in the "<SPAN>match identity address" command. If we replace this private IP with the Public IP (1.2.3.4), the tunnel doesn't come up.</SPAN></P><P><SPAN>Can someone please assist how NAT-T working in the&nbsp;match identity address&nbsp;statements. Thanks in advance</SPAN></P><P>&nbsp;</P><P>Configs</P><P>====</P><P><SPAN>Hub-Router #</SPAN></P><P><SPAN>&nbsp;crypto keyring OUR_KEYRING</SPAN></P><P><SPAN>&nbsp; pre-shared-key address&nbsp;1.2.3.4&nbsp;key &lt;key&gt;</SPAN></P><P>&nbsp;</P><P><SPAN>crypto isakmp profile PROFILE_NAME</SPAN></P><P><SPAN>&nbsp;&nbsp; vrf TEST</SPAN></P><P><SPAN>&nbsp;&nbsp; keyring OUR_KEYRING</SPAN></P><P><SPAN>&nbsp;&nbsp; match identity address&nbsp;10.0.0.1&nbsp;255.255.255.255&nbsp; &nbsp; ------&gt;&gt;</SPAN></P><P>&nbsp;</P><P><SPAN>crypto map OUR_MAP&nbsp; ipsec-isakmp</SPAN></P><P><SPAN>&nbsp; set peer&nbsp;1.2.3.4</SPAN></P><P><SPAN>&nbsp; set isakmp-profile PROFILE_NAME</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Cheers,</SPAN></P><P><SPAN>Sri</SPAN></P> Fri, 21 Feb 2020 16:37:49 GMT https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773188#M8043 Srinivasan Nagarajan 2020-02-21T16:37:49Z https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773218#M8044 <P>Check this link&nbsp;</P><P><SPAN><A href="https://community.cisco.com/t5/vpn-and-anyconnect/ikev2-with-nat-t-and-vrf-flexvpn/td-p/2491237" target="_blank">https://community.cisco.com/t5/vpn-and-anyconnect/ikev2-with-nat-t-and-vrf-flexvpn/td-p/2491237</A></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN><A href="https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442" target="_blank">https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442</A></SPAN></P><P>&nbsp;</P><P><SPAN>just on site note ikev2 give you flexibility to use fqdn and email option in key container.</SPAN></P> Fri, 04 Jan 2019 19:20:50 GMT https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773218#M8044 Sheraz.Salim 2019-01-04T19:20:50Z https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773220#M8045 <P>Check this link&nbsp;</P><P><SPAN><A href="https://community.cisco.com/t5/vpn-and-anyconnect/ikev2-with-nat-t-and-vrf-flexvpn/td-p/2491237" target="_blank">https://community.cisco.com/t5/vpn-and-anyconnect/ikev2-with-nat-t-and-vrf-flexvpn/td-p/2491237</A></SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442" target="_blank">https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442</A></SPAN></P><P>&nbsp;</P><P><SPAN>just on site note ikev2 give you flexibility to use fqdn and email option in key container.</SPAN></P> Fri, 04 Jan 2019 19:21:19 GMT https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773220#M8045 Sheraz.Salim 2019-01-04T19:21:19Z https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773256#M8046 Hi,<BR />When the router is behind a nat device the original packet is natted and adds a new ip header (with the public IP address), which is subsequently removed on the receiving end device leaving the original private IP address. Therefore the identity of the remote router will always be the physical IP address of the device, as it would not know what the NATTED ip address would be.<BR /><BR />As suggested in the other comment if you use IKEv2, use either fqdn, email or even certificate then it does not matter about the IP address.<BR /><BR />HTH Fri, 04 Jan 2019 20:44:31 GMT https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773256#M8046 Rob Ingram 2019-01-04T20:44:31Z https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773342#M8047 <P>Hi RJI,</P><P>&nbsp;</P><P>Thanks for the explanation. Got it. Is there any command to find the relevant Public IP for this private IP from the configuration.</P> Sat, 05 Jan 2019 01:57:24 GMT https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773342#M8047 Srinivasan Nagarajan 2019-01-05T01:57:24Z https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773408#M8048 <P>If you on the router give a command&nbsp;</P><P>&nbsp;</P><P>show ip nat translation</P><P>show ip nat statistic&nbsp;</P><P>show ip nat translation | i x.x.x.x</P><P>&nbsp;</P><P>if on firewall</P><P>show conn adress x.x.x.x detail</P> Sat, 05 Jan 2019 09:53:57 GMT https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773408#M8048 Sheraz.Salim 2019-01-05T09:53:57Z https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773491#M8049 <P>Hi,</P><P>From one of the VPN peer routers, you can use the command <EM><STRONG>show crypto session detail</STRONG></EM>. This will identify the peer IP address (the public IP address) and the Phase_1 ID (the real/private IP address).</P><P>&nbsp;</P><P>R2#show crypto session detail<BR />Crypto session current status<BR /><BR />Code: C - IKE Configuration mode, D - Dead Peer Detection<BR />K - Keepalives, N - NAT-traversal, T - cTCP encapsulation<BR />X - IKE Extended Authentication, F - IKE Fragmentation<BR />R - IKE Auto Reconnect<BR /><BR />Interface: GigabitEthernet0/0<BR />Profile: ISAKMP_PROFILE<BR />Uptime: 00:00:07<BR />Session status: UP-ACTIVE<BR />Peer: <EM><STRONG>1.1.1.11</STRONG></EM> port 4500 fvrf: (none) ivrf: (none)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Phase1_id: <EM><STRONG>192.168.100.2</STRONG></EM></P><P>&nbsp;</P><P>You can actually set the identity of the peers using fqdn on ISAKMP, so you don't necessarily need to change to IKEv2. IKEv2 does allow other identities however.</P><P>&nbsp;</P><P>So you could identify the routers as per this example (instead of the address):-</P><P>&nbsp;</P><P><EM>crypto isakmp profile ISAKMP_PROFILE</EM><BR /><EM>&nbsp;&nbsp; keyring KEYRING</EM><BR /><EM>&nbsp;&nbsp; self-identity fqdn <STRONG>R2.lab.net</STRONG></EM><BR /><EM>&nbsp;&nbsp; match identity host domain lab.net</EM></P><P>&nbsp;</P><P>You would just change the self identity e.g R2.lab.net for each router</P><P>&nbsp;</P><P>The output of <EM><STRONG>show crypto session detail</STRONG></EM> would now identify the router's Phase_1 ID as the fqdn specified in the isakmp profile rather than the IP address.</P><P>&nbsp;</P><P>R2#sh crypto session&nbsp; detail<BR /><BR />Interface: GigabitEthernet0/0<BR />Profile: ISAKMP_PROFILE<BR />Uptime: 00:03:35<BR />Session status: UP-ACTIVE<BR />Peer: 1.1.1.11 port 4500 fvrf: (none) ivrf: (none)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Phase1_id: <EM><STRONG>R4.lab.net</STRONG></EM><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Desc: (none)<BR /><BR />HTH &nbsp;&nbsp;</P> Sat, 05 Jan 2019 15:19:12 GMT https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773491#M8049 Rob Ingram 2019-01-05T15:19:12Z https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773625#M8050 <P>Hi RJI,</P><P>&nbsp; Got it. Thank you very much. You're a Rock star <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 06 Jan 2019 06:40:42 GMT https://community.cisco.com/t5/network-security/ipsec-match-identity-address-with-nat-t/m-p/3773625#M8050 Srinivasan Nagarajan 2019-01-06T06:40:42Z