IPSEC- Match identity address with NAT-T

Hi Experts,

 

When using NAT-T, we're using the private address in the "match identity address" command. If we replace this private IP with the public IP (1.2.3.4), the tunnel doesn't come up.

Can someone please explain how NAT-T works with the match identity address statement? Thanks in advance.

 

Configs

====

Hub-Router#

crypto keyring OUR_KEYRING
  pre-shared-key address 1.2.3.4 key <key>

crypto isakmp profile PROFILE_NAME
   vrf TEST
   keyring OUR_KEYRING
   match identity address 10.0.0.1 255.255.255.255    ------>>

crypto map OUR_MAP ipsec-isakmp
  set peer 1.2.3.4
  set isakmp-profile PROFILE_NAME

 

 

Cheers,

Sri

Accepted Solution

Hi,
When the router is behind a NAT device, the original packet is NATed and a new IP header (with the public IP address) is added, which is subsequently removed on the receiving end device, leaving the original private IP address. Therefore the identity of the remote router will always be the physical IP address of the device, as it would not know what the NATed IP address would be.

As suggested in the other comment if you use IKEv2, use either fqdn, email or even certificate then it does not matter about the IP address.

HTH

7 Replies

Check this link 

https://community.cisco.com/t5/vpn-and-anyconnect/ikev2-with-nat-t-and-vrf-flexvpn/td-p/2491237

 

 

https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442

 

Just a side note: IKEv2 gives you the flexibility to use the fqdn and email options in the key container.

please do not forget to rate.

Hi RJI,

 

Thanks for the explanation. Got it. Is there any command to find the relevant public IP for this private IP from the configuration?

If you are on the router, give the commands

show ip nat translations
show ip nat statistics
show ip nat translations | include x.x.x.x

If on a firewall:

show conn address x.x.x.x detail

please do not forget to rate.
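The reply above points at the NAT device's translation table to find the public address that belongs to a private IKE peer. As an added example (not part of the thread, and not Cisco code), the parser below reads the "show ip nat translations" table of an IOS NAT router in front of the spoke and keeps only the UDP 500/4500 rows, because those are the translations the hub actually sees for IKE and NAT-T. The table text is constructed for the example; the addresses follow the thread (10.0.0.1 behind 1.2.3.4), and the other hosts, outside addresses and ports are invented.

```python
"""Map a private IKE peer to the public address its NAT device presents.

Added example, not from the thread. The table below is constructed: the spoke
10.0.0.1 is translated to 1.2.3.4; the other inside hosts, outside addresses and
ports are made up to show rows the lookup must ignore or flag."""

SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 1.2.3.4:4500       10.0.0.1:4500      203.0.113.10:4500  203.0.113.10:4500
udp 1.2.3.4:500        10.0.0.1:500       203.0.113.10:500   203.0.113.10:500
udp 1.2.3.4:1026       10.0.0.7:4500      203.0.113.10:4500  203.0.113.10:4500
tcp 1.2.3.4:1025       10.0.0.5:443       198.51.100.7:443   198.51.100.7:443
--- 1.2.3.4            10.0.0.9           ---                ---
"""

IKE_PORTS = {500, 4500}  # IKE (ISAKMP) and NAT-T encapsulation


def split_endpoint(token):
    """'1.2.3.4:4500' -> ('1.2.3.4', 4500); '1.2.3.4' -> ('1.2.3.4', None); '---' -> (None, None)."""
    if token == "---":
        return None, None
    host, sep, port = token.rpartition(":")
    if not sep:
        return token, None
    return host, int(port)


def parse_nat_translations(text):
    """Return one dict per translation row; the header line and anything malformed is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, inside_global, inside_local, _outside_local, outside_global = parts
        rows.append({
            "proto": proto.lower(),
            "inside_global": split_endpoint(inside_global),
            "inside_local": split_endpoint(inside_local),
            "outside_global": split_endpoint(outside_global),
        })
    return rows


def ike_translations_for(rows, private_ip):
    """IKE/NAT-T rows for one private peer: (inside-global endpoint, inside-local port)."""
    return [(r["inside_global"], r["inside_local"][1]) for r in rows
            if r["proto"] == "udp"
            and r["inside_local"][0] == private_ip
            and r["inside_local"][1] in IKE_PORTS]


def public_peer_address(rows, private_ip):
    """The public address the hub sees for this private peer, or None if no IKE row exists.

    port_rewritten tells you whether the NAT device changed the UDP source port
    (port address translation), which is worth knowing when comparing with the
    'port' field shown next to the peer in 'show crypto session detail'."""
    hits = ike_translations_for(rows, private_ip)
    if not hits:
        return None
    public_ips = {ip for (ip, _gport), _lport in hits}
    if len(public_ips) != 1:
        raise ValueError(f"{private_ip} is translated to several public addresses: {sorted(public_ips)}")
    port_rewritten = any(gport != lport for (_ip, gport), lport in hits)
    return {"public_ip": public_ips.pop(), "port_rewritten": port_rewritten}


if __name__ == "__main__":
    table = parse_nat_translations(SAMPLE_NAT_TABLE)
    for host in ("10.0.0.1", "10.0.0.7", "10.0.0.5"):
        print(host, "->", public_peer_address(table, host))
```

Run it on a saved copy of the real table instead of SAMPLE_NAT_TABLE to get the address that belongs in the hub's `pre-shared-key address` and `set peer` lines; the `match identity address` line keeps the private address, since that is what the spoke sends as its identity.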

Hi,

From one of the VPN peer routers, you can use the command show crypto session detail. This will identify the peer IP address (the public IP address) and the Phase_1 ID (the real/private IP address).

 

R2#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: GigabitEthernet0/0
Profile: ISAKMP_PROFILE
Uptime: 00:00:07
Session status: UP-ACTIVE
Peer: 1.1.1.11 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.100.2

 

You can actually set the identity of the peers using fqdn on ISAKMP, so you don't necessarily need to change to IKEv2. IKEv2 does allow other identities however.

 

So you could identify the routers as per this example (instead of the address):

 

crypto isakmp profile ISAKMP_PROFILE
   keyring KEYRING
   self-identity fqdn R2.lab.net
   match identity host domain lab.net

 

You would just change the self-identity, e.g. R2.lab.net, for each router.

 

The output of show crypto session detail would now identify the router's Phase_1 ID as the fqdn specified in the isakmp profile rather than the IP address.

 

R2#show crypto session detail

Interface: GigabitEthernet0/0
Profile: ISAKMP_PROFILE
Uptime: 00:03:35
Session status: UP-ACTIVE
Peer: 1.1.1.11 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: R4.lab.net
      Desc: (none)

HTH   
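The accepted solution and the reply above both come down to one point: the hub performs two separate lookups for an incoming IKEv1 negotiation. The keyring is selected by the address the IKE packet arrives from (the post-NAT public address, 1.2.3.4 in the original post), while the ISAKMP profile's `match identity` is evaluated against the identity the spoke places in its IKE ID payload, which is its own interface address (10.0.0.1) unless `self-identity` changes it to an FQDN. The following Python model is an added example, not code from the thread or from Cisco: it parses a constructed `show crypto session detail` sample modelled on the output posted above, and replays the thread's three configurations (the working private-address match, the public-address match that failed, and the `match identity host domain lab.net` variant) through those two lookups. The profile and keyring names are taken from the thread; the matching rules are a simplified model of IOS behaviour, not its implementation.

```python
"""Model of the two lookups an IOS hub performs when an IKEv1 peer sits behind NAT.

Added example, not from the thread. The keyring lookup uses the packet's source
address (the NAT public address); the ISAKMP profile match uses the identity from
the peer's IKE ID payload (its private address, or an FQDN with self-identity).
The matching rules below are a simplified model, not IOS code."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample of "show crypto session detail", modelled on the thread's output.
SAMPLE_SESSION_OUTPUT = """\
Interface: GigabitEthernet0/0
Profile: ISAKMP_PROFILE
Uptime: 00:00:07
Session status: UP-ACTIVE
Peer: 1.1.1.11 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.100.2
      Desc: (none)
"""


def parse_crypto_sessions(text):
    """Return [(peer_address, port, phase1_id)] for every session in the output."""
    sessions, peer = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Peer:\s+(\S+)\s+port\s+(\d+)", line)
        if m:
            peer = (m.group(1), int(m.group(2)))
            continue
        m = re.match(r"\s*Phase1_id:\s+(\S+)", line)
        if m and peer is not None:
            sessions.append((peer[0], peer[1], m.group(1)))
            peer = None
    return sessions


@dataclass
class IsakmpProfile:
    name: str
    keyring: str
    match_addresses: list = field(default_factory=list)  # (address, mask) from "match identity address"
    match_domains: list = field(default_factory=list)    # domains from "match identity host domain"

    def matches(self, phase1_id):
        """True if the identity from the IKE ID payload satisfies one of the match lines."""
        try:
            ident = ipaddress.ip_address(phase1_id)
        except ValueError:
            # Not an address: treat it as an FQDN identity and compare the domain suffix.
            return any(phase1_id.lower().endswith("." + d.lower()) for d in self.match_domains)
        return any(ident in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                   for addr, mask in self.match_addresses)


def select_profile(profiles, phase1_id):
    """Name of the first profile whose match statements accept the identity, else None."""
    return next((p.name for p in profiles if p.matches(phase1_id)), None)


def lookup_psk(keyring, peer_address):
    """Keyring lookup: keyed by the source address of the IKE packet, i.e. the NAT public address."""
    return keyring.get(peer_address)


def hub_decision(keyring, profiles, peer_address, phase1_id):
    """Both lookups for one incoming negotiation, as the hub sees them."""
    return {
        "psk_found": lookup_psk(keyring, peer_address) is not None,
        "profile": select_profile(profiles, phase1_id),
    }


# The thread's hub: key for the public 1.2.3.4, profile matching the private 10.0.0.1.
OUR_KEYRING = {"1.2.3.4": "<key>"}
PROFILE_PRIVATE = IsakmpProfile("PROFILE_NAME", "OUR_KEYRING",
                                match_addresses=[("10.0.0.1", "255.255.255.255")])
# What the poster tried: matching the public address in the profile instead.
PROFILE_PUBLIC = IsakmpProfile("PROFILE_NAME", "OUR_KEYRING",
                               match_addresses=[("1.2.3.4", "255.255.255.255")])
# The FQDN alternative from the last reply: match identity host domain lab.net.
PROFILE_FQDN = IsakmpProfile("ISAKMP_PROFILE", "KEYRING", match_domains=["lab.net"])

if __name__ == "__main__":
    print(parse_crypto_sessions(SAMPLE_SESSION_OUTPUT))
    print("private match:", hub_decision(OUR_KEYRING, [PROFILE_PRIVATE], "1.2.3.4", "10.0.0.1"))
    print("public match: ", hub_decision(OUR_KEYRING, [PROFILE_PUBLIC], "1.2.3.4", "10.0.0.1"))
    print("fqdn match:   ", hub_decision(OUR_KEYRING, [PROFILE_FQDN], "1.1.1.11", "R4.lab.net"))
```

The second run shows the failure the poster saw: the pre-shared key is still found, because the packet really does come from 1.2.3.4, but no profile matches the identity 10.0.0.1, so the negotiation has no profile (and no VRF or keyring binding) to proceed with. The FQDN variant decouples the profile match from addresses entirely, which is why it survives any NAT in the path.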

Hi RJI,

  Got it. Thank you very much. You're a Rock star :)
