01-04-2019 10:10 AM - edited 02-21-2020 08:37 AM
Hi Experts,
When using NAT-T, we're using the private address in the "match identity address" command. If we replace this private IP with the public IP (1.2.3.4), the tunnel doesn't come up.
Can someone please assist with how NAT-T works in the match identity address statements? Thanks in advance.
Configs
====
Hub-Router #
crypto keyring OUR_KEYRING
pre-shared-key address 1.2.3.4 key <key>
crypto isakmp profile PROFILE_NAME
vrf TEST
keyring OUR_KEYRING
match identity address 10.0.0.1 255.255.255.255 ------>>
crypto map OUR_MAP ipsec-isakmp
set peer 1.2.3.4
set isakmp-profile PROFILE_NAME
Cheers,
Sri
01-04-2019 11:20 AM
Check these links:
https://community.cisco.com/t5/vpn-and-anyconnect/ikev2-with-nat-t-and-vrf-flexvpn/td-p/2491237
https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442
Just a side note: IKEv2 gives you the flexibility to use the FQDN and email options in the key container.
01-04-2019 12:44 PM
01-04-2019 05:57 PM
Hi RJI,
Thanks for the explanation. Got it. Is there any command to find the relevant public IP for this private IP from the configuration?
01-05-2019 01:53 AM
If you are on the router, use these commands:
show ip nat translation
show ip nat statistics
show ip nat translation | i x.x.x.x
If on a firewall:
show conn address x.x.x.x detail
01-05-2019 07:19 AM
Hi,
From one of the VPN peer routers, you can use the command show crypto session detail. This will identify the peer IP address (the public IP address) and the Phase_1 ID (the real/private IP address).
R2#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: GigabitEthernet0/0
Profile: ISAKMP_PROFILE
Uptime: 00:00:07
Session status: UP-ACTIVE
Peer: 1.1.1.11 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.100.2
You can actually set the identity of the peers using fqdn on ISAKMP, so you don't necessarily need to change to IKEv2. IKEv2 does allow other identities however.
So you could identify the routers as in this example (instead of by address):
crypto isakmp profile ISAKMP_PROFILE
keyring KEYRING
self-identity fqdn R2.lab.net
match identity host domain lab.net
You would just change the self-identity (e.g. R2.lab.net) for each router.
The output of show crypto session detail would now identify the router's Phase_1 ID as the fqdn specified in the isakmp profile rather than the IP address.
R2#sh crypto session detail
Interface: GigabitEthernet0/0
Profile: ISAKMP_PROFILE
Uptime: 00:03:35
Session status: UP-ACTIVE
Peer: 1.1.1.11 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: R4.lab.net
Desc: (none)
HTH
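The Peer/Phase1_id split in the output above is the whole NAT-T story: the router talks to the post-NAT public address on UDP/4500, but the ISAKMP profile has to match the identity the peer actually sends. As an added example (not from the original post or from Cisco), this script parses "show crypto session detail" text, flags sessions whose peer address differs from their Phase1_id, and prints the match identity line the profile needs; the sample output is constructed to resemble the post's.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the "show crypto session detail" output quoted above;
# the second session is a peer that is not behind NAT (constructed for contrast).
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet0/0
Profile: ISAKMP_PROFILE
Session status: UP-ACTIVE
Peer: 1.1.1.11 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.100.2
      Desc: (none)

Interface: GigabitEthernet0/1
Profile: ISAKMP_PROFILE
Session status: UP-ACTIVE
Peer: 1.1.1.12 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 1.1.1.12
      Desc: (none)
"""

@dataclass
class Session:
    interface: str
    peer: str        # post-NAT (public) address the router actually talks to
    port: int        # 4500 once NAT-T has been negotiated
    phase1_id: str   # IKE identity sent by the peer: its pre-NAT (private) address

    @property
    def behind_nat(self) -> bool:
        return self.port == 4500 and self.peer != self.phase1_id

    def match_identity_line(self) -> str:
        # The isakmp profile must match the Phase1_id, not the public peer address
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", self.phase1_id):
            return f"match identity address {self.phase1_id} 255.255.255.255"
        return f"match identity host {self.phase1_id}"

def parse_sessions(text: str) -> List[Session]:
    sessions, interface, peer, port = [], "", "", 0
    for line in text.splitlines():
        if m := re.match(r"Interface:\s+(\S+)", line):
            interface = m.group(1)
        elif m := re.match(r"Peer:\s+(\S+)\s+port\s+(\d+)", line):
            peer, port = m.group(1), int(m.group(2))
        elif m := re.match(r"\s*Phase1_id:\s+(\S+)", line):
            sessions.append(Session(interface, peer, port, m.group(1)))
    return sessions
```

Paste real output in place of SAMPLE_OUTPUT and any session reported as behind_nat is one where the profile must match the Phase1_id (or an FQDN identity, as in the profile above) rather than the public peer IP.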
01-05-2019 10:40 PM
Hi RJI,
Got it. Thank you very much. You're a Rock star :)