Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
859
Views
0
Helpful
2
Replies

ISAKMP/IPSEC Stateful

paulsa3598
Level 1
Level 1

‎01-22-2007 07:32 PM - edited ‎03-11-2019 02:23 AM

Does anyone know if the process of creating phase 1 and phase 2 is a stateful connection or does it create a new connection somewhat like FTP?

Do you have link explaining it?

I have 2 firewalls, firewall A is Inet EDge, Firewall B is the VPN box.

Firewall A provides NAT for all outgoing traffic.ALl traffic goes out a PAT.

Traffic for the VPN incoming is established by using a policy NAT. Not a static. I see traffic for the tunnel hitting the vpn box but phase 2 is never established. I'm afarid phase 2 is using the PAT as the peer. Is this possible?

I know creating a static would solve my problem but I'm mostly interested in how the communication for the tunnel is completed.

Labels:
0 Helpful
2 Replies 2

vijayasankar
Level 4
Level 4

‎01-22-2007 09:54 PM

Hi,

If your devices support IpSec Nat Traversal, then there shouldn't be any issues in ipsec tunnel formation.

Check this url for explanation on how ipsec detects the existence of NAT along the path and how subsequent stages are handled in IPSec NAT Traversal feature.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm

Have you done any troubleshooting to capture some debug outputs, to examine what is going on during phase 1 and phase 2 attempts..

To troubleshoot further, you may have to capture some diagnostics command and debugs on the involved devices.

Hope this helps.

-VJ

0 Helpful

Fernando_Meza
Level 7
Level 7

‎01-23-2007 01:07 AM

Hi ..

Even using static translation .. if your end device does not support NAT-Transparency then you will not be able to establish the tunnel. The main reason is because NAT changes the IP header which results in mismatches between end points. NAT-Traversal overcomes this by encapsulating Ipsec packets on upper layer protocol such as UDP before the NAT header is added. In that way the original Ipsec packet is not modified in transit.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

I hope it helps .. please rate it if it does !!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card