06-10-2003 03:43 AM - edited 02-20-2020 10:47 PM
Dear All,
I have a bit of a problem with one site that is running NAT-T. The problem is that it is never coming up.
It seems like it is OK, and it has detected that it needs NAT-T, but then it deletes it.
Here is my trace:
AGENT-REK1# sh debug
AGENT-REK1# cofn t
Type help or '?' for a list of available commands.
AGENT-REK1# conf t
AGENT-REK1(config)# debug crypto isakmp
AGENT-REK1(config)# debug crypto eng
AGENT-REK1(config)# debug crypto ipsec
AGENT-REK1(config)# term mon
111008: User 'enable_15' executed the 'terminal mon' command.
AGENT-REK1(config)# sh crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
111009: User 'enable_15' executed cmd: show crypto isakmp sa
AGENT-REK1(config)#
AGENT-REK1(config)#
609002: Teardown local-host inside:10.20.0.2 duration 0:05:01
609001: Built local-host inside:10.20.0.2
302015: Built outbound UDP connection 6 for outside:10.1.1.1/123 (10.1.1.1/123) to inside:10.20.0.2/123 (10.20.0.2/123)
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
702303: sa_request, (key eng. msg.) src= 10.27.38.250, dest= 212.130.29.209, src_proxy= 10.20.0.0/255.255.255.252/0/0 (type=4), dest_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:212.130.29.209, dest:10.27.38.250 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:212.130.29.209, dest:10.27.38.250 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: 7b bf 5 22 5c 69 46 8a ec b0 6e 11 e5 86 9f 2d
my nat hash : 64 7b c6 5c 86 13 25 75 24 8f cc 9c d0 e0 57 bc
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: 58 ea b0 6e 19 c5 b6 ec f7 9c 0 1a 57 38 69 9e
his nat hash : b8 8a 3d 52 35 d7 e9 da b6 c8 d1 a0 97 36 15 33
ISAKMP: Created a peer struct for 212.130.29.209, peer port 37905
ISAKMP: Locking UDP_ENC struct 0x9e7f6c from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
710005: UDP request discarded from 200.165.16.16/63148 to outside:10.27.38.250/netbios-ns
IPSEC(key_engine): request timer fired: count = 1,
702303: sa_request, (key eng. msg.) src= 10.27.38.250, dest= 212.130.29.209, src_proxy= 10.20.0.0/255.255.255.252/0/0 (type=4), dest_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
(identity) local= 10.27.38.250, remote= 212.130.29.209,
local_proxy= 10.20.0.0/255.255.255.252/0/0 (type=4),
remote_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1)
ISADB: reaper checking SA 0xaa6924, conn_id = 0
ISAKMP (0): deleting SA: src 10.27.38.250, dst 212.130.29.209
ISADB: reaper checking SA 0xaa6924, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 212.130.29.209/4500 not found - peers:0
ISAKMP: Unlocking UDP ENC struct 0x9e7f6c from isadb_free_isakmp_sa,
Any idea?
06-16-2003 07:01 AM
NAT-T was not supported on the PIX firewall until December last year (that was when I was looking for this functionality). This is a new feature and only 6.3 seems to support it (and some 6.2 images such as 6.2(2.132)). What you need to do is to make sure that the image running on your firewall supports NAT-T.
06-17-2003 01:35 AM
It is running 6.3, and I know that, but that is not a solution.
If you look in the debug you can see it is supporting NAT-T on the lines "my nat hash" / "his nat hash".
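The NAT-D lines in the trace above ("constructed MINE NAT-D", "constructed HIS NAT-D", "NAT does not match MINE hash", "hash received" / "my nat hash") are the RFC 3947 NAT detection step of IKEv1 Main Mode. The Python below is an added example, not code from the original post or from Cisco, that recomputes those hashes and shows why they differ when a peer sits behind a NAT. The IKE cookies, the post-NAT address and port 198.51.100.7:37905 and the one-sided-NAT topology are constructed for the example; only the two peer addresses 10.27.38.250 and 212.130.29.209 come from the trace, and the hash values here will not equal the ones in the debug because the real cookies are unknown.

```python
"""
Constructed illustration of IKEv1 NAT-D hashing (RFC 3947 section 3.2).
All cookies, ports and the post-NAT address are made up for the example.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "md5") -> bytes:
    # NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port)
    # IP in network byte order, port as a 2-byte big-endian value.
    # HASH is the negotiated IKE hash; the trace negotiated MD5.
    data = (cky_i + cky_r
            + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port,
                         hash_name="md5"):
    # A sender puts the hash of the *destination* address first, then the
    # hash of its own source address as it believes it to be (pre-NAT).
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name),
            nat_d_hash(cky_i, cky_r, own_ip, own_port, hash_name)]


def check_nat_d(cky_i, cky_r, received, own_ip, own_port,
                observed_peer_ip, observed_peer_port, hash_name="md5"):
    # The receiver recomputes both hashes from what it actually sees on the
    # wire and compares them with what the peer sent.
    mine = nat_d_hash(cky_i, cky_r, own_ip, own_port, hash_name)
    his = nat_d_hash(cky_i, cky_r, observed_peer_ip, observed_peer_port,
                     hash_name)
    # First payload differs -> my own address was rewritten on the way
    # ("NAT does not match MINE hash").
    local_behind_nat = received[0] != mine
    # Any remaining payload differs -> the peer's address was rewritten
    # ("NAT does not match HIS hash").
    peer_behind_nat = any(h != his for h in received[1:])
    return {
        "local_behind_nat": local_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        # Either side behind NAT makes both peers float to UDP 4500.
        "float_to_4500": local_behind_nat or peer_behind_nat,
    }


def simulate_trace(cky_i: bytes = b"\x11" * 8, cky_r: bytes = b"\x22" * 8):
    # Constructed topology: the initiator (the PIX) has a private address
    # behind a NAT, the responder is directly reachable.
    init_private = ("10.27.38.250", 500)
    init_as_seen = ("198.51.100.7", 37905)   # constructed post-NAT addr/port
    resp = ("212.130.29.209", 500)

    # Initiator -> responder: H(responder addr), H(own private addr)
    i_payloads = build_nat_d_payloads(cky_i, cky_r, *resp, *init_private)
    resp_view = check_nat_d(cky_i, cky_r, i_payloads, *resp, *init_as_seen)

    # Responder -> initiator: H(initiator addr as observed), H(own addr)
    r_payloads = build_nat_d_payloads(cky_i, cky_r, *init_as_seen, *resp)
    init_view = check_nat_d(cky_i, cky_r, r_payloads, *init_private, *resp)
    return resp_view, init_view


if __name__ == "__main__":
    r, i = simulate_trace()
    print("responder sees:", r)
    print("initiator sees:", i)
```

Each side hashes the IKE cookies plus the address and port it believes it is using, while the receiver hashes what it actually saw on the wire, so a NAT anywhere on the path shows up as a hash mismatch without either side needing to know the NAT's address. A mismatch on the first payload means the receiver's own address was rewritten, a mismatch on the following ones means the sender's was, and either result makes both peers move IKE and ESP to UDP 4500 with the 4-byte non-ESP marker. In the posted trace both comparisons fail, which this check would report with both flags set, i.e. the address or port differed on both sides as each peer saw them.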