04-10-2016 02:29 AM - edited 03-05-2019 03:45 AM
Dear Sir
The attached router configuration blocks ports UDP 4500 and 500.
Please check it and send your response.
Thanks
04-11-2016 12:18 AM
I don't understand your question.
Are you saying you can not VPN into the site, or perhaps are you saying users inside of the network can not VPN out to somewhere else?
04-11-2016 01:01 AM
Dear Philip
Thank you for your reply. Yes, the VPN traffic can't pass the router.
Waiting for your response
Regards
04-11-2016 09:12 AM
There is nothing in this config that will block outbound packets to UDP/500 or UDP/4500.
The router itself has IPSec configured on it, so responses coming back to the router from a NATed session may cause the router to also respond, so the remote end would have to be smart enough to handle that - but as long as the remote end is a semi-recent Cisco device it should have no issues.
If you still can not get it to work you need to take a look at the software versions being used on your device (not so likely to be the problem) and the remote device you are doing the VPN to.
04-12-2016 06:39 AM
Thanks for your feedback
04-12-2016 12:29 PM
Your TCP dump shows you are getting packets from port UDP/500 and UDP/4500. So it is not getting blocked.
04-13-2016 08:25 AM
But I could not establish the IPsec tunnel. Can you advise me, please?
04-13-2016 01:02 PM
There is nothing wrong with the config on your end, and the packet trace shows the traffic is arriving at the remote end.
It is the remote end with the issue. Is this a Cisco device that you have control over? If not, then there is nothing we can do to fix their problem.
04-13-2016 11:52 PM
04-14-2016 01:06 AM
Now it has become clearer. Are the VPNs actually between these CyberRoam devices?
If so, you already have a VPN configured on your Cisco device. You can't configure a VPN on it, and also ask it to port forward that same traffic to another device.
If you want the VPN to work between the CyberRoam devices then remove the VPN on your Cisco device.
04-16-2016 12:55 AM
Thank you for your support
I attached the configuration for routers 192.168.20.4 & 192.168.10.2
The other Cisco router 192.169.10.2 accepted the VPN with the other router, not 192.168.20.4.
Why is this, when 192.168.10.2 has the same VPN configuration as 192.168.20.4?
How do I stop the IPsec VPN on 192.168.20.4, and does it affect access to the public IPs?
Thanks
04-16-2016 07:43 AM
How can we make the site-to-site VPN through two Cisco routers?
04-17-2016 01:01 PM
I don't know what kind of routers you have, but perhaps take a look at my config wizard for Cisco 890 series routers, and extract out the bits relating to VPNs for your scenario.
http://www.ifm.net.nz/cookbooks/890-isr-wizard.html
If you have a much older router, perhaps try the 870 wizard instead.
04-17-2016 11:03 PM
04-18-2016 08:31 AM
Take a look at "interface Virtual-Template1 type tunnel" - you do have crypto enabled. You just are not using the older style crypto map.