IPsec over NAT444 issue

mrkassimi
Level 1

Hello everyone, I have to set up an IPsec tunnel with Lo0 as the source of the tunnel. NAT is activated in my CE and at the ISP level (NAT444).
All IPsec and NAT configuration is OK, but as far as I know, for NAT to work correctly the packet should pass through the NAT inside and outside interfaces (and vice versa), so how can this happen if the target interface is a loopback? I configured the loopback interface with nat inside, but the tunnel is still down, with a few log messages:

%IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: xxxxxxx Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: xxxxxx Protocol: 47 Port Range: 0-65535
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

My config:
! All IPsec config is OK
interface TO-ISP
 ! private IP, will be NATed at the ISP side
 ip nat outside
 exit
interface Loopback0
 ip address x.x.x.x
 ip nat inside
 exit
interface Tunnel77
 tunnel source Loopback0
 ! other parameters
 exit
ip nat inside source list ALLOW-LO0 interface TO-ISP overload
end

Does anyone know how to fix this issue, please?

9 Replies

M02@rt37
VIP

Hello @mrkassimi 

Loopback interfaces do not typically participate in NAT translations the way regular physical interfaces do. Even though you have configured ip nat inside on the loopback, the traffic isn't hitting the NAT process as expected, and this is likely why your tunnel is not coming up.

So, use a physical interface for NAT instead of the Loopback.

Best regards

Thank you M02@rt37 for your quick feedback. Sadly, I can't use the WAN interface as the source of my tunnel because it is configured with a private IP, which is not allowed by the remote peer, and the process to order a public IP is so long.

So is there any way to accomplish this? Can I, for example, tag the WAN interface with nat inside and nat outside at the same time?

I have the option to request my ISP to directly NAT my loopback IP on their side (without doing NAT in my CE). However, communication with the ISP is often time-consuming.

Hello


@mrkassimi wrote:

I can't use the WAN interface as the source of my tunnel because it is configured with a private IP, which is not allowed by the remote peer, and the process to order a public IP is so long


So if your WAN interface has a non-publicly-routable address and you're sourcing your tunnel via the loopback, how is the source reachable from the remote end of the tunnel: via NAT?

Can you elaborate?




Kind Regards
Paul

As @paul driver mentioned, we need some more elaboration.

MHM

Giuseppe Larosa
Hall of Fame

Hello @mrkassimi ,

You get a blocking error message at the IKEv2 protocol exchange:

>> %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

for further troubleshooting you can follow this technote:

https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/115934-technote-ikev2-00.html

The suggested debug commands are :

deb crypto ikev2 packet
deb crypto ikev2 internal

From the first IKEv2 message we see:

>> %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: xxxxxxx Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: xxxxxx Protocol: 47 Port Range: 0-65535

The user traffic triggering the IKEv2 negotiation is GRE (IP protocol 47). Is your Tunnel77 using GRE encapsulation?

You need also to check NAT with

show ip nat translations

Use two parallel SSH sessions: one with terminal monitor enabled to see the debug output and collect it to a log file; in the other SSH session you can issue show commands and start and stop debugging.

You can also compare your configuration with the one in the technote.

Making IPsec work using a loopback is already difficult; adding NAT creates additional problems.

NAT-T (UDP 4500) has to be permitted on the path end to end, and both VPN endpoints have to agree on using it.

Hope to help

Giuseppe

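The reply above recommends two checks: read the IKEv2 syslog lines (which protocol triggered the negotiation, and where it aborted) and confirm with show ip nat translations whether the loopback-sourced IKE traffic is actually being translated. The following script is an added example, not code from the thread or from Cisco: it parses both outputs offline. The syslog lines and the show ip nat translations table are constructed samples modelled on the IOS formats; the addresses (10.1.1.1 standing in for Lo0, 192.168.10.x hosts, 100.64.12.7 as the CGNAT address the ISP's NAT444 would give the CE, 198.51.100.5 as the peer) are assumptions.

```python
"""Offline checks for IKEv2 syslog and `show ip nat translations` output.

Added example for this thread; not from Cisco or the original poster.
All sample data below is constructed and every address is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed IOS syslog lines modelled on the ones quoted in the thread.
SAMPLE_SYSLOG = """\
%IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.1.1.1-10.1.1.1 Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: 198.51.100.5-198.51.100.5 Protocol: 47 Port Range: 0-65535
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
"""

# Constructed `show ip nat translations` output. 100.64.12.7 plays the CE's
# ISP-facing (CGNAT) address; note that no row carries the loopback 10.1.1.1.
SAMPLE_NAT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 100.64.12.7:500       192.168.10.20:500     198.51.100.5:500      198.51.100.5:500
tcp 100.64.12.7:1025      192.168.10.21:51234   93.184.216.34:443     93.184.216.34:443
"""

IP_PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
IKE_PORTS = {500, 4500}  # IKE, and NAT-T (UDP-encapsulated ESP) on 4500

SYSLOG_RE = re.compile(r"%IKEV2-(\d)-([A-Z_]+):\s*(.*)")
PROTO_RE = re.compile(r"Protocol:\s*(\d+)")


@dataclass
class IkeEvent:
    severity: int
    mnemonic: str
    text: str


def parse_ikev2_syslog(text: str) -> List[IkeEvent]:
    """Extract severity, mnemonic and message from %IKEV2-<sev>-<MNEMONIC>: lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            events.append(IkeEvent(int(m.group(1)), m.group(2), m.group(3)))
    return events


def traffic_selector_protocols(events: List[IkeEvent]) -> Set[int]:
    """IP protocol numbers named in OSAL_INITIATE_TUNNEL traffic selectors."""
    protos: Set[int] = set()
    for ev in events:
        if ev.mnemonic == "OSAL_INITIATE_TUNNEL":
            protos.update(int(p) for p in PROTO_RE.findall(ev.text))
    return protos


def protocol_name(number: int) -> str:
    return IP_PROTO_NAMES.get(number, f"ip-{number}")


def negotiation_aborts(events: List[IkeEvent]) -> List[str]:
    """Messages of every NEG_ABORT event, e.g. 'Auth exchange failed'."""
    return [ev.text for ev in events if ev.mnemonic == "NEG_ABORT"]


@dataclass
class NatRow:
    proto: str
    inside_global: str
    inside_local: str
    outside_global: str


def _split_endpoint(token: str) -> Tuple[str, Optional[int]]:
    """'100.64.12.7:500' -> ('100.64.12.7', 500); a bare address or '---' -> (token, None)."""
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None


def parse_nat_translations(text: str) -> List[NatRow]:
    """Parse the five-column IOS table; the header and any malformed line are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        pro, inside_global, inside_local, _outside_local, outside_global = parts
        rows.append(NatRow(pro, inside_global, inside_local, outside_global))
    return rows


def ike_translations_for(text: str, inside_local_ip: str) -> List[NatRow]:
    """Translation rows carrying this inside-local address on UDP 500/4500.

    An empty list means IKE/NAT-T packets sourced from that address never
    went through the CE's NAT, which is exactly the loopback question above.
    """
    hits = []
    for row in parse_nat_translations(text):
        addr, port = _split_endpoint(row.inside_local)
        if row.proto == "udp" and addr == inside_local_ip and port in IKE_PORTS:
            hits.append(row)
    return hits


def summarize(syslog: str, nat_output: str, tunnel_source_ip: str) -> dict:
    events = parse_ikev2_syslog(syslog)
    return {
        "triggering_protocols": sorted(protocol_name(p) for p in traffic_selector_protocols(events)),
        "aborts": negotiation_aborts(events),
        "ike_nat_entries_for_source": len(ike_translations_for(nat_output, tunnel_source_ip)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG, SAMPLE_NAT, "10.1.1.1"))
```

With the constructed samples the summary reports GRE as the triggering protocol, one abort ("Auth exchange failed") and zero NAT entries for the loopback address, which is the situation to distinguish from an abort that happens after a translation did appear.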

Hello everyone,

Thank you all for your feedback. As I mentioned before, the NAT is done on the ISP side and I have two options:

- to use NAT in my CE as well (resulting in NAT444), but this is not possible according to your previous feedback, since the packets are processed on only one physical interface

- to request my ISP to route and NAT my loopback address. This process can be time-consuming, but I have no other option.


Thanks a lot for the additional information, but we still don't know: does the NAT affect the tunnel head, or the traffic passing through the tunnel?

The tunnel head is affected by NAT if the IPsec VPN passes through a NATing device.

The traffic is affected by NAT if you configure NAT on the same end as the IPsec VPN, i.e. the interface configured with the crypto map also has the ip nat outside command.

MHM

Hello @MHM Cisco World 

There is no ip nat outside on my Tunnel interface; nat outside is defined on the WAN interface, as mentioned in my first post:
interface Tunnel77
 ! other parameters
 tunnel protection ipsec profile IPSECPROFILE
end

Sorry, but if you NAT Lo0 toward the ISP, why don't you use the ISP-facing interface as the tunnel source directly?

thanks 

MHM
