09-20-2024 05:17 AM
Hello everyone, I have to set up an IPsec tunnel with Lo0 as the source of the tunnel. NAT is activated on my CE and at the ISP level (NAT444).
All IPsec and NAT configuration is OK, but as far as I know, for NAT to work correctly the packet should pass via the NAT inside and outside interfaces and vice versa, so how can this happen if the target interface is a loopback? I configured the loopback interface with nat inside, but the tunnel is still down with a few log messages:
%IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: xxxxxxx Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: xxxxxx Protocol: 47 Port Range: 0-65535
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
My config:
! All IPsec config is OK
interface TO-ISP
 ! private IP address here; it will be NATed at the ISP side
 ip nat outside
 exit
interface lo0
 ip address x.x.x.x
 ip nat inside
 exit
interface tunnel77
 tunnel source lo0
 ! other parameters
 exit
ip nat inside source list ALLOW-LO0 interface TO-ISP overload
end
Does anyone know how to fix this issue, please?
09-20-2024 06:38 AM
Hello @mrkassimi
Loopback interfaces do not typically participate in NAT translations the way regular physical interfaces do. Even though you have configured ip nat inside on the loopback, the traffic isn't hitting the NAT process as expected, and this is likely why your tunnel is not coming up.
So, use a physical interface for NAT instead of the Loopback.
09-20-2024 07:04 AM - edited 09-20-2024 10:42 AM
Thank you M02@rt37 for your quick feedback. Sadly I can't use the WAN interface as the source of my tunnel because it is configured with a private IP, which is not allowed on the remote peer, and the process to order a public IP is so long.
So is there any way to accomplish this? Can I, for example, tag the WAN interface with nat inside and nat outside at the same time?
09-20-2024 02:53 PM - edited 09-20-2024 02:54 PM
Hello
@mrkassimi wrote:
I can't use the WAN interface as source of my tunnel because it is configured with private ip which is not allowed in the remote peer and the process to order public ip is so long
So if your WAN interface has a non-public routable address and you're sourcing your tunnel via the loopback, how is the source reachable from the remote end of the tunnel, via NAT?
Can you elaborate?
09-21-2024 04:06 AM
As @paul driver mentioned, we need some more elaboration.
MHM
09-21-2024 09:23 PM
Hello @mrkassimi,
You get a blocking error message at the IKEv2 protocol exchange:
>> %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
For further troubleshooting you can follow this technote:
The suggested debug commands are:
deb crypto ikev2 packet
deb crypto ikev2 internal
From the first IKEv2 message we see:
>> %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: xxxxxxx Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: xxxxxx Protocol: 47 Port Range: 0-65535
The user traffic triggering the IKEv2 negotiation is GRE (IP protocol 47). Is your tunnel 77 using GRE encapsulation?
You also need to check NAT with
show ip nat translations
Use two parallel SSH sessions: one with terminal monitor enabled to see the debug output and collect it to a log file; in the other SSH session you can issue show commands and start and stop debugging.
You can also compare your configuration with the one in the technote.
Making IPsec work using a loopback is already difficult; adding NAT creates additional problems.
NAT-T (UDP 4500) has to be permitted on the path end to end, and both VPN endpoints have to agree on using it.
Hope to help
Giuseppe
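An added triage helper, not from the thread or from Cisco, that reads the two IKEv2 syslog lines quoted above together with show ip nat translations output and answers the two checks suggested in this post: whether the traffic selector is GRE (protocol 47) and whether a translation exists for the Lo0 address. The sample log lines, the NAT rows and the 192.0.2.10 loopback address are constructed.

```python
import re

# Constructed sample syslog lines, modelled on the messages quoted in the thread.
SAMPLE_LOGS = """\
%IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.0.2.10-192.0.2.10 Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: 198.51.100.1-198.51.100.1 Protocol: 47 Port Range: 0-65535
%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
"""

# Constructed 'show ip nat translations' output (documentation prefixes only):
# a NAT-T (UDP 4500) translation for the loopback address.
SAMPLE_NAT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 10.20.30.40:4500      192.0.2.10:4500       198.51.100.1:4500     198.51.100.1:4500
"""

SELECTOR_RE = re.compile(
    r"(local|remote) traffic selector = Address Range: (\S+) Protocol: (\d+)"
)


def parse_ikev2(log_text):
    """Return {'local': (addr_range, proto), 'remote': (...), 'aborted': bool}."""
    info = {"aborted": False}
    for line in log_text.splitlines():
        for side, rng, proto in SELECTOR_RE.findall(line):
            info[side] = (rng, int(proto))
        if "%IKEV2-3-NEG_ABORT" in line:
            info["aborted"] = True
    return info


def nat_entries_for(nat_text, inside_local_ip):
    """Rows of 'show ip nat translations' whose Inside local IP matches."""
    rows = []
    for line in nat_text.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) >= 3 and cols[2].split(":")[0] == inside_local_ip:
            rows.append(cols)
    return rows


def triage(log_text, nat_text, lo0_ip):
    """Is the tunnel GRE, did auth fail, and is the Lo0 address being translated?"""
    ike = parse_ikev2(log_text)
    local_proto = ike.get("local", (None, None))[1]
    return {
        "gre_selector": local_proto == 47,
        "auth_failed": ike["aborted"],
        "lo0_translated": bool(nat_entries_for(nat_text, lo0_ip)),
    }
```

If lo0_translated comes back False while the IKEv2 request is logged, the loopback traffic never hit the NAT process, which is the situation described in this thread.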
09-23-2024 02:32 AM
Hello everyone,
Thank you all for your feedback. As I mentioned before, the NAT is done on the ISP side and I have two options:
- use NAT in my CE as well (resulting in NAT444), but this is not possible according to your previous feedback, since the packets are processed by only one physical interface
- request my ISP to route and NAT my loopback address. This process can be time-consuming, but I have no other option
09-23-2024 03:12 AM
Thanks a lot for the additional information, but we still don't know whether the NAT affects the tunnel head or the traffic passing through the tunnel.
The tunnel head is affected by NAT if the IPsec VPN passes through a NATing device.
The traffic is affected by NAT if you configure NAT on the same end of the IPsec VPN, i.e. the interface configured with the crypto map has the command ip nat outside.
MHM
10-03-2024 01:37 PM
Hello @MHM Cisco World
There is no ip nat outside on my tunnel interface; nat outside is defined on the WAN interface, as mentioned in my first post:
interface Tunnel77
 ! other parameters
 tunnel protection ipsec profile IPSECPROFILE
end
10-03-2024 11:27 PM
Sorry, but if you NAT Lo0 to the ISP interface, why don't you use the ISP interface as the tunnel source directly?
Thanks
MHM