05-21-2021 07:06 AM
Hello all,
I have the following scenario:
RT1 wan private IP <--> RT2 nat - wan public IP <- internet -> RT3 wan public IP
I have to configure a point to point ipsec protected tunnel between RT1 and RT3.
RT2 is doing one-to-one NAT from its WAN public IP to the RT1 WAN private IP (tested and seems to be working). SSH from RT3 to the RT2 public IP lands on RT1. So far so good.
A simple GRE tunnel between RT1 and RT3 works fine also. I can ping remote tunnel interfaces.
Once I add IPSec tunnel protection on the tunnel interfaces of RT1 and RT3, the communication fails (tested both isakmp and ikev2, and also several parameters for the transform set). Interestingly, the tunnel interface on RT1 has protocol UP, but for the one on RT3 the protocol is DOWN.
The most interesting fact is that if I migrate to site to site vpn without tunnel interfaces, but using crypto map and ACL the IPSec tunnel works just fine.
Debug crypto isakmp or ikev2 error shows only some generic messages, and I couldn't identify where the problem is:
--- during ISAKMP tests ---
May 21 12:55:42.720: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer ....)
May 21 12:55:42.720: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer ....)
May 21 12:55:52.495: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local ...., remote ....)
May 21 12:55:52.496: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
May 21 12:55:52.496: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
May 21 12:55:54.497: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by Crypto IKMP is denied
May 21 12:55:54.497: ISAKMP-ERROR: (0):failed to set SKEYID
---------------------
--- during IKEv2 tests ---
May 21 12:39:32.030: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
May 21 12:39:32.030: IKEv2-ERROR:Address type 2986272779 not supported
May 21 12:39:32.030: IKEv2-ERROR:: A supplied parameter is incorrect
May 21 12:39:32.038: IKEv2-ERROR:(SESSION ID = 34,SA ID = 1):: Failed to locate an item in the database
May 21 12:39:32.038: IKEv2-ERROR:(SESSION ID = 34,SA ID = 1):: Auth exchange failed
May 21 12:39:33.945: IKEv2-ERROR:Address type 2147505703 not supported
May 21 12:39:33.945: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
May 21 12:39:33.946: IKEv2-ERROR:Address type 2986272779 not supported
May 21 12:39:33.946: IKEv2-ERROR:: A supplied parameter is incorrect
---
Any ideas, hints?
Thanks a lot
05-21-2021 10:01 AM - edited 05-21-2021 10:01 AM
Hello,
this should work as long as the NAT includes UDP ports 500 and 4500 (which one to one NAT should do by default). Post the full configs of all three routers so we can check for any errors in there...
05-21-2021 11:27 AM
Just to keep in mind: if I remove tunnel protection and tunnel mode ipsec ipv4 from the tunnel interfaces, the communication works.
Relevant config:
---- R1 ----
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key T3st30 address A.B.84.19
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile PROTECT
set security-association lifetime seconds 86400
set transform-set TS
!
!
interface Tunnel30
ip address 192.168.192.66 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination A.B.84.19
tunnel protection ipsec profile PROTECT
!
interface GigabitEthernet0/0/0
ip address 192.168.0.220 255.255.255.0
!
---- R2 ----
interface GigabitEthernet9
description WAN
ip address C.D.90.202 255.255.255.248
ip nat outside
!
interface Vlan251
description LAN
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
ip nat inside source static 192.168.0.220 interface GigabitEthernet9
!
---- R3 ----
crypto isakmp policy 1
encryption 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key T3st30 address C.D.90.202
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile PROTECT
set security-association lifetime seconds 86400
set transform-set TS
!
!
interface Tunnel30
ip address 192.168.192.65 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source A.B.84.19
tunnel mode ipsec ipv4
tunnel destination C.D.90.202
tunnel protection ipsec profile PROTECT
!
interface GigabitEthernet1
description WAN
ip address A.B.84.19 255.255.255.192
!
Thanks a lot
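As an added example (not from the thread or from Cisco), a small Python audit that parses the posted IOS crypto config and flags the MD5 hash that the router's %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL message denies, together with other legacy algorithms; classifying 3DES and DH group 2 as legacy is an assumption of this example, not something the thread states.

```python
import re
# Constructed sample: R1's ISAKMP policy and transform set as posted above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
"""

# (keyword, values to flag, reason). MD5 is what the router's own CSDL compliance
# message rejects; 3DES and DH group 2 are flagged as legacy by assumption.
POLICY_CHECKS = [
    ("hash", {"md5"}, "denied by CSDL compliance"),
    ("encryption", {"des", "3des"}, "legacy"),
    ("group", {"1", "2"}, "legacy"),
]
WEAK_ESP = {"esp-md5-hmac", "esp-des", "esp-3des"}


def parse_isakmp_policies(config: str) -> dict[str, dict[str, str]]:
    """Map each 'crypto isakmp policy N' block to its keyword/value pairs."""
    policies: dict[str, dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif line == "!" or not line:
            current = None  # '!' terminates the block in an IOS running-config
        elif current is not None:
            key, _, value = line.partition(" ")
            # IOS prints 'encr' as the abbreviation of 'encryption'; normalise it.
            current["encryption" if key == "encr" else key] = value
    return policies


def audit(config: str) -> list[str]:
    """Return one finding per flagged algorithm in policies and transform sets."""
    findings: list[str] = []
    for num, p in parse_isakmp_policies(config).items():
        for key, bad, why in POLICY_CHECKS:
            if p.get(key) in bad:
                findings.append(f"isakmp policy {num}: {key} {p[key]} ({why})")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        for alg in m.group(2).split():
            if alg in WEAK_ESP:
                findings.append(f"transform-set {m.group(1)}: {alg} (legacy)")
    return findings
```

Run it against the full `show running-config` of each router to get the same findings for R3, which uses the spelled-out `encryption 3des` form.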