cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13068
Views
15
Helpful
8
Replies

IPSec VPN Tunnel with NAT

aducey01
Level 1
Level 1

I'm setting up a IPSec Tunnel between 3800 and  2600 routers over the internet.

Do I need to create a tunnel interface as they suggest in this document? 

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml#diag

I just watched a couple of you tube videos saying I don't need to do that...

1 Accepted Solution

Accepted Solutions

Hardik Vaidh
Level 1
Level 1

For IPSec no need to creat tunnel interface. you have to assing you peer IP and then push your packet via NAT.

check generic comfiguration of the IPsec site to site VPN

rypto isakmp policy 10

encr 3des

hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 10.10.10.10

// set your key insted of XXX and it must match with your remote site. after that write address of your peer
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
!
crypto map YYY  local-address <<>>
crypto map YYY 10 ipsec-isakmp
set peer 10.10.10.10
set transform-set ZZZ
match address 101

interface <<>>
crypto map YYYY

access-list 101 permit ip 192.168.1.0 0.0.0.255 11.11.11.11 (Remote user) 255.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 22.22.22.22(Remote user) 255.255.255.255

Extended IP access list 100 (NAT Access list)

     deny ip 192.168.1.0 0.0.0.255 host 11.11.11.11

     deny ip 192.168.1.1 0.0.0.255 host 22.22.22.22

     permit ip any any

Please rate this if helpful

View solution in original post

8 Replies 8

cadet alain
VIP Alumni
VIP Alumni

Hi,

if you're using static routes it's not mandatory but if you want to use EIGRP or OSPF to advertise subnets through your tunnel then you either need to do GRE over IPSec or if your IOS versions support it you can use a VTI interface:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

synbureau
Level 1
Level 1

If you are creating site-to-site tunnel between the two devices, you can apply the crypto map to your WAN interfaces and use public IPs to define the cryptomaps and shared key.

Thanks, that's what I'm trying to do.  I'm applying the crytpo map to my WAN interfaces and using public IP's.  I can't seem to get my tunnel to go into up-active.  It comes up with up-idle when I send traffic to it, but never active...

Hi,

can you post your config and how you initiate your tunnel.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hello,

Regards your vpn,

1) make sure you have connection between your source and destination address which will be stated in your vpn tunnel prior to applying the encryption

2) if your peering your igp over the tunnel obviously it will not come up until the tunnel is established, again you can try and test this before applying the crytpo, so basically  establish a GRE Tunnel first

3) Natting from the inside to outside will be checked before the crypto map statements so again make sure connection is established prior to applying any crypto

4)your crypto isakmp policies/transform set/encryption/hash values/pre share key etc need to be the same on either site

5) the acl defined in your crypto map is the traffic you want to encrypt.

6) have you tried not using crypto maps and instead  VTI ( virtual Tunnel Interface  tunnel protection command)

Please post output from debug below and if possible as suggested a running config of your router.

debug crypto ipsec

debug crypto isakmp

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Your config will be helpful, so if you can add your config here it will be great

Hardik Vaidh
Level 1
Level 1

For IPSec no need to creat tunnel interface. you have to assing you peer IP and then push your packet via NAT.

check generic comfiguration of the IPsec site to site VPN

rypto isakmp policy 10

encr 3des

hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 10.10.10.10

// set your key insted of XXX and it must match with your remote site. after that write address of your peer
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
!
crypto map YYY  local-address <<>>
crypto map YYY 10 ipsec-isakmp
set peer 10.10.10.10
set transform-set ZZZ
match address 101

interface <<>>
crypto map YYYY

access-list 101 permit ip 192.168.1.0 0.0.0.255 11.11.11.11 (Remote user) 255.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 22.22.22.22(Remote user) 255.255.255.255

Extended IP access list 100 (NAT Access list)

     deny ip 192.168.1.0 0.0.0.255 host 11.11.11.11

     deny ip 192.168.1.1 0.0.0.255 host 22.22.22.22

     permit ip any any

Please rate this if helpful

That worked...doing a deny on the interesting traffic in the nat statements.

Thanks!

Review Cisco Networking for a $25 gift card