11-30-2014 12:18 PM - edited 03-07-2019 09:43 PM
Hi all,
I have a very simple setup. I have 3 routers as shown below. ISP is translating R1's interface IP from 10.1.1.1 to 10.1.3.1.
R1--Fas0/0-----------------------------------Fas0/0---ISP---Fas0/1------------------------------Fas0/1----R2
R1:
int fas0/0
ip add 10.1.1.1 255.255.255.0
ISP
int fas0/0
ip add 10.1.1.2 255.255.255.0
ip nat inside
int fas0/1
ip add 10.1.2.2 255.255.255.0
ip nat outside
ip nat inside source static 10.1.1.1 10.1.3.1
R2
int fas0/1
ip add 10.1.2.1 255.255.255.0
As you can see, ISP is translating R1 10.1.1.1 <-> 10.1.3.1. If I want to configure IPsec between R1 and R2, what shall I configure?
11-30-2014 01:00 PM
Hi,
All routers are using private IPs, so there is no need for NAT.
To configure an IPsec tunnel between the routers, have a look at this doc:
http://www.cisco.com/c/en/us/td/docs/security/vpn_modules/6342/vpn_cg/6342site3.html
HTH
11-30-2014 08:31 PM
This is a lab scenario and I want to test, for my learning, how IPsec would work in such a case.
I have tried it but IPsec doesn't work with the standard configuration. Below is the configuration.
I have configured 2 loopbacks. On R1: 100.1.1.1
On R2: 200.1.1.1
R1:
crypto isakmp policy 10
auth pre
enc des
hash md5
group 2
crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
crypto map test 10 ipsec-isakmp
match address 101
set peer 10.1.1.1
set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.0.2
R2:
crypto isakmp policy 10
auth pre
enc des
hash md5
group 2
crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
crypto map test 10 ipsec-isakmp
match address 101
set peer 10.1.3.1 (it will be 10.1.3.1, the NATted IP, right?)
set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Now when I ping from R1:
ping 200.1.1.1 source 100.1.1.1
it's not successful. Why doesn't it work, any idea?
11-30-2014 11:30 PM
The crypto config looks fine (the crypto map is also applied to R1's and R2's public interfaces?). But your default routes are wrong. The next hop has to be the IP of the ISP.
If it still doesn't work, you have to continue with "debug crypto isakmp".
11-30-2014 01:25 PM
Is it a lab scenario?
R2 needs to use the inside global address of R1 (which is 10.1.3.1) as a peer. And as long as UDP/500 and UDP/4500 are translated (which is the case in your scenario), then everything works the same as if there weren't any NAT. At least when you run 12.2(8)T+ on your routers.
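Putting the two replies together (R2 peers with R1's inside global 10.1.3.1, R1 peers with R2's real address 10.1.2.1, and both default routes point at the ISP), here is a corrected version of the lab as an added example; it is not any poster's configuration. It assumes the crypto maps are applied to R1's Fas0/0 and R2's Fas0/1, /32 masks on the two loopbacks from the post, and the ISP router left exactly as shown in the question.

```cisco
! R1 (inside host 10.1.1.1, seen by R2 as 10.1.3.1 after the ISP's static NAT)
interface Loopback0
 ip address 100.1.1.1 255.255.255.255
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
! the key and peer are R2's real address; R2 is not behind NAT
crypto isakmp key 0 cisco address 10.1.2.1
crypto ipsec transform-set test esp-des esp-md5-hmac
 mode tunnel
access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
crypto map test 10 ipsec-isakmp
 match address 101
 set peer 10.1.2.1
 set transform-set test
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map test
! next hop is the ISP's address on R1's own subnet, not 10.1.0.2
ip route 0.0.0.0 0.0.0.0 10.1.1.2

! R2 (outside): everything that refers to R1 uses the inside global 10.1.3.1
interface Loopback0
 ip address 200.1.1.1 255.255.255.255
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp key 0 cisco address 10.1.3.1
crypto ipsec transform-set test esp-des esp-md5-hmac
 mode tunnel
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
crypto map test 10 ipsec-isakmp
 match address 101
 set peer 10.1.3.1
 set transform-set test
interface FastEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 crypto map test
! next hop is the ISP's Fas0/1, not R1's address
ip route 0.0.0.0 0.0.0.0 10.1.2.2
```

Because the static NAT carries UDP/500 and UDP/4500 through unchanged, IKE and NAT-T detection behave as they would without NAT; after the source ping, "show crypto isakmp sa" and "show crypto ipsec sa" on both routers should show the SA and the encrypt/decrypt counters increasing.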