I have 2 doubts:
I have create an IP SEC tunnel like this (look at the diagram). http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html
Is an easy tunnel but there is a think that I can't understand. Router A and Router B makes NAT translations. ¿This is a NAT-T IPsec tunnel? The traffic between 10.1.1.0 and 172.16.0.2 works well but I have not include any command like "crypto isakmp nat-traversal".
I can Ping any host from Router A to the LAN network of router B and I can ping any host from Router B to the LAN network of router A.
But I can't ping Router A from Router B and I can't ping Router B from router A (I have tryed using the command "source IP). ¿Why I can't ping the LAN router interfaces from the other side?
Thanks for your help.
Solved! Go to Solution.
To understand NAT-T. Let take the following example,
In this example, the initiator’s IP address, 22.214.171.124, which has been dynamically assigned to the device, is hidden by the NAT device and translated to 126.96.36.199.
Network Address Translation-Traversal (NAT-T) is a method for getting around IP address translation issues encountered when data protected by IPsec passes through a NAT device for address translation. Any changes to the IP addressing, which is the function of NAT, causes IKE to discard packets. After detecting one or more NAT devices along the datapath during Phase 1 exchanges, NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation. NAT-T encapsulates both IKE and ESP traffic within UDP with port 4500 used as both the source and destination port.
2) ABOUT ICMP
What are the IP's at your Router A and Router B (which you are using as a source IP) from which you are trying to ping and what is the VPN intreasted traffic? Can you post the configuration of both routers if possible?
In my configuration (like the link http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html ) I have the port 4500... It uses NAT-T...
But I don't understand why it works with any command like "isakmp nat-traversal". ¿Is not necesary this command?
My conf is exactly like the link. The ICMP not works between 10.1.1.2 and 172.16.2.1. But it works between 10.1.1.2 and 172.16.2.2, for example(a remote host). Is a traffic matched by the ACL.