01-06-2003 11:42 AM - edited 02-21-2020 12:15 PM
Hello,
Setup:
Cisco VPN Client (3.1) running on Win 2K Pro ->
MS ISA Server (proper protocol defs. and rules are in place and active; remote network has an entry in the LAT)->
Internet->
Cisco Concentrator 3000 (remote network, I do not admin this device)
Problem:
I am able to authenticate to the remote network, I can see in the VPN Client status that I am assigned an IP address. By doing 'ipconfig /all' I see that my DNS servers have been changed to match those of the remote network. However, I am unable to access ANY remote network resources. I can't even ping the remote DNS servers.
It's my understanding that if IPSec through NAT is enabled both on the client and the concentrator, all data will pass through the tunnel created. I have this enabled on the client end, but when I look at the status of the connection it says: "IPSec through NAT: Inactive." This leads me to believe that NAT-T is not enabled on the concentrator, am I mistaken in this assumption?
Any help is appreciated.
Thanks,
Dave
01-06-2003 12:26 PM
Hi Dave,
IPSec over UDP needs to be enabled on the client as well as on the concentrator. If you have it enabled on the client but it is not active, then make sure that it is also enabled on the concentrator. You mentioned that you do not administer the VPN concentrator, so you would probably need to involve the admin of the concentrator to troubleshoot it.
Jazib
01-06-2003 12:32 PM
Hi Jazib, thanks for replying. I have contacted the admin of the concentrator, he says that it is enabled. Is there any way I can confirm this from my end? Like I said, when I am connected the status shows that IPSec over UDP is 'Inactive', port is '0'. I can provide a screenshot of the status screen if necessary.
Also, there may be a breakdown in communication between myself and the concentrator admin. Is IPSec over UDP the same as NAT-T? NAT-T is transparent NAT? Just want to make sure my lingo is correct before I contact the concentrator admin [again].
Thanks,
Dave
01-06-2003 12:45 PM
Hi Dave,
NAT-T is very similar in characteristics to IPSec over UDP. You can either use IPSec over UDP or NAT-T. NAT-T is a pretty new feature, so make sure that you are running at least 3.6(x) code on the client and the concentrator.
To find out if you are using IPSEC over UDP or NAT-T, you can enable log viewer on the client and set the severity of all the classes to High.
If using IPSec over UDP, and if it is enabled on both devices, then you should see something similar on Log Viewer:
66 15:39:19.700 01/06/03 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710
If you are using NAT-T, then you will see that NAT-T is getting negotiated in the Log Viewer as well.
Also, ask your concentrator admin what he sees as the encryption protocol for your IPSec session. If you are using NAT-T, it will show NAT-T there. If you are using IPSec over UDP then it will show you that. If you are not using either of them, it will just say IPSec for the encryption protocol.
Hope that helps
Jazib
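As an added example (not code from the original posts), here is a small Python helper that reads Cisco VPN Client Log Viewer output of the form Jazib quotes and decodes the MODECFG_UNITY_UDP_NAT_PORT value into a decimal port, so you can tell from your own end whether the concentrator handed out a UDP encapsulation port. The embedded log lines are constructed for illustration; the only attribute name taken from the thread is MODECFG_UNITY_UDP_NAT_PORT, the others (INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS) are assumed stand-ins for the rest of a MODE_CFG reply.

```python
"""Check Cisco VPN Client Log Viewer text for a negotiated IPSec-over-UDP port.

Added example for this thread, not code from the original posts. The
MODE_CFG_REPLY line format follows the two lines quoted by Jazib; the
sample logs below are constructed, not a real capture.
"""
import re
from typing import Optional

# The attribute Jazib says appears when IPSec over UDP is enabled on both
# the client and the concentrator. The value is the UDP port in hex.
UDP_NAT_PORT_RE = re.compile(
    r"MODE_CFG_REPLY:\s*Attribute\s*=\s*MODECFG_UNITY_UDP_NAT_PORT,"
    r"\s*value\s*=\s*(0x[0-9A-Fa-f]+)"
)


def udp_nat_port(log_text: str) -> Optional[int]:
    """Return the UDP encapsulation port the concentrator handed out,
    or None if the attribute never appears in the log (no IPSec over UDP)."""
    match = UDP_NAT_PORT_RE.search(log_text)
    if match is None:
        return None
    return int(match.group(1), 16)


def describe(log_text: str) -> str:
    """Human-readable verdict matching the client status screen wording."""
    port = udp_nat_port(log_text)
    if port is None:
        return "IPSec through NAT: Inactive (no MODECFG_UNITY_UDP_NAT_PORT in log)"
    return f"IPSec through NAT: Active, port {port}"


# Constructed sample: a session where the concentrator offered UDP port 0x2710.
WORKING_LOG = """\
65 15:39:19.690 01/06/03 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = INTERNAL_IP4_ADDRESS, value = 10.0.0.5
66 15:39:19.700 01/06/03 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710
"""

# Constructed sample: same reply without the UDP_NAT attribute, i.e. the
# concentrator group does not have IPSec over UDP enabled.
FAILING_LOG = """\
65 15:39:19.690 01/06/03 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = INTERNAL_IP4_ADDRESS, value = 10.0.0.5
66 15:39:19.700 01/06/03 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = INTERNAL_IP4_DNS, value = 10.0.0.10
"""

if __name__ == "__main__":
    print(describe(WORKING_LOG))
    print(describe(FAILING_LOG))
```

Note that 0x00002710 is decimal 10000, so a log containing the line Jazib quoted corresponds to a concentrator configured with "Nat port 10000". If the attribute is absent, the client has nothing to encapsulate into and the status screen will keep showing port 0, which is consistent with the client being unable to pass traffic through a NAT device.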
01-06-2003 01:08 PM
Jazib, thank you very much for helping. I don't see anything about UDP_NAT in the log when I connect with IPSec over UDP enabled. That should tell me that IPSec over UDP is not enabled on the concentrator end, correct?
I'm not sure which version the concentrator is, but the client version they gave me is 3.1. The client software has no mention of NAT-T, just IPSec over UDP.
Thanks again for sticking with me on this.
Dave
01-06-2003 01:48 PM
This is what the concentrator admin told me when I inquired about the settings on his end:
---begin paste---
Here are the configured settings when connecting externally
encryption 168-bit 3-DES
authentication HMAC-MD5
IPSEC THROUGH NAT - ACTIVE
Nat port 10000
---end paste---
My limited knowledge of Cisco concentrators tells me that this is not the settings for IPsec over UDP.
01-07-2003 09:49 AM
Dave,
I am assuming that these are the stats from one of the VPN sessions which had IPSec over UDP enabled. You have to find out from your concentrator admin if you are also connecting to the same group as this user.
Jazib
01-06-2003 01:49 PM
Hi Dave,
If you are not seeing the UDP_NAT messages, then your concentrator is not properly set up. You have to ask your admin to either check the config on the concentrator to make sure that it is enabled, or get the logs from the concentrator with the IKE, IKEDBG, IPSEC and IPSECDBG severity set to 1-13.
Thanks
Jazib