Cisco VPN problem behind ISP Modem

poorprince
Level 1

Hi,

I am facing a problem while connecting to my VPN server, which is configured on a UC540 device. This device is behind my ISP router. I applied port forwarding of IPsec traffic to my Cisco device, which is configured as the VPN server. Now if I try to connect with my live IP I get the following error:


-----------  show crypto session detail  -----------

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation    
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/0
Profile: sdm-ike-profile-1
Session status: DOWN-NEGOTIATING
Peer: 124.109.38.91 port 2946 fvrf: (none) ivrf: (none)
      Phase1_id: EZVPN_GROUP_1
      Desc: (none)
  IKE SA: local 192.168.0.116/500 remote 124.109.38.91/2946 Inactive
          Capabilities:(none) connid:2034 lifetime:0


192.168.0.116 is my Cisco WAN IP. I added this IP to the DMZ list of my ISP modem and also forwarded IPsec traffic to it...

but still it's not working :(

I tested: if I connect using 192.168.0.116 internally it works, but if I try to connect using my live IP it keeps trying and trying but does not connect...

Please help me, what am I missing...

3 Replies

Jennifer Halim
Cisco Employee

There are 2 things that you would need to check:

1) On the VPN server, please make sure that NAT-T (NAT-Traversal) is enabled. This will allow phase 2 (ESP packets) to be encapsulated into UDP/4500.

2) On the ISP modem, please make sure that you port forward both UDP/500 and UDP/4500.

Hope this helps.
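The two checks above, turned into a small diagnostic script. This is an added example, not code from the thread or from Cisco: it parses the `show crypto session detail` output quoted in the original post (peer address replaced with a documentation address, and a second, healthy session constructed for comparison) and reports which NAT-T prerequisites are unmet given the set of UDP ports the modem forwards. The finding codes and the `diagnose` function are my own naming.

```python
import ipaddress
import re

# Constructed sample: the output from the original post, with the peer's
# public address swapped for a documentation address (192.0.2.91).
BROKEN_SESSION = """\
Interface: FastEthernet0/0
Profile: sdm-ike-profile-1
Session status: DOWN-NEGOTIATING
Peer: 192.0.2.91 port 2946 fvrf: (none) ivrf: (none)
      Phase1_id: EZVPN_GROUP_1
      Desc: (none)
  IKE SA: local 192.168.0.116/500 remote 192.0.2.91/2946 Inactive
          Capabilities:(none) connid:2034 lifetime:0
"""

# Constructed sample: what the same session looks like once NAT-T has been
# negotiated (N in Capabilities) and both ends have moved to UDP/4500.
HEALTHY_SESSION = """\
Interface: FastEthernet0/0
Profile: sdm-ike-profile-1
Session status: UP-ACTIVE
Peer: 192.0.2.91 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: EZVPN_GROUP_1
      Desc: (none)
  IKE SA: local 192.168.0.116/4500 remote 192.0.2.91/4500 Active
          Capabilities:DN connid:2035 lifetime:23:59:10
"""


def parse_session(text):
    """Extract the fields that matter for a NAT-T diagnosis from the show output."""
    status = re.search(r"Session status:\s*(\S+)", text)
    ike = re.search(r"IKE SA: local (\S+)/(\d+) remote (\S+)/(\d+) (\S+)", text)
    caps = re.search(r"Capabilities:(\S+)", text)
    if not (status and ike and caps):
        raise ValueError("unrecognised 'show crypto session detail' output")
    raw_caps = caps.group(1).strip("()")
    return {
        "status": status.group(1),
        "local_ip": ike.group(1),
        "local_port": int(ike.group(2)),
        "remote_ip": ike.group(3),
        "remote_port": int(ike.group(4)),
        "ike_state": ike.group(5),
        # IOS prints the capability letters run together, e.g. "DN", or "(none)".
        "capabilities": set() if raw_caps == "none" else set(raw_caps),
    }


def diagnose(text, forwarded_udp_ports):
    """Return (code, explanation) pairs for each NAT-T prerequisite that is not met."""
    s = parse_session(text)
    findings = []
    if ipaddress.ip_address(s["local_ip"]).is_private:
        findings.append(("server-behind-nat",
                         f"local IKE address {s['local_ip']} is private, so the VPN "
                         "server itself sits behind the modem's NAT"))
    if s["remote_port"] not in (500, 4500):
        findings.append(("peer-port-rewritten",
                         f"peer IKE source port is {s['remote_port']} rather than 500, "
                         "so a NAT on the path rewrote it"))
    if "N" not in s["capabilities"]:
        findings.append(("no-natt-negotiated",
                         "NAT-traversal (N) is absent from Capabilities; confirm NAT-T "
                         "is enabled on the server so ESP can ride inside UDP/4500"))
    for port in (500, 4500):
        if port not in forwarded_udp_ports:
            findings.append((f"missing-udp-{port}",
                             f"UDP/{port} is not forwarded to {s['local_ip']} on the modem"))
    return findings


if __name__ == "__main__":
    # Only UDP/500 forwarded, as in the original post before UDP/4500 was added.
    for code, why in diagnose(BROKEN_SESSION, {500}):
        print(f"[{code}] {why}")
```

Run against the original post's output with only UDP/500 forwarded, the script reports the private server address, the rewritten peer port, the missing N capability and the missing UDP/4500 forward. On IOS, NAT-T is enabled by default; it only disappears from a configuration when someone has entered `no crypto isakmp nat-traversal`, so `show running-config | include nat-traversal` is a quick way to see whether it has been switched off.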

UDP port 4500 forwarding is applied, but how do I enable NAT-T? What is the command for a Cisco device?

Do you mind sharing the Cisco router config? I just want to double check the config. Also, when you try to connect, can you please share the following debug output:

debug cry isa

debug cry ipsec

Also, the following show command:

show cry isa sa

show cry ipsec sa