02-28-2006 05:49 AM - edited 02-21-2020 02:17 PM
Hi to all!
I've the following situation:
6509 MSFC (DMVPN Hub)-->VPN SPA-->FWSM-->Outside port-->Outside DMVPN Spoke.
The hub has address 172.19.10.21 (I've correctly configured BITW with the VPN SPA). This address is NATted with a static NAT to the outside address 192.168.115.4 on the FWSM. The spoke router has address 192.168.115.254. I've configured FWSM ACLs to permit, in both directions, ESP on port 500 and ESP over UDP with NAT-T on port 4500. When I bring up the tunnel interface, ISAKMP phase 1 goes well, but in the phase 2 negotiation the debug says:
1w3d: ISAKMP:(0:1:HW:2):SA authentication status:
1w3d: ISAKMP:(0:1:HW:2): authenticated
1w3d: IPSEC(validate_transform_proposal): proxy identities not supported
1w3d: ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
1w3d: ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local 172.19.10.21 remote 192.168.115.254)
All endpoints are compatible with IPsec NAT-T... how can I solve the problem?
Thanks in advance!
Gilberto
03-06-2006 09:19 AM
Maybe, if you have configured something like "nat (inside) 0 0.0.0.0 0.0.0.0", you can replace it with static statements (for all internal networks) like:
static (inside,outside) x.x.x.x x.x.x.x netmask x.x.x.x
03-09-2006 09:30 PM
I'm not sure that a DMVPN hub can be NAT'ed, statically or otherwise. Spokes can, but I haven't seen any examples supporting a NAT'ed hub. Logically, it should be possible to statically NAT a hub, but that doesn't mean it actually works. There are also a number of restrictions on DMVPN in a 6500; you might want to check your compatibility:
04-06-2006 09:58 AM
Hi Gilberto,
I am having a similar issue to yours. I am also using a FWSM, MSFC and multiple spoke routers, and I am having a Phase 2 failure as well... Did you get your issue fixed?
- Paul
04-11-2006 05:55 AM
Hello everybody in this case.
I had a similar problem, but my hub site is not on an MSFC; it is on another router, which is statically NATed by a firewall.
Following the document attached by mflanigan, I updated the IOS on the hub and spoke and configured my routers with IPsec transport mode.
I will attach a document about my situation and results. I am not sure if it can help you (you have the hub directly on the MSFC).
The main problem is that IPsec tries to establish the tunnel for the PROXY addresses, and these addresses are not changed by NAT in tunnel mode (they are encapsulated in new headers). But in transport mode, the proxy addresses can be changed by NAT.
If my update helps, just let me know...
Regards,
Vladimir
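As an added illustration of the transport-mode workaround Vladimir describes (this is example configuration written for this page, not configuration posted by anyone in the thread): a minimal DMVPN hub behind a static NAT and one spoke, using the addresses from Gilberto's question. In the original failure the hub builds its phase 2 proxy identities from the GRE endpoints it knows (local 172.19.10.21, remote 192.168.115.254), while the spoke proposes the pair it can see (192.168.115.254 and the NATted 192.168.115.4); the mismatch is what "proxy identities not supported" reports. With `mode transport` and NAT-T, IOS replaces the proxy identity with the address learned during NAT-T detection, so both sides agree. The overlay subnet 10.0.0.0/24, the NHRP network ID, tunnel key, pre-shared key and the spoke's interface name are assumptions.

```cisco
! ---- Hub: real address 172.19.10.21, statically NATted to 192.168.115.4 on the FWSM ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! assumed pre-shared key; wildcard peer because spokes may also sit behind NAT
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
! NAT-T is enabled by default in IOS; the keepalive keeps the FWSM's UDP/4500 xlate alive
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 ! transport mode: the proxy identities are the addresses seen after NAT-T detection,
 ! which is what lets a NATted hub pass phase 2 (tunnel mode would fail as in the debug above)
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! tunnel source is the real (pre-NAT) address; the FWSM translates it on the way out
 tunnel source 172.19.10.21
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF

! ---- Spoke: 192.168.115.254 (same isakmp policy, key, transform-set and profile as above) ----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPKEY
 ! the spoke maps the hub's overlay address to the hub's NATted outside address
 ip nhrp map 10.0.0.1 192.168.115.4
 ip nhrp map multicast 192.168.115.4
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ! assumed spoke outside interface
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

Once both peers negotiate, `show crypto ipsec sa` on the hub should list the SA with `in use settings ={Transport UDP-Encaps, }` and a `local ident`/`remote ident` pair that both ends accept. Because NAT-T wraps ESP in UDP, the FWSM rules that matter for this path are UDP/500 and UDP/4500 to and from the static; NAT-T keepalives from the hub side also prevent the translation from timing out between spoke messages.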