02-25-2011 09:50 AM - edited 02-21-2020 05:11 PM
Hi to All,
I am presently trying to establish a GRE tunnel/IPsec over an IP network using static NAT and STATIC PAT.
Here is the network that I am using to build the GRE Tunnel/IPsec.
The only way that I am able to establish this tunnel is when I am using ESP transport mode. There is no way
of establishing this tunnel when I am using ESP tunnel mode. Here is part of the debug ISAKMP output from R5:
ISAKMP: Looking for a matching key for 11.11.22.5 in default : success 715
ISAKMP (0:7): found peer pre-shared key matching 11.11.22.5
ISAKMP (0:7) local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP (0:7): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0:7): atts are acceptable. Next payload is 0
ISAKMP (0:7): processing vendor id payload
ISAKMP (0:7): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0:7): vendor ID is NAT-T v7
ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP (7): Total payload length: 12
ISAKMP (0:7): sending packet to 11.11.22.5 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP (0:7): Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP (0:7): received packet from 11.11.22.5 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
ISAKMP (0:7): processing ID payload. message ID = 0
ISAKMP (0:7): ID payload
next-payload : 8
type : 1
address : 173.30.0.70
protocol : 17
port : 0
length : 12
ISAKMP (0:7): processing HASH payload. message ID = 0
ISAKMP (0:7): SA authentication status: authenticated
ISAKMP (0:7): SA has been authenticated with 11.11.22.5
ISAKMP: Created a peer struct for 11.11.22.5, peer port 4500
ISAKMP: Locking peer struct 0x63C23A3C, IKE refcount 1 for from crypto_ikmp_udp_enc_ike_init
ISAKMP (0:7): Setting UDP ENC peer struct 0x63CC1D58 sa= 0x63D9B640
ISAKMP (0:7): peer matches *none* of the profiles
ISAKMP (0:7): beginning Quick Mode exchange, M-ID of 517994909
ISAKMP (0:7): sending packet to 11.11.22.5 my_port 4500 peer_port 4500 (I) QM_IDLE
ISAKMP (0:7): Node 517994909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP (0:7): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP (0:7): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (0:7): received packet from 11.11.22.5 dport 4500 sport 4500 Global (I) QM_IDLE
ISAKMP: set new node 515197326 to QM_IDLE
ISAKMP (0:7): processing HASH payload. message ID = 515197326
ISAKMP (0:7): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1307395945, message ID = 515197326, sa = 63D9B640
ISAKMP (0:7): deleting spi 1307395945 message ID = 517994909
ISAKMP (0:7): deleting node 517994909 error TRUE reason "delete_larval"
ISAKMP (0:7): deleting node 515197326 error FALSE reason "informational (in) state 1"
ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP (0:7): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Question 1:
Is there any special reason why transporting a GRE/IPsec tunnel with ESP tunnel mode does not work? I have found
many Cisco links where this seems possible. I just do not understand why this is not working in my setup.
My understanding of ESP, which can be wrong, is that there is no authentication of the IP address or UDP port, so
using tunnel or transport mode to transport a GRE tunnel/IPsec over a network using NAT and PAT should be transparent.
I have not found a similar issue when I am only transporting ESP traffic over a NAT and PAT network.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
Question 2:
The GRE/IPsec tunnel can also only be established with IPsec NAT Transparency (ESP traffic gets re-encapsulated into UDP 4500). I just cannot establish a GRE/IPsec tunnel with NAT transparency disabled (no crypto ipsec nat-transparency udp-encaps), even if the whole network is aware of IPsec by using the two following commands:
ip nat inside source static esp 173.30.0.70 interface interface
ip nat inside source static udp 173.30.0.70 500 interface interface 500
It seems that I cannot establish a GRE tunnel with NAT Transparency disabled using either tunnel or transport mode.
Here is the debug crypto isakmp output:
ISAKMP (0:1): received packet from 192.168.1.79 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -1581622824 to QM_IDLE
ISAKMP (0:1): processing HASH payload. message ID = -1581622824
ISAKMP (0:1): processing SA payload. message ID = -1581622824
ISAKMP (0:1): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0:1): atts are acceptable.
ISAKMP (0:1): IPSec policy invalidated proposal
ISAKMP (0:1): phase 2 SA policy not acceptable! (local 173.30.0.70 remote 192.168.1.79)
ISAKMP: set new node 1242946879 to QM_IDLE
ISAKMP (0:1): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1674024756, message ID = 1242946879
sending packet to 192.168.1.79 my_port 500 peer_port 500 (R) QM_IDLE
purging node 1242946879
deleting node -1581622824 error TRUE reason "quick mode rejected"
Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1581622824: state = IKE_QM_READY
Node -1581622824, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_READY New State = IKE_QM_READY
Thanks for your help
Stephane
02-28-2011 02:30 PM
Stephane,
Did you get anyone to look into this?
The logs you indicate show a problem with phase 2 parameters.
Also, you cannot disable NAT detection, which will kick in and try NAT-T.
There should not be a problem with using tunnel mode, but the parameters should agree.
Marcin
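Both debug excerpts in the thread end in PROPOSAL_NOT_CHOSEN (the initiator side in Question 1, the responder side in Question 2), and Marcin's reply points at the phase 2 parameters. As an added example, not code from the thread or from Cisco, here is a small Python script that pulls the Quick Mode proposal attributes out of `debug crypto isakmp` output and compares them with the transform set configured locally. The two debug samples inside are constructed from the lines posted above; `LOCAL_TS` is an assumed local configuration (transport mode, as the original poster reports works), not anything taken from the thread.

```python
"""Pull the Quick Mode (phase 2) proposal out of Cisco `debug crypto isakmp` output
and compare it with the transform set configured locally. Added example for this
thread, not code from the post or from Cisco; excerpts constructed from the post,
LOCAL_TS is an assumed local configuration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Responder-side excerpt (Question 2): proposal parsed, then rejected by local policy.
RESPONDER_DEBUG = """\
ISAKMP (0:1): received packet from 192.168.1.79 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: transform 1, ESP_DES
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0:1): IPSec policy invalidated proposal
ISAKMP (0:1): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1674024756, message ID = 1242946879
"""
# Initiator-side excerpt (Question 1): only the peer's rejection is visible on this side.
INITIATOR_DEBUG = """\
ISAKMP (0:7): received packet from 11.11.22.5 dport 4500 sport 4500 Global (I) QM_IDLE
ISAKMP (0:7): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1307395945, message ID = 515197326, sa = 63D9B640
"""

@dataclass
class Phase2Offer:
    transform: str                       # cipher as the debug names it, e.g. ESP_DES
    encaps_code: int = 0                 # IPsec DOI encapsulation mode: 1 Tunnel, 2 Transport
    encaps_name: str = ""
    authenticator: Optional[str] = None  # e.g. HMAC-MD5
    life: Dict[str, int] = field(default_factory=dict)  # {"seconds": 3600, "kilobytes": 4608000}

@dataclass
class QuickModeResult:
    peer: Optional[str]
    offer: Optional[Phase2Offer]
    policy_invalidated: bool    # "IPSec policy invalidated proposal" logged on this side
    not_chosen_sent: bool       # this side sent NOTIFY PROPOSAL_NOT_CHOSEN
    not_chosen_received: bool   # the peer sent NOTIFY PROPOSAL_NOT_CHOSEN

# Assumed local side, i.e. `crypto ipsec transform-set TS esp-des esp-md5-hmac` with
# `mode transport`: mirrors the poster's observation that only transport mode comes up.
LOCAL_TS = Phase2Offer("ESP_DES", 2, "Transport", "HMAC-MD5")

def parse_quick_mode(debug: str) -> QuickModeResult:
    peer, offer, unit = None, None, None
    invalidated = sent = received = False
    for line in debug.splitlines():
        if m := re.search(r"received packet from (\S+) dport", line):
            peer = m.group(1)
        elif m := re.search(r"transform \d+, (\S+)$", line):
            offer = Phase2Offer(transform=m.group(1))
        elif offer and (m := re.search(r"encaps is (\d+) \(([^)]+)\)", line)):
            offer.encaps_code, offer.encaps_name = int(m.group(1)), m.group(2)
        elif offer and (m := re.search(r"SA life type in (\w+)", line)):
            unit = m.group(1)               # the next "life duration" line is in this unit
        elif offer and (m := re.search(r"life duration \(basic\) of (\d+)", line)):
            offer.life[unit] = int(m.group(1))
        elif offer and (m := re.search(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+ ?)+)", line)):
            # variable-length value printed as bytes: 0x0 0x46 0x50 0x0 -> 0x465000 == 4608000
            offer.life[unit] = int("".join(f"{int(t, 16):02x}" for t in m.group(1).split()), 16)
        elif offer and (m := re.search(r"authenticator is (\S+)", line)):
            offer.authenticator = m.group(1)
        elif "IPSec policy invalidated proposal" in line:
            invalidated = True
        elif "Sending NOTIFY PROPOSAL_NOT_CHOSEN" in line:
            sent = True
        elif "processing NOTIFY PROPOSAL_NOT_CHOSEN" in line:
            received = True
    return QuickModeResult(peer, offer, invalidated, sent, received)

def mismatches(offer: Phase2Offer, local: Phase2Offer) -> List[str]:
    """Differences that make a responder answer PROPOSAL_NOT_CHOSEN. Lifetimes are
    deliberately not compared: IKEv1 negotiates them down instead of rejecting."""
    out = []
    if offer.transform != local.transform:
        out.append(f"cipher: peer offers {offer.transform}, local is {local.transform}")
    if offer.authenticator != local.authenticator:
        out.append(f"authenticator: peer offers {offer.authenticator}, local is {local.authenticator}")
    if offer.encaps_name.lower() != local.encaps_name.lower():
        out.append(f"encapsulation mode: peer offers {offer.encaps_name}, local is {local.encaps_name}")
    return out

def diagnose(debug: str, local: Phase2Offer) -> List[str]:
    res = parse_quick_mode(debug)
    if res.offer is None:
        if res.not_chosen_received:
            return [f"peer {res.peer} rejected our phase 2 proposal; the reason is only logged "
                    "on the peer: look for 'IPSec policy invalidated proposal' in its debug"]
        return ["no Quick Mode proposal in this excerpt"]
    findings = mismatches(res.offer, local)
    if res.policy_invalidated and not findings:
        findings.append("rejected although the transform set matches: check the crypto ACL "
                        "(proxy identities) and which transform set the crypto map or profile uses")
    return findings
```

Run against the responder excerpt with the assumed transport-mode transform set, `diagnose()` reports the one attribute that differs (peer offers Tunnel, local is Transport); with a matching transform set it falls back to pointing at the crypto ACL, which is the other common reason for "IPSec policy invalidated proposal". The initiator excerpt carries no proposal attributes at all, only the peer's NOTIFY, which is why the responder's debug is the one to read when Quick Mode fails.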