GRE Tunnel with IPSEC Protection behind NAT

Robert Craig · ‎02-12-2015

I have a DMVPN spoke behind an ASA. The ASA is performing nat for this site. Is there anything special that I need to do on the spoke side to keep the tunnel stable? It stays up for about 3 or 4 minutes, then drops for 30 seconds, then back up again. I can see a peer trying to establish on the hub "show crpyto isakmp sa" with the public IP of the spoke, but when the tunnel drops, it is trying to form an SA with the private IP of the spoke router. I've tried using "mode transport" on the transform set, but that just breaks the tunnel completely. Any help is appreciated.

Robert

AllertGen · ‎02-13-2015

Hello, Robert Craig.

Does your ASA use NAT only for one spoke? Or there is anothers too? Did you use "mode transport" only at the spoke side (you should use it at the hub first and after this you should use this command at the spokes)? If "mode transport" not works you can try configure PAT at your ASA for this router.

Best Regards.

Robert Craig · ‎02-13-2015

No, there is only one spoke behind the ASA at this site. I only used "mode transport" at the spoke side, but haven't tried using it at the hub first. I might just have to do a PAT on the ASA. If I end up doing a PAT, would it be UDP 500?

Robert

AllertGen · ‎02-13-2015

Hi, Robert Craig.

At first try to make a "mode transport" at the hub. By manuals there is information that you need to do it first at the hub and only after this at the spokes.

For PAT it will be 500 UDP (but if it won't be anough than 4500 UDP, AH and ESP protocols).

Best Regards.

Robert Craig · ‎02-13-2015

OK, I added "mode transport" at the hub, no effect. I can still see the tunnel drop and a peer trying to form with the private IP. Think I should add it at the spoke now and see how it performs?

Robert

Robert Craig · ‎02-13-2015

OK, I added mode transport on both the hub and the spoke. The tunnel is staying up now. Thanks for the tip!

Robert