2540 Views, 0 Helpful, 5 Replies

IKEv1 IPsecOverNatT

Eric Stein
Level 1

I have a few ASA 5505s in some remote offices and they connect back to our corporate office Meraki firewall.  They only work correctly when they use NAT-T.  However, they don't always make a connection that way.  They will frequently connect via IKEv1 IPsec, which doesn't work.  I have to connect via the ASDM, log out the VPN, and then it will connect via IKEv1IPsecOverNatT.

My question is, is there a way to force the 5505s to always connect using NAT-T?

Eric

5 Replies

Michael Beck
Level 1

If you use ASDM:

- Configuration > Site-to-Site VPN > Advanced
- NAT transparency (check Enable IPsec over NAT-T)
- Optionally force to TCP with Enable IPsec over TCP.

If you prefer the command line, in global configuration enter:

```
crypto isakmp nat-traversal
```

Meraki MX doesn't support IPsec over TCP and NAT-T is very likely already enabled.

I don't think that you can force the usage of NAT-T. It's by design that UDP encapsulation is only used if NAT is detected.

I see two solutions:

  1. Put your remote ASAs behind a NAT router, as is often done in HO/SO environments. Then the connection will always use UDP encapsulation. Personally, I wouldn't like that approach.
  2. Open a case with Cisco/Meraki and solve the real problem that it doesn't work. That should be the best option. You can open that case directly from the Meraki Dashboard.
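The reply above says UDP encapsulation is only used when NAT is detected, and that is decided during IKEv1 phase 1 by the NAT-D payloads of RFC 3947: each peer sends HASH(CKY-I | CKY-R | IP | Port) for the address it sees on the other side and for its own address, and the receiver recomputes both from what it actually observed. The following is an added illustration of that check, not code from this thread, from Cisco or from Meraki; the cookies and addresses are constructed sample values, the hash is assumed to be SHA-1 (in practice it is whatever hash the peers negotiated), and the peer names are hypothetical.

```python
import hashlib
import socket
import struct

# Constructed sample ISAKMP cookies (8 bytes each); not from any real session.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

# Constructed sample endpoints (hypothetical "remote ASA" and "hub" peers).
HUB_IP, HUB_PORT = "198.51.100.5", 500
ASA_PUBLIC_IP = "203.0.113.10"          # what the hub sees on the wire
ASA_PRIVATE_IP = "192.168.1.2"          # what the ASA believes its address is when behind NAT
NAT_TRANSLATED_PORT = 31234             # source port after a hypothetical NAT device


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port).
    IP is the 4-byte IPv4 address, Port is 2 bytes big-endian. SHA-1 is assumed here."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(socket.inet_aton(ip))
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port):
    """Sender side: first payload hashes the peer's address as the sender sees it,
    the remaining payload(s) hash the sender's own address(es)."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        nat_d_hash(cky_i, cky_r, own_ip, own_port),
    ]


def nat_detected(cky_i, cky_r, received, my_ip, my_port, observed_src_ip, observed_src_port):
    """Receiver side: recompute the hash of my own address and of the packet's observed
    source address. Any mismatch means a NAT rewrote addresses or ports on the path."""
    expected_view_of_me = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    expected_peer_self = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    first, rest = received[0], received[1:]
    i_am_behind_nat = first != expected_view_of_me
    peer_is_behind_nat = expected_peer_self not in rest
    return i_am_behind_nat or peer_is_behind_nat


def hub_detects_nat(asa_behind_nat):
    """Walk one exchange from the hub's point of view for the two cases in the thread."""
    if asa_behind_nat:
        # ASA hashes its private address; the NAT rewrites source IP and port in flight.
        payloads = build_nat_d_payloads(CKY_I, CKY_R, ASA_PRIVATE_IP, 500, HUB_IP, HUB_PORT)
        observed_ip, observed_port = ASA_PUBLIC_IP, NAT_TRANSLATED_PORT
    else:
        # ASA has a public address and nothing on the path rewrites the packet.
        payloads = build_nat_d_payloads(CKY_I, CKY_R, ASA_PUBLIC_IP, 500, HUB_IP, HUB_PORT)
        observed_ip, observed_port = ASA_PUBLIC_IP, 500
    return nat_detected(CKY_I, CKY_R, payloads, HUB_IP, HUB_PORT, observed_ip, observed_port)


def data_plane_port(asa_behind_nat):
    """Result of the decision: UDP 4500 encapsulation only when NAT was detected,
    otherwise plain ESP (no UDP port; returned as None)."""
    return 4500 if hub_detects_nat(asa_behind_nat) else None


if __name__ == "__main__":
    for case in (False, True):
        print(f"ASA behind NAT: {case!s:5}  NAT detected: {hub_detects_nat(case)!s:5}  "
              f"UDP port: {data_plane_port(case)}")
```

When both recomputed hashes match, the peers conclude there is no NAT and keep plain ESP, which is the "IKEv1 IPsec" state described in the question; no configuration knob changes that outcome, which is why the reply recommends fixing the reason plain ESP fails rather than trying to force NAT-T.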

This didn't work.  The VPNs still try to connect via IKEv1 IPsec.

Eric

willieaames25
Level 1

Use ikev2 then?

This isn't an option as the Meraki MX series firewall only supports IKEv1.

Eric