03-20-2017 07:10 AM
I have a few ASA 5505s in some remote offices and they connect back to our corporate office Meraki firewall. They only work correctly when they use NatT. However, they don't always make a connection that way. They will frequently connect via IKEv1 IPsec, which doesn't work. I have to connect via the ASDM, log out the VPN and then it will connect via IKEv1IPsecOverNatT.
My question is, is there a way to force the 5505s to always connect using NatT?
Eric
03-20-2017 07:55 AM
If you use ASDM:
- Configuration>Site-to-Site VPN>Advanced
- NAT Transparency (check Enable IPsec over NAT-T)
- Optionally force to TCP with the Enable IPsec over TCP.
If you prefer the command line, in global configuration enter
crypto isakmp nat-traversal
03-21-2017 02:25 AM
Meraki MX doesn't support IPsec over TCP and NAT-T is very likely already enabled.
I don't think that you can force the usage of NAT-T. It's by design that the UDP encapsulation is only used if NAT is detected.
I see two solutions:
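An added example, not from this thread or from Cisco, of the NAT detection step that the reply above describes (RFC 3947 NAT-D payloads): each side hashes the ISAKMP cookies with the IP and port it sees, and UDP 4500 encapsulation is only chosen when a hash disagrees. Cookie values and addresses below are constructed.

```python
import hashlib
import ipaddress
import struct

# Constructed sample ISAKMP cookies (8 bytes each), not taken from any real session.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), using the phase 1 hash."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def build_nat_d(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port, hash_name="sha1"):
    """Sender side: first payload is its view of the peer, the rest its own address(es)."""
    return (nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name),
            [nat_d_hash(cky_i, cky_r, my_ip, my_port, hash_name)])

def detect_nat(cky_i, cky_r, my_ip, my_port, seen_ip, seen_port,
               dst_hash, src_hashes, hash_name="sha1"):
    """Receiver side: my_* is this side's own address, seen_* the peer's address on the packet."""
    # The peer hashed the address it sent to; if that is not ours, we were translated en route.
    local_nat = dst_hash != nat_d_hash(cky_i, cky_r, my_ip, my_port, hash_name)
    # The peer hashed its own address(es); if none match the observed source, the peer is behind NAT.
    peer_nat = nat_d_hash(cky_i, cky_r, seen_ip, seen_port, hash_name) not in src_hashes
    # Only this outcome moves the tunnel from UDP 500 / plain ESP to UDP 4500 encapsulation.
    return {"local_nat": local_nat, "peer_nat": peer_nat, "use_nat_t": local_nat or peer_nat}

def negotiate(init_ip, init_port, resp_ip, resp_port, translated_ip=None, translated_port=None):
    """Both sides of the exchange; translated_* is the initiator as seen through a NAT, if any."""
    dst_hash, src_hashes = build_nat_d(CKY_I, CKY_R, init_ip, init_port, resp_ip, resp_port)
    seen_ip, seen_port = translated_ip or init_ip, translated_port or init_port
    return detect_nat(CKY_I, CKY_R, resp_ip, resp_port, seen_ip, seen_port, dst_hash, src_hashes)

if __name__ == "__main__":
    # Public-to-public path: no NAT detected, so the peers stay on UDP 500 and plain ESP.
    print(negotiate("198.51.100.10", 500, "203.0.113.20", 500))
    # Remote-office device behind a NAT: the responder sees a different source, NAT-T is selected.
    print(negotiate("192.168.1.10", 500, "203.0.113.20", 500, "198.51.100.10", 41000))
```

Because the decision is derived from what each side observes on the wire, a peer whose public address is not translated will never select NAT-T, which is why it cannot simply be forced from the configuration.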
03-21-2017 04:20 AM
This didn't work. The VPNs still try to connect via IKEv1 IPsec.
Eric
03-21-2017 04:16 AM
03-21-2017 04:21 AM
This isn't an option as the Meraki MX series firewalls only support IKEv1.
Eric