IPSec Identity Address

Daniel Smith
Level 1

I have built a lab setup to test an encrypted GRE tunnel between my company and another. At our side, the router is in a DMZ, and the IP address (10.97.230.245) gets translated into a public IP as it hits the Internet. When I apply the IPSEC configuration, the tunnel breaks. Digging into the issue, I see on the far end router that the IP address associated with the IPSEC peering is still the 10.97.230.245, instead of its translated value. Is there something I need to do at the near end router (my side) so that it uses its translated IP for the IPSEC session?

2 Replies

Marcin Latosiewicz
Cisco Employee

IKE doesn't require the IP address in the header to be equal to the ISAKMP identity.

Check if you have NAT-T enabled first of all. Then check where it breaks - check isakmp and ipsec debugs (both sides).

After tweaking around a bit, I was not able to precisely re-create this situation. However, when I changed to IPSEC transport mode, all is now working.
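
How a NAT-T capable peer notices the translation discussed in this thread, as an added example that is not part of the original posts: RFC 3947 NAT-D payloads carry a hash of the address and port the sender believes it is using, and the receiver recomputes that hash from what it sees on the wire. The cookies and the public address 203.0.113.10 are constructed sample values; 10.97.230.245 is the DMZ address from the question, and the function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def peer_is_behind_nat(received_nat_d, cky_i, cky_r, seen_ip, seen_port):
    """Far end: recompute the hash from the packet's source address and port.
    A mismatch means the address or port was rewritten in transit."""
    expected = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return not hmac.compare_digest(received_nat_d, expected)

# Constructed sample values (not from a real capture).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
DMZ_IP = "10.97.230.245"      # near-end router address from the question
PUBLIC_IP = "203.0.113.10"    # constructed stand-in for the translated address

# Near end hashes the address it is configured with.
sent = nat_d_hash(CKY_I, CKY_R, DMZ_IP, 500)

if __name__ == "__main__":
    print("NAT seen through translation:",
          peer_is_behind_nat(sent, CKY_I, CKY_R, PUBLIC_IP, 500))
    print("NAT seen without translation:",
          peer_is_behind_nat(sent, CKY_I, CKY_R, DMZ_IP, 500))
```

When both peers support NAT-T and the hashes disagree, IKE moves to UDP port 4500 and ESP is UDP-encapsulated, which is what to look for in the isakmp debugs on both sides.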