11-28-2002 03:02 AM - edited 02-21-2020 12:12 PM
Hello all
On IOS 12.2.13T IPSec NAT Transparency has been implemented, so if the client is behind a PAT mechanism it will be able to work (till now, we had to use a VPN Concentrator for that).
The bad news is that it didn't work for me.. Although I upgraded my cisco1751 to that version, when my client connects I get "Transparent Tunneling: Inactive" on my client. With the same client, on a VPN Concentrator, I get 'Active' and it works..
According to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm#xtocid12 which describes the new IOS feature, there isn't much I should do in order to enable IPSEC NAT Transparency..
Is there anyone that made this feature work?
Regards
11-28-2002 03:58 PM
I think you might have the wrong idea about this new feature. Are you thinking that this allows you to connect a Cisco VPN client in IPSec over UDP mode, like you can to a VPN concentrator?
If so, this is not what this is used for. This new feature, NAT-T, is a new standards-based feature that allows IPSec gateways to automatically detect if there's a NAT/PAT device in between them and their IPSec peer, and if so, automatically encapsulate the IPSec packets into UDP port 4500 packets.
NAT-T was introduced in the VPN Client in 3.6 and later, and was introduced in the router in 12.2(13)T as you have seen, so make sure you're running at least 3.6 of the client code. Make sure you have UDP port 4500 open between the router and client also.
Remember though, this is NOT IPSec over UDP like you're used to with the concentrator. It works similarly, but is different, and I don't think you see any "Transparent Tunnelling: active" on the client if it detects that it needs to use NAT-T. In clients 3.6 and above they'll first try to connect using the standards-based NAT-T (UDP port 4500), and then (if enabled) they'll try with the non-standard "IPsec over UDP" on port 10000.
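The two mechanisms Glen describes, automatic NAT detection and UDP port 4500 encapsulation, can be shown in a few lines. The following is an added example written for this thread, not code from the thread, from Cisco, or from the IOS/VPN Client implementation. It follows the published NAT-T standards (RFC 3947 for the NAT-D hash, RFC 3948 for the UDP framing, the successors of the IETF draft cited further down in the thread); SHA-1 is assumed as the negotiated IKE hash, and every cookie, address and port value is a constructed sample. The classifier at the end is the kind of check that tells you whether IKE and ESP on UDP/4500 are actually getting through the path Glen says must be open.

```python
"""NAT-T walkthrough (added example, not Cisco code):
1. NAT-D payload hashes (RFC 3947 sec 4) let each IKE peer discover a NAT/PAT in the path.
2. Once a NAT is found, IKE and ESP move to UDP/4500 and are framed per RFC 3948.
All cookies, addresses and ports below are constructed sample values."""
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried on UDP/4500 (RFC 3948 sec 2.2)
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that holds the PAT mapping open


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Contents of a NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    The hash algorithm is the one negotiated in IKE phase 1; SHA-1 is assumed here."""
    addr = socket.inet_aton(ip)                     # 4-byte IPv4 address
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_between_peers(cky_i: bytes, cky_r: bytes, peer_nat_d: list,
                      observed_ip: str, observed_port: int) -> bool:
    """Receiver side of NAT discovery. The peer sent NAT-D hashes of the
    address/port it believes it is sending from (one per local address it has).
    We hash the source address/port we actually see on the packet; if none of
    the peer's hashes match, something rewrote the packet on the way, i.e. NAT/PAT."""
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return seen not in peer_nat_d


def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP/4500 datagram payload by its RFC 3948 framing:
    a lone 0xFF byte  -> NAT keepalive
    four zero bytes   -> IKE (non-ESP marker; a real SPI is never 0)
    anything else     -> UDP-encapsulated ESP, starting with SPI and sequence number"""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_len": len(payload) - 4}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed", "len": len(payload)}


def demo():
    """Constructed scenario: a VPN client behind a PAT box talks to a router."""
    cky_i = bytes.fromhex("0123456789abcdef")       # initiator cookie (sample)
    cky_r = bytes.fromhex("fedcba9876543210")       # responder cookie (sample)
    # The client believes it is 192.168.1.10:500; the router actually sees the
    # PAT box's public address 203.0.113.5 and a translated source port.
    client_nat_d = [nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)]
    natted = nat_between_peers(cky_i, cky_r, client_nat_d, "203.0.113.5", 61234)
    direct = nat_between_peers(cky_i, cky_r, client_nat_d, "192.168.1.10", 500)
    # Three constructed UDP/4500 payloads as a capture on the router would show them.
    samples = {
        "keepalive": NAT_KEEPALIVE,
        "ike": NON_ESP_MARKER + bytes(28),                       # zeroed 28-byte IKE header
        "esp": struct.pack("!II", 0xC0FFEE01, 7) + bytes(32),   # SPI, seq, then ciphertext
    }
    kinds = {name: classify_udp4500(p)["kind"] for name, p in samples.items()}
    return natted, direct, kinds


if __name__ == "__main__":
    natted, direct, kinds = demo()
    print("NAT detected behind PAT:", natted, "| direct path:", direct)
    print("UDP/4500 payload kinds:", kinds)
```

If a capture on the router's outside interface shows only the port 500 exchange and never any "ike" or "esp" datagrams on 4500, the path is blocking UDP/4500 and the client will fall back (if allowed) to the non-standard port 10000 mode.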
11-29-2002 02:39 PM
Anyway, it is NOT working at all: I just upgraded an 826 to 12.2.13T IP/FW/VOICE PLUS 3DES (it is the only one available with FW and VPN, why voice?... no idea) and it is absolutely not working.
After the establishment of the ipsec connection (without NAT/UDP) the VPN disconnects after some seconds (from 2 to 40 sec)
"debug crypto ipsec" tells me:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
I downgraded to the previous release (without changing the config) and it works again (at least the ipsec vpn without NAT-T)
I didn't try to put a NAT router in between
regards
11-30-2002 03:21 AM
Hi Glen,
Your posting is always very helpful. I really appreciate your detailed answer.
Are you online on the "eSupport" forum also ?
Best Regards,
Engelhard M. Labiro
12-01-2002 11:58 PM
Thanx a lot for your answer, I actually used client ver 3.6 and my problem was solved. Thanx again
12-02-2002 05:00 AM
One last question..
You are referring to a 'NAT-T, a new standards-based feature..'
What standards are you referring to? Is there an RFC or any other document describing the above?
Thanx again for your time!
12-05-2002 04:21 PM
So-named NAT-T is still not a standard. There is an IETF IPSec draft for it:
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-04.txt
Cisco supports it in the latest OSes for the VPN3K concentrator and the latest version (3.6) of the VPN client.
12-05-2002 11:34 PM
I retry!
For me, the new IOS 12.2.13T with NAT-T doesn't work. I loaded the new IOS on an 826:
After the establishment of the ipsec connection (without NAT/UDP) the VPN disconnects after some seconds (from 2 to 40 sec)
I started debugging (debug crypto ipsec):
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
I downgraded to the previous release (without changing the config) and it works again.
PLEASE HELP ME
regards
12-06-2002 02:56 AM
Don't worry. That seems to be a bug. Open a case in Cisco TAC, otherwise there is no guarantee that somebody will fix it.
03-08-2003 03:16 AM
Looks like several of us have fallen prey to the same bug. You may find it interesting to read my post of 08-Mar-2003 with the title "ios bugs 12.2(13)T + 12.2(13)T1 break client-to-router vpn on 806"