IPSec Virtual Tunnel Interface Behind NAT

sahmadhashmi
Level 1

Topology

(Topology diagram attached as an image in the original post.)

Problem Description

I have a topology in EVE-NG with 3 CSRv and 1 ISRv routers. In that topology I created an IPsec tunnel over VTI. The problem I'm facing is that the tunnel interface on the router on side 1 is down (line protocol is down, but the status is up); however, the tunnel interface on the router on side 2 is up (line protocol is up). Also, I'm doing NAT on the Edge_R1 router on side 1.

Please help me understand why IPsec is not coming up, and why the tunnel interface on side 1 is down.

I'm attaching the configuration script of the routers.


Accepted Solution

First fast review:
The tunnel in the ISR uses a tunnel source IP that is not directly connected to the router?
It must use g1.
Change it and check.

MHM


8 Replies

Which IKE version are you using, v1?

Share the config of both VTI sides if you can.

MHM

balaji.bandi
Hall of Fame

Post the configuration and make sure your NAT is working for the requirement.

For IPsec, you need to open / forward / PAT the following:

  • UDP 500
  • UDP 4500
  • ESP

Enable debug and check.

I'm attaching the configuration script of the routers.

Attach the configuration of all devices.


BB

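Putting the two points made in this thread together (MHM's accepted fix of sourcing the VTI from the directly connected interface, and BB's list of what the NAT device must pass), here is an added IOS configuration example. It is not the poster's attached configuration; all addresses, interface roles, names and pre-shared keys below are assumptions chosen for illustration. It shows the side-1 ISR behind Edge_R1 (PAT plus static forwards for UDP 500 and 4500), the side-2 CSR peering with the NAT public address, and IKEv2 identities set to key-ids so that the private address behind NAT does not have to appear in the peer's identity match.

```cisco
!===== Edge_R1 (side 1 NAT device) -- assumed addressing =====
interface GigabitEthernet1
 description inside, towards the ISR (10.1.1.2)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet2
 description outside / Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip access-list standard NAT_INSIDE
 permit 10.1.1.0 0.0.0.255
!
! PAT for ordinary traffic
ip nat inside source list NAT_INSIDE interface GigabitEthernet2 overload
! Static forwards so the side-2 peer can initiate IKE (UDP 500) and NAT-T (UDP 4500)
! to the ISR. ESP (IP protocol 50) cannot be port-forwarded by PAT; once IKEv2
! detects the NAT, ESP is carried inside UDP 4500, so this forward covers data traffic too.
ip nat inside source static udp 10.1.1.2 500  203.0.113.1 500  extendable
ip nat inside source static udp 10.1.1.2 4500 203.0.113.1 4500 extendable

!===== ISR (side 1, behind NAT) =====
crypto ikev2 proposal IKEV2_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2_POL
 proposal IKEV2_PROP
!
crypto ikev2 keyring KR
 peer SIDE2
  address 198.51.100.2
  pre-shared-key local  Side1Key-assumed
  pre-shared-key remote Side2Key-assumed
!
crypto ikev2 profile IKEV2_PROF
 ! key-id identities: the ISR's real address (10.1.1.2) is hidden by NAT,
 ! so do not make the peer match on it
 match identity remote key-id SIDE2
 identity local key-id SIDE1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROF
 set transform-set TS
 set ikev2-profile IKEV2_PROF
!
interface GigabitEthernet1
 ip address 10.1.1.2 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ! The tunnel source must be an interface/address that exists on THIS router.
 ! Sourcing from the NAT public address 203.0.113.1 (the mistake in the thread)
 ! leaves the line protocol down, because that address is not directly connected.
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1

!===== CSR (side 2, public address) =====
! Same proposal/policy/transform-set/profile names as above, with the
! keyring and identities mirrored:
crypto ikev2 keyring KR
 peer SIDE1
  ! IKE packets from side 1 arrive from the NAT public address, not 10.1.1.2
  address 203.0.113.1
  pre-shared-key local  Side2Key-assumed
  pre-shared-key remote Side1Key-assumed
!
crypto ikev2 profile IKEV2_PROF
 match identity remote key-id SIDE1
 identity local key-id SIDE2
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF
```

IKEv2 NAT traversal is enabled by default on IOS, so no extra command is needed for the UDP 4500 encapsulation. To verify: `show crypto ikev2 sa` should list the SA with the remote port 4500 once NAT has been detected, `show crypto ipsec sa` should show encaps/decaps counters increasing on both sides, and `show interfaces Tunnel0` should report line protocol up on the ISR as soon as the tunnel source is a directly connected interface.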

ccieexpert
Level 4

Run the debugs as listed in this link:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

That should give you an idea, or attach the config.

sahmadhashmi
Level 1

Thanks all for your responses.
I'm using IKEv2, and I have checked the NAT translations; they are working as expected.

Also, I have attached the configuration of the routers.


Thanks MHM. Yes, after changing the source to Gig1, the tunnel came up and started to work.

Thanks for your help! Appreciated.

Thanks everyone for your help.

juliawhites87
Level 1

It sounds like your issue might be related to NAT interfering with the IPsec tunnel establishment. Ensure that NAT traversal (NAT-T) is enabled on both sides of the tunnel. Also, check if your ACLs are correctly configured to allow IPsec traffic through the NAT device.