ipsec vpn NAT traversal doubt

lvpin Lv
Level 1

Topology

【R1】- 12.1.1.1 - F0/0 -- 12.1.1.2 -【R2】- 23.1.1.2 - F0/1 - 23.1.1.3 -【R3】- 34.1.1.3 - F0/0 -- 34.1.1.4 -【R4】

Requirements

R2 is a NAT device: F0/0 inside, F0/1 outside

R3 is a NAT device: F0/0 inside, F0/1 outside

R1 and R4 establish an IPsec VPN and exchange encrypted traffic

running-config

————————————R1 show running-config ————————————

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 34.1.1.4
crypto isakmp nat keepalive 5
!
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map l2l 1 ipsec-isakmp
set peer 34.1.1.4
set transform-set ccie
match address 100

interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
speed auto
duplex auto
crypto map l2l
!

ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
access-list 100 permit ip host 12.1.1.1 host 34.1.1.4

————————————R1 show running-config ————————————

————————————R2 show running-config ————————————

!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip nat inside
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 23.1.1.2 255.255.255.0
ip nat outside
speed auto
duplex auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static esp 12.1.1.1 interface FastEthernet0/1
ip nat inside source static udp 12.1.1.1 500 interface FastEthernet0/1 500
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 34.1.1.0 255.255.255.0 23.1.1.3
!
access-list 1 permit 12.1.1.1
!

————————————R2 show running-config ————————————

————————————R3 show running-config ————————————

!
interface FastEthernet0/0
ip address 34.1.1.3 255.255.255.0
ip nat inside
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 23.1.1.3 255.255.255.0
ip nat outside
speed auto
duplex auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static esp 34.1.1.4 interface FastEthernet0/1
ip nat inside source static udp 34.1.1.4 500 interface FastEthernet0/1 500
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 12.1.1.0 255.255.255.0 23.1.1.2
!
access-list 1 permit 34.1.1.4
!

————————————R3 show running-config ————————————

————————————R4 show running-config ————————————

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 12.1.1.1
crypto isakmp nat keepalive 5
!
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map l2l 1 ipsec-isakmp
set peer 12.1.1.1
set transform-set ccie
match address 100
!
!
!
!
!
interface FastEthernet0/0
ip address 34.1.1.4 255.255.255.0
speed auto
duplex auto
crypto map l2l
!

ip route 0.0.0.0 0.0.0.0 34.1.1.3
!
access-list 100 permit ip host 34.1.1.4 host 12.1.1.1
!

————————————R4 show running-config ————————————

Questions

1.

R1#ping 34.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.1.1.4, timeout is 2 seconds:

*Mar 6 17:08:12.799: %CRYPTO-4-IKMP_NO_SA: IKE message from 23.1.1.3 has no SA and is not an initialization offer...

2.

R2(config)#ip nat inside source static udp 12.1.1.1 4500 interface FastEthernet0/1 4500
%Port 4500 is being used by system

How can I solve this and get the IPsec VPN to establish normally?

Software version

GNS3:c7200-adventerprisek9-mz.152-4.S2

R2#show version
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 11-Dec-12 13:32 by prod_rel_team

ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S2, RELEASE SOFTWARE (fc1)

R2 uptime is 1 hour, 48 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
--More--
*Mar 6 17:12:34.027: %SYS-5-CONFIG_I: Configured from console by console
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1

Last reset from power-on

PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 400 bandwidth points.
This configuration is within the PCI bus capacity and is supported.

PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.

Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.


2 FastEthernet interfaces
509K bytes of NVRAM.

8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

R2#
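One way to turn the two symptoms in the post into a repeatable check, as an added example that is not part of the original post: this Python script parses the R1 crypto map, the R2 static NAT entries and the %CRYPTO-4-IKMP_NO_SA line quoted above (all addresses are the post's own), and reports which of the two NAT-T ports (UDP 500 and 4500) are not forwarded to the inside peer and that the IKE reply arrived from 23.1.1.3, R3's outside address, which R1 has no peer configured for. The function name check_nat_t and the dict layout are my own choices.

```python
import re

# Constructed sample input: excerpts of the R1 and R2 configs and the
# %CRYPTO-4-IKMP_NO_SA line exactly as they appear in the post above.
R1_CONFIG = """
crypto isakmp key cisco123 address 34.1.1.4
crypto map l2l 1 ipsec-isakmp
 set peer 34.1.1.4
 set transform-set ccie
 match address 100
"""
R2_CONFIG = """
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static esp 12.1.1.1 interface FastEthernet0/1
ip nat inside source static udp 12.1.1.1 500 interface FastEthernet0/1 500
"""
R1_SYSLOG = ("*Mar 6 17:08:12.799: %CRYPTO-4-IKMP_NO_SA: IKE message from "
             "23.1.1.3 has no SA and is not an initialization offer...")

PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)
STATIC_UDP_RE = re.compile(
    r"^ip nat inside source static udp (\S+) (\d+) interface \S+ (\d+)", re.M)
NO_SA_RE = re.compile(r"%CRYPTO-4-IKMP_NO_SA: IKE message from (\S+) has no SA")

def check_nat_t(initiator_cfg, nat_cfg, inside_host, log_line):
    """Audit the initiator's crypto map and its NAT device for the two things
    IKE/IPsec NAT traversal needs: UDP 500 and 4500 forwarded unchanged to the
    inside peer, and a configured peer address that matches the source address
    of the IKE replies that actually arrive (the remote NAT's outside address)."""
    peers = PEER_RE.findall(initiator_cfg)
    forwarded = {int(in_port) for host, in_port, out_port in STATIC_UDP_RE.findall(nat_cfg)
                 if host == inside_host and in_port == out_port}
    missing = [p for p in (500, 4500) if p not in forwarded]
    unexpected = None
    m = NO_SA_RE.search(log_line)
    if m and m.group(1) not in peers:
        unexpected = m.group(1)  # replies come from an address R1 has no SA with
    return {"peers": peers, "forwarded_udp_ports": sorted(forwarded),
            "missing_udp_ports": missing, "unexpected_ike_source": unexpected}

if __name__ == "__main__":
    result = check_nat_t(R1_CONFIG, R2_CONFIG, "12.1.1.1", R1_SYSLOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["unexpected_ike_source"]:
        print("IKE replies arrive from the remote NAT's outside address; "
              "the crypto map peer and isakmp key must name that address.")
```

Run it as-is to reproduce the post's state (UDP 4500 not forwarded, replies from 23.1.1.3 not matching peer 34.1.1.4); feed it the R4/R3 pair to audit the other direction.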
