IPSec VPN with Private WAN Address...HELP!

Brandon James (Level 1)

I am trying to establish a Site-to-Site IPSec VPN back to my company's network. I am using a Cisco 2811. If I plug in a Public IP WAN connection my tunnel passes traffic with no problem, however if I put say a home router in the middle where the 2811 is pulling a private IP from the home router I no longer get a successful tunnel. Any suggestions?

I have the following statements.

FA 0/0
IP ADDRESS DHCP
CRYPTO MAP AESMAP

VLAN 1
IP ADDRESS XX.XX.XX.XX 255.255.255.240 (Public IP)

IP ROUTE 0.0.0.0 0.0.0.0 FA 0/0

If it helps clarify, the "home router" is a CradlePoint (CRT500) that takes the Mobile 3G and sends it out an ethernet port into the WAN port of my router. The setup stays mobile and I rarely get the chance to have a public IP for my WAN. Currently I use a SonicWall TX 100 router that allows me to VPN back to my company's network. We are hoping to move all our mobile kits to Cisco products but need to find a solution before that change can happen.

If I do "Show IP Crypto ISAKMP SA" it shows: XX.XX.XX.XX (PUBLIC)  <> 192.168.0.1     Active.

My thoughts are that my UDP 500 traffic makes it to the VPN router, and when the VPN router sends traffic back to the address it has the SA with it goes nowhere because it is a private IP address. From my limited knowledge of how the VPN works I think that during Phase 1 two addresses have to "bind" and NAT can not be used with VPN? But I hold out hope that this could be a somewhat fairly common issue and there is a procedure in place to get around it, or maybe I just have a bad configuration or IP route....

When I turn crypto map off on the FA 0/0 and add NAT to the FA 0/0 and VLAN 1 plus change my IP Route to "0.0.0.0 0.0.0.0 192.168.0.1" I get great non-vpn connectivity.  Also I have set the address my FA 0/0 gets to the DMZ of the Cradlepoint.

Thanks for any help anyone can provide!


Marcin Latosiewicz (Cisco Employee)

Brandon,

It's a little bit messy what you describe ;-)

If it works when on public WAN and doesn't work when "hidden" behind another device I would start by checking if NAT traversal is enabled on both ends of the tunnel. If not, enable it.

I'm not sure if CradlePoint has any L7 capabilities or can inspect the payload of IKE/ESP for SPI numbers...

"IP ROUTE 0.0.0.0 0.0.0.0 FA 0/0" is bad - you will proxy ARP for every single IP ;/ Fa is not a point-to-point link.

Marcin

Thanks for the response. I am really hoping to get a better understanding of how this all works.

(My Router )--Private IP Network->(CTR500)---public--->(((INTERNET)))<---public---(VPN Router)<----public----(Company Network)

Here is my router's config with the crypto map off. With the crypto map on I just remove the NAT statements from the interfaces and add the crypto map aesmap statement to fa 0/0. I must do this because of my need to have DHCP, and I get no DHCP with the crypto map on. Also you will see I changed my IP route from fa 0/0 to dhcp; is this the best way to have my IP route?

Current configuration : 1917 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Kit7
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address XX.XX.XX.XX XX.XX.XX.XX

!
ip dhcp pool DHCP_KIT_7
   network XXX.XXX.XXX.XXX 255.255.255.240
   dns-server XXX.XXX.XX.XX 8.8.8.8
   default-router XXX.XXX.XXX.XXX   lease 3
!
!
no ip domain lookup
ip domain name XXXXXXX.XXX.XXXXX.XXXXX

ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
username ******* privilege 15 password 0 ********

username ******* privilege 15 password 0 ********

archive
log config
  hidekeys
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key ********  address XXX.XXX.XX.XX

!
!
crypto ipsec transform-set AES-SET esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer XXX.XX.XX.XXX
set transform-set AES-SET
match address acl_vpn
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface Vlan1
ip address XX.XX.XX.XX 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
!
ip access-list extended acl_vpn
permit ip any any
!
access-list 1 permit XXX.XX.0.0 0.0.255.255
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
password cisco
login
!
end

NAT Traversal: I have tried to do some Google searching but to not much avail. Can anyone point me to some documents that can help explain what it is and how it will work in my situation?

Kit7#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
XXX.XXX.XXX.XXX   192.168.0.196   MM_KEY_EXCH       1005    0 ACTIVE
XXX.XXX.XXX.XXX   192.168.0.196   MM_KEY_EXCH       1004    0 ACTIVE
XXX.XXX.XXX.XXX   192.168.0.196   MM_NO_STATE       1003    0 ACTIVE (deleted)
XXX.XXX.XXX.XXX   192.168.0.196   MM_NO_STATE       1002    0 ACTIVE (deleted)

Kit7#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: aesmap, local addr 192.168.0.196

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer XXX.XXX.XXX.XXX port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 349, #recv errors 0

     local crypto endpt.: 192.168.0.196, remote crypto endpt.: XXX.XXX.XXX.XXX
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Brandon,

Re NAT-T

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_nat_transp_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1027186

Re. route:

Normally the default gateway has a static IP even if it's an RFC 1918 IP. So pointing the default route through that IP is best.

Your tunnels are stuck in MM KEY EXCHANGE, i.e. main mode 5 and main mode 6, so no IPsec SPI will be up yet; it still needs to finish IKE.

Two main things are done in MM5 and MM6:

- floating to nat-traversal port (udp/4500)

- exchanging keys

Please check if CradlePoint passes udp/4500 and if keys match on both sides of the tunnel.

One thing I also did notice is that you NAT everything.

ip nat inside source list 102 interface FastEthernet0/0 overload

access-list 102 permit ip any any

and also want everything to be sent through tunnel.

crypto map aesmap 10 ipsec-isakmp
set peer XXX.XX.XX.XXX
set transform-set AES-SET
match address acl_vpn

ip access-list extended acl_vpn
permit ip any any

That's sort of odd. Please remember that NAT is done before encryption, so you will NAT ALL your traffic before it gets to the tunnel.

I have my doubts if the other side will accept any any as proxy ID... I would try to be as specific as I can.

Does CradlePoint have a public IP which is statically assigned, or also dynamic?

I would like to have a look at the headend device too, I'm curious how it's configured. And look at debugs from both sides:

- deb cry isa

- deb cry ipsec

Marcin

As far as NAT goes I turn it off when I turn my crypto map on. Everything works great when I have a public IP address such as from a DSL or cable modem. The CradlePoint has a public IP dynamically assigned (166.XX.XX.XX), and I have the address that it gives my router in the CradlePoint's DMZ, so I am assuming it should be passing all TCP and UDP traffic to my router, to include UDP 4500? Also the CradlePoint has a Layer 7 service that handles IPSec traffic passthrough, I think called AGL or something like that (I have tested with it turned on and off). As I mentioned before my setup currently uses a SonicWall TZ 100 for the router and it hooks up to the CradlePoint fine and builds a tunnel and works flawlessly. With that said we would really like to rebuild 10 of our kits to replace the SonicWall (and its GUI interface) with Cisco 3950 routers. So my thought process is that if the SonicWall can communicate with the VPN router, which is a Cisco 2800 series router, then I should be able to switch it out with a Cisco router and configure it to work just as well if not better than the SonicWall, as I now would have two Cisco products talking to each other. I think right now my mind is stuck at this: my traffic is leaving my router with a source address of 192.168.0.1 and dest address of XXX.XX.XX.XX, the traffic gets to the VPN router and can not come back to the private source address, and it sounds like the NAT-T service that you informed me of is designed just for this reason? I want to thank you for taking time out of your day to communicate with me and provide me with some of your knowledge.

Brandon,

NAT-T was designed to overcome NAT/PAT issues known in IPv4 world.

The big problem is that if you have one public IPv4 address you will have to run PAT. ESP/AH packets do not have a port number so they cannot be PATed. For this we encapsulate the IPsec payload inside udp/4500 packets.

That being said some vendors overcome this problem differently but it's not THE standard way.

Your headend should see you as the public IP of the internet-facing device.

I agree that both SonicWall and IOS should work with another IOS. At the same time, it's hard to say what's going on in the middle.

I would say, if possible, log a TAC case; the guys will be able to view your configs and troubleshoot the issue when it's there. Those types of threads on forums can go on for a very long time ;-)

Marcin

Marcin,

I just wanted to post an update on here just in case anyone else was viewing and was having the same problem. The issue was with NAT-T and the fix was to simply add the following statement: "crypto ipsec nat-transparency spi-matching". By default the "crypto ipsec nat-transparency udp-encapsulation" is the only NAT-T command enabled. All my tests so far were with my Cisco router added to the DMZ of the device performing NAT. Again, thanks!

Brandon
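Pulling the thread's three points together (enabling NAT-T including the spi-matching keyword Brandon ended on, narrowing the crypto ACL as Marcin suggested instead of "permit ip any any", and exempting tunnel traffic from PAT because NAT runs before encryption), here is an added IOS configuration example. It is not Brandon's posted config or anything from Cisco; all addresses are placeholders: 203.0.113.16/28 stands in for the masked Vlan1 block, 198.51.100.1 for the headend peer, 10.0.0.0/8 for the company network behind it, and 192.168.0.1 for the CradlePoint's LAN gateway. The ACL name NAT_EXEMPT is an assumption.

```cisco
! Added example, not from the original thread. Placeholder addresses:
! 203.0.113.16/28 = kit LAN on Vlan1, 198.51.100.1 = headend peer,
! 10.0.0.0/8 = company network, 192.168.0.1 = CradlePoint LAN gateway.
!
! 1. NAT-T. udp-encapsulation is on by default; spi-matching is the keyword
!    the thread's fix needed. nat keepalive keeps the CradlePoint's PAT entry
!    for udp/4500 alive while the tunnel is idle.
crypto ipsec nat-transparency udp-encapsulation
crypto ipsec nat-transparency spi-matching
crypto isakmp nat keepalive 20
!
! 2. Narrow the crypto ACL to the interesting traffic. "permit ip any any"
!    pulls every packet leaving Fa0/0 into the crypto map (including the
!    router's own DHCP client exchange on that interface) and offers the
!    headend a 0.0.0.0/0 proxy ID it is unlikely to accept.
ip access-list extended acl_vpn
 permit ip 203.0.113.16 0.0.0.15 10.0.0.0 0.255.255.255
!
! 3. NAT exemption. NAT is applied before encryption, so without the deny line
!    tunnel-bound traffic would be translated to the Fa0/0 address first and
!    either no longer match acl_vpn (and leave in the clear) or reach the
!    headend with a source its proxy ID does not cover.
ip access-list extended NAT_EXEMPT
 deny   ip 203.0.113.16 0.0.0.15 10.0.0.0 0.255.255.255
 permit ip 203.0.113.16 0.0.0.15 any
!
no ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source list NAT_EXEMPT interface FastEthernet0/0 overload
!
! 4. NAT and the crypto map stay on Fa0/0 together; the crypto map no longer
!    has to be removed to get a DHCP lease on the WAN side.
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 crypto map aesmap
!
interface Vlan1
 ip nat inside
!
! 5. Default route via the CradlePoint's LAN address rather than via the
!    multi-access interface (Marcin's proxy-ARP point).
no ip route 0.0.0.0 0.0.0.0 dhcp
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! Verification: once NAT-T is negotiated, "show crypto isakmp sa" should show
! QM_IDLE instead of MM_KEY_EXCH, and "show crypto ipsec sa" should list the
! remote endpoint on port 4500 with non-zero encaps/decaps counters.
```

The crypto map body (peer, transform set, match address acl_vpn) is unchanged from the posted config and is not repeated here. The headend still has to mirror the narrowed crypto ACL in its own proxy IDs, which is why Marcin asked to see both sides' configs and "debug crypto isakmp" / "debug crypto ipsec" output.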