10-07-2010 10:58 AM - edited 02-21-2020 04:53 PM
I am trying to establish a Site-to-Site IPSec VPN back to my company's network. I am using a Cisco 2811. If I plug in a Public IP WAN connection my tunnel passes traffic with no problem, however if I put say a home router in the middle where the 2811 is pulling a private IP from the home router I no longer get a successful tunnel. Any suggestions?
I have the following statements.
FA 0/0
IP ADDRESS DHCP
CRYPTO MAP AESMAP
VLAN 1
IP ADDRESS XX.XX.XX.XX 255.255.255.240 (Public IP)
IP ROUTE 0.0.0.0 0.0.0.0 FA 0/0
If it helps clarify, the "home router" is a CradlePoint (CRT500) that takes the Mobile 3G and sends it out an ethernet port into the WAN port of my router. The setup stays mobile and I rarely get the chance to have a public IP for my WAN. Currently I use a SonicWall TX 100 router that allows me to VPN back to my company's network. We are hoping to move all our mobile kits to cisco products but need to find a solution before that change can happen.
If I do "Show IP Crypto ISAKMP SA" it shows: XX.XX.XX.XX (PUBLIC) <> 192.168.0.1 Active.
My thoughts are that my TCP 500 traffic makes it to the VPN router and when the VPN router sends traffic back to the address it has the SA with it goes nowhere because it is a private ip address. From my limited knowledge of how the VPN works I think that during Phase 1 two addresses have to "bind" and NAT cannot be used with VPN? But I hold out hope that this could be a somewhat fairly common issue and there is a procedure in place to get around it, or maybe I just have a bad configuration or IP route....
When I turn crypto map off on the FA 0/0 and add NAT to the FA 0/0 and VLAN 1 plus change my IP Route to "0.0.0.0 0.0.0.0 192.168.0.1" I get great non-vpn connectivity. Also I have set the address my FA 0/0 gets to the DMZ of the Cradlepoint.
Thanks for any help anyone can provide!
10-07-2010 12:15 PM
Brandon,
It's a little bit messy what you describe ;-)
If it works when on public WAN and doesn't work when "hidden" behind another device I would start by checking if nat traversal is enabled on both ends of the tunnel. If not, enable it.
I'm not sure if cradlepoint has any L7 capabilities or can inspect payload of IKE/ESP for SPI numbers...
"IP ROUTE 0.0.0.0 0.0.0.0 FA 0/0" is bad - you will proxy arp for every single IP ;/ Fa is not a point to point link.
Marcin
10-07-2010 09:30 PM
Thanks for the response. I am really hoping to get a better understanding of how this all works.
(My Router )--Private IP Network->(CTR500)---public--->(((INTERNET)))<---public---(VPN Router)<----public----(Company Network)
Here is my router's config with the crypto map off. With the crypto map on I just remove the nat statements from the interfaces and add the crypto map aesmap statement to fa 0/0. I must do this because of my need to have dhcp and I get no dhcp with the crypto map on. Also you will see I changed my ip route from fa 0/0 to dhcp, is this the best way to have my IP route?
Current configuration : 1917 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Kit7
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address XX.XX.XX.XX XX.XX.XX.XX
!
ip dhcp pool DHCP_KIT_7
network XXX.XXX.XXX.XXX 255.255.255.240
dns-server XXX.XXX.XX.XX 8.8.8.8
default-router XXX.XXX.XXX.XXX lease 3
!
!
no ip domain lookup
ip domain name XXXXXXX.XXX.XXXXX.XXXXX
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
username ******* privilege 15 password 0 ********
username ******* privilege 15 password 0 ********
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key ******** address XXX.XXX.XX.XX
!
!
crypto ipsec transform-set AES-SET esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer XXX.XX.XX.XXX
set transform-set AES-SET
match address acl_vpn
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface Vlan1
ip address XX.XX.XX.XX 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
!
ip access-list extended acl_vpn
permit ip any any
!
access-list 1 permit XXX.XX.0.0 0.0.255.255
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
password cisco
login
!
end
NAT Traversal, I have tried to do some google searching but to not much avail, can anyone point me to some documents that can help explain what it is and how it will work in my situation?
Kit7#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
XXX.XXX.XXX.XXX 192.168.0.196 MM_KEY_EXCH 1005 0 ACTIVE
XXX.XXX.XXX.XXX 192.168.0.196 MM_KEY_EXCH 1004 0 ACTIVE
XXX.XXX.XXX.XXX 192.168.0.196 MM_NO_STATE 1003 0 ACTIVE (deleted)
XXX.XXX.XXX.XXX 192.168.0.196 MM_NO_STATE 1002 0 ACTIVE (deleted)
Kit7#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: aesmap, local addr 192.168.0.196
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer XXX.XXX.XXX.XXX port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 349, #recv errors 0
local crypto endpt.: 192.168.0.196, remote crypto endpt.: XXX.XXX.XXX.XXX
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
10-08-2010 12:58 AM
Brandon,
Re NAT-T
Re. route:
Normally default gateway has a static even if RFC 1918 IP. So pointing default route through that IP is best.
Your tunnels are stuck in MM KEY EXCHANGE - i.e. mainmode 5 and mainmode 6 so no IPsec SPI will be up yet, it still needs to finish IKE.
Two main things are done in MM5 and MM6:
- floating to nat-traversal port (udp/4500)
- exchanging keys
Please check if cradle point passes udp/4500 and if keys match on both sides of the tunnel.
One thing I also did notice is that you nat everything.
ip nat inside source list 102 interface FastEthernet0/0 overload
access-list 102 permit ip any any
and also want everything to be sent through tunnel.
crypto map aesmap 10 ipsec-isakmp
set peer XXX.XX.XX.XXX
set transform-set AES-SET
match address acl_vpn
ip access-list extended acl_vpn
permit ip any any
That's sort of odd. Please remember that NAT is done before encryption so you will nat ALL your traffic before it gets to tunnel.
I have my doubts if the other side will accept any any as proxy ID... I would try to be as specific as I can.
Does cradlepoint have public IP which is statically assigned or also dynamic?
I would like to have a look at headend device too, I'm curious how it's configured. And look at debugs from both sides:
- deb cry isa
- deb cry ipsec
Marcin
10-08-2010 05:47 AM
As far as NAT goes I turn it off when I turn my crypto map on. Everything works great when I have a public IP address such as from dsl or cable modem. The cradlepoint has a public IP dynamically assigned (166.XX.XX.XX), and I have the address that it gives my router in the cradlepoint's DMZ so I am assuming it should be passing all TCP and UDP traffic to my router to include UDP 4500? Also the cradlepoint has a Layer 7 service that handles IPSec traffic passthrough I think called AGL or something like that (I have tested with it turned on and off). As I mentioned before my setup currently uses a Sonicwall TZ 100 for the router and it hooks up to the cradlepoint fine and builds a tunnel and works flawlessly. With that said we would really like to rebuild 10 of our kits to replace the sonicwall (and its gui interface) with cisco 3950 routers. So my thought process is that if the sonicwall can communicate with the VPN router which is a cisco 2800 series router that I should be able to switch it out with a cisco router and configure it to work just as well if not better than the Sonicwall as I now would have two cisco products talking to each other. I think right now my mind is stuck at that my traffic is leaving my router with a source address of 192.168.0.1 and dest address of XXX.XX.XX.XX, the traffic gets to the VPN router and cannot come back to the private source address and it sounds like the NAT-T service that you informed me of is designed just for this reason? I want to thank you for taking time out of your day to communicate with me and provide me with some of your knowledge.
10-08-2010 05:57 AM
Brandon,
NAT-T was designed to overcome NAT/PAT issues known in IPv4 world.
The big problem is that if you have one public IPv4 address you will have to run PAT. ESP/AH packets do not have a port number so they cannot be PATed. For this we encapsulate IPsec payload inside udp/4500 packets.
That being said some vendors overcome this problem differently but it's not THE standard way.
Your headend should see you as PublicIP of internet facing device.
I agree, that both sonicwall and IOS should work with another IOS. At the same time, it's hard to say what's going on in the middle.
I would say if possible, log a TAC case, the guys will be able to view your configs and able to troubleshoot the issue when it's there. Those types of threads on forums can go on for a very long time ;-)
Marcin
10-17-2010 12:57 AM
Marcin,
I just wanted to post an update on here just in case anyone else was viewing and was having the same problem. The issue was with NAT-T and the fix was to simply add the following statement "crypto ipsec nat-transparency spi-matching". By default the "crypto ipsec nat-transparency udp-encapsulation" is the only NAT-T command enabled. All my tests so far were with my cisco router added to the DMZ of the device performing NAT. Again, thanks!
Brandon
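The udp/4500 encapsulation Marcin describes, and the SPI that a NAT device can key on when it inspects ESP, as an added example that is not part of this thread or of any Cisco code: a small demultiplexer that classifies what arrives on port 4500 (RFC 3947/3948 framing). The packets it is fed are constructed inline, not captures.

```python
# Added example: demultiplexing NAT-T traffic on udp/4500 the way a NAT-T
# aware peer does. IKE floating to 4500 is prefixed with a 4-byte zero
# "non-ESP marker"; UDP-encapsulated ESP starts directly with its SPI
# (never zero), so the first four bytes tell the two apart; a single 0xFF
# byte is the NAT keepalive that holds the PAT binding open.
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ISAKMP_HDR = "!8s8sBBBBII"   # ISPI, RSPI, next payload, version, exchange, flags, msg id, length
IKEV1_MAIN_MODE = 2          # identity protection exchange (MM1..MM6 in the debugs above)


def classify_natt(payload: bytes) -> dict:
    """Return what the UDP/4500 payload carries: keepalive, IKE or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        raise ValueError("too short for ESP (SPI + sequence) or IKE")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:
            raise ValueError("truncated ISAKMP header")
        ispi, rspi, _np, ver, exch, _flags, _msgid, length = struct.unpack(ISAKMP_HDR, ike[:28])
        return {"kind": "ike", "version": ver >> 4, "exchange": exch,
                "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(), "length": length}
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    # The SPI is the only per-flow key a NAT device has for ESP; plain IP proto 50
    # carries no port, which is why it cannot be PATed without this UDP wrapper.
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed samples (not real traffic): an IKEv1 main-mode header with an
# initiator cookie only (responder still zero, as in MM1), and an ESP packet
# with SPI 0x12345678, sequence 1 and 16 bytes of opaque ciphertext.
CONSTRUCTED_IKE_MM1 = NON_ESP_MARKER + struct.pack(
    ISAKMP_HDR, b"\x11" * 8, b"\x00" * 8, 1, 0x10, IKEV1_MAIN_MODE, 0, 0, 28)
CONSTRUCTED_ESP = struct.pack("!II", 0x12345678, 1) + b"\xab" * 16


def demux_samples() -> list:
    """Classify the constructed datagrams in the order a peer might see them."""
    return [classify_natt(p)["kind"]
            for p in (CONSTRUCTED_IKE_MM1, NAT_KEEPALIVE, CONSTRUCTED_ESP)]


if __name__ == "__main__":
    for pkt in (CONSTRUCTED_IKE_MM1, NAT_KEEPALIVE, CONSTRUCTED_ESP):
        print(classify_natt(pkt))
```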