L2TP/IPSec against NAT

stefano
Level 1

I'm having a hard time getting an L2TP/IPsec VPN to work between a client and a PIX with a NAT router in the middle.

Let's say that I'm starting from this situation: http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml, even simplified, since there are no certificates around but only a preshared key.

As long as there is no NAT around, everything works perfectly.

Then I introduce NAT between the client and the PIX. To be precise, I put the client behind a NATting router.

After reading the manuals, I added 'isakmp nat-traversal', and I thought that it might work, but no success.

I'm thinking that it may be something around this point in the configuration:

!--- ACL configured to Permit L2TP traffic (UDP port 1701).

access-list l2tp permit udp host 171.68.9.57 any eq 1701

also because the errors I receive are about 'proxy identities not supported' and then something about 'Reserved Not Zero on Payload 8'.

So I tried adding UDP port 4500, but again no success.

Any hint?

Thanks

2 Replies

drolemc
Level 6

I came across bug CSCee90224, 'Phase1 fails with MS L2TP-IPsec client /w NAT-T', which seems to be the problem you are running into. You could follow it and see how things develop.

falain
Level 1

Like you, I have tried to connect an XP IPsec/L2TP VPN client to a Cisco VPN gateway.

You must patch your XP VPN client with the NAT-T KB patch.

As long as you have no NAT (i.e. ESP only), it works perfectly.

But when you have any NATting device (i.e. ESP encapsulated in UDP/4500), it doesn't work.

IPsec debugs show a 0x800 flags error when trying to establish SAs during IKE phase II.

The problem is the same with certificates or preshared keys.

I think that usage of transport mode instead of tunnel mode is the main reason.

In transport mode, only the payload data is encrypted in ESP, not the IP headers.

When going through NAT devices, the IP headers change, but the encrypted data payload can't be recomputed.

With tunnel mode, the whole IP packet is encrypted in ESP and a new IP header is added. Then the NAT, when it adds the UDP/4500 header, doesn't modify the client IP packet's integrity.

I don't know if there is a way to use tunnel mode instead of transport mode with the XP VPN client.
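The transport-versus-tunnel-mode argument in the reply above, worked through as an added example that is not part of the original thread and not Cisco, PIX or Windows code. It models ESP as a bare SPI + sequence header in front of cleartext data (no cipher, no ICV), frames it in UDP port 4500 the way RFC 3948 does (a four-zero-byte non-ESP marker distinguishes IKE from ESP on that port), rewrites the outer header the way a NAT router would, and then checks the inner L2TP (UDP 1701) checksum at the gateway. The addresses 192.168.1.10 (client), 203.0.113.7 (NAT outside) and 198.51.100.1 (gateway) and every port are constructed. One caveat the model deliberately ignores: RFC 3948 section 3.1.2 tells a transport-mode receiver to either recompute the inner checksum from the original addresses (carried in IKE NAT-OA payloads) or skip verifying it, which is how a NAT-T-aware stack gets around exactly the failure shown here.

```python
"""
Why NAT breaks transport-mode IPsec but not tunnel mode, with RFC 3948 UDP/4500 framing.
Added example for this thread: not Cisco, PIX or Windows code. ESP is modelled as
SPI + sequence number in front of cleartext data (no cipher, no ICV) because the
point is the inner checksum, not encryption. All addresses and ports are constructed.
"""
import struct

NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on port 4500 starts with four zero bytes
CLIENT_PRIV = "192.168.1.10"           # client on the private side of the NAT (constructed)
NAT_PUBLIC = "203.0.113.7"             # NAT router's outside address (constructed)
GATEWAY = "198.51.100.1"               # IPsec gateway's outside address (constructed)


def csum(data: bytes) -> int:
    """Ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def udp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload; the checksum covers a pseudo-header holding the IP addresses (RFC 768)."""
    length = 8 + len(payload)
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 17, length)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    c = csum(pseudo + hdr + payload) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, c) + payload


def udp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Verify a UDP segment against the addresses the receiver believes it travelled between."""
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 17, len(segment))
    return csum(pseudo + segment) == 0


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header with header checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:]
    return hdr + payload


def esp_wrap(spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """Toy ESP: SPI, sequence, protected data, trailing Next Header byte (17 = UDP, 4 = IP-in-IP)."""
    return struct.pack("!II", spi, seq) + inner + bytes([next_header])


def natt_encap(outer_src: str, outer_dst: str, sport: int, body: bytes) -> bytes:
    """RFC 3948 UDP encapsulation: ESP (or marker + IKE) carried in UDP to port 4500."""
    return ipv4_packet(outer_src, outer_dst, 17, udp_segment(outer_src, outer_dst, sport, NATT_PORT, body))


def nat_rewrite(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """What the NAT router does: rewrite the outer source IP/port and fix only the outer checksums."""
    dst = ip_str(pkt[16:20])
    dport = struct.unpack("!H", pkt[22:24])[0]
    return ipv4_packet(new_src, dst, 17, udp_segment(new_src, dst, new_sport, dport, pkt[28:]))


def gateway_receive(pkt: bytes):
    """Strip outer IP/UDP and classify port-4500 content. Returns (kind, outer_src, outer_dst, inner, next_header)."""
    outer_src, outer_dst = ip_str(pkt[12:16]), ip_str(pkt[16:20])
    body = pkt[28:]
    if body[:4] == NON_ESP_MARKER:
        return "ike", outer_src, outer_dst, body[4:], None
    return "esp", outer_src, outer_dst, body[8:-1], body[-1]


def l2tp_over_natt(mode: str, behind_nat: bool) -> bool:
    """Client sends one L2TP (UDP 1701) datagram to the gateway in the given IPsec mode.
    Returns whether the inner UDP checksum still verifies at the gateway."""
    l2tp = udp_segment(CLIENT_PRIV, GATEWAY, 1701, 1701, b"L2TP SCCRQ")  # checksum is bound to the private IP
    if mode == "transport":
        esp = esp_wrap(0x1001, 1, l2tp, 17)                                # only the UDP segment is protected
    else:
        esp = esp_wrap(0x1001, 1, ipv4_packet(CLIENT_PRIV, GATEWAY, 17, l2tp), 4)  # whole IP packet protected
    pkt = natt_encap(CLIENT_PRIV, GATEWAY, NATT_PORT, esp)
    if behind_nat:
        pkt = nat_rewrite(pkt, NAT_PUBLIC, 40001)
    _, osrc, odst, inner, nh = gateway_receive(pkt)
    if nh == 17:
        # transport mode: the only IP addresses the gateway has are the outer (NATed) ones
        return udp_checksum_ok(osrc, odst, inner)
    # tunnel mode: the original IP header travelled inside ESP, untouched by the NAT
    return udp_checksum_ok(ip_str(inner[12:16]), ip_str(inner[16:20]), inner[20:])


def ike_over_natt_kind() -> str:
    """IKE on port 4500 is told apart from ESP by the non-ESP marker, NAT or not."""
    pkt = nat_rewrite(natt_encap(CLIENT_PRIV, GATEWAY, NATT_PORT, NON_ESP_MARKER + b"IKE"), NAT_PUBLIC, 40001)
    return gateway_receive(pkt)[0]


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for nat in (False, True):
            print(f"{mode:9} nat={nat!s:5} inner checksum ok: {l2tp_over_natt(mode, nat)}")
    print("port 4500 datagram with marker classified as:", ike_over_natt_kind())
```

Running it shows the four combinations: transport mode verifies without NAT and fails behind NAT, tunnel mode verifies in both cases, which is the reply's point in concrete bytes. L2TP/IPsec as specified in RFC 3193 runs in transport mode, so a real NAT-T peer has to apply the RFC 3948 checksum fix-up rather than switch modes.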