
NAT-Traversal between NAT'ed 1721 and VPN 3030 concentrator

jurrien
Level 1

Hi,

I would like to know if someone has any experience with the NAT-traversal support for IPsec in the new IOS releases. I'm having rather strange TCP/IP connection problems that look like IP fragmentation issues.

This is my situation. At our main hub in The Netherlands, I have a VPN 3030 concentrator (version 3.6.3.Rel) behind a PIX-515 firewall. In Spain a 1721 router (IOS 12.2-13.T) is used behind a Speedstream ADSL solution with NAT and PAT port mapping (like TCP500 and UDP4500) to the 1721.

The problem occurs when an application in Spain tries to set up a connection to a server in The Netherlands: most of the connections die after sending a few KB of data.

I've changed the Public Interface IPSec Fragmentation Policy on the VPN 3030 concentrator to "Fragment prior to IPSec encapsulation with Path MTU Discovery (ICMP)", but this has no effect. Choosing the last option, "Fragment prior to IPSec encapsulation without Path MTU Discovery (Clear DF bit)", doesn't have any effect either.

Other IPsec tunnels to 1721, 1720, PIX firewalls and SonicWalls still work without any problems as long as those devices are not behind a NAT'ed Internet connection.

Please let me know when you have any clue. Many thanks in advance!

Best regards,

Jurrien Wijlhuizen
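The "dies after a few KB" symptom above is what a path MTU black hole looks like once a tunnel is NAT-traversed: the extra UDP header on top of ESP pushes full-size packets over the ADSL link MTU, and if the DF bit is set and the ICMP "fragmentation needed" reply never reaches the sender, only small packets get through. The following added example (not part of the original post, and not Cisco code) computes the encapsulated size of a tunnel-mode ESP packet with and without NAT-T UDP encapsulation and derives the largest inner packet, and hence the TCP MSS, that fits a given link MTU. The cipher and authenticator sizes and the 1492-byte PPPoE MTU used as sample input are assumptions; check them against the transform actually negotiated on your tunnel.

```python
import math

# Header sizes for tunnel-mode ESP over IPv4 (assumed typical values).
OUTER_IP = 20
UDP_NAT_T = 8          # UDP 4500 encapsulation added by NAT-T
ESP_SPI_SEQ = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
ESP_ICV = 12           # HMAC-MD5-96 / HMAC-SHA1-96 truncated authenticator
INNER_IP = 20          # inner IPv4 header (tunnel mode)
TCP_HDR = 20           # TCP header without options

# (cipher block size, IV length) for CBC-mode ciphers an IOS 12.2T / 3.6 concentrator
# would negotiate. Padding is applied up to the block size.
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def esp_udp_packet_size(inner_len, cipher="3des-cbc", nat_t=True):
    """Size on the wire of an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation, optionally wrapped in a NAT-T UDP header."""
    block, iv_len = CIPHERS[cipher]
    # payload + pad length + next header is padded up to a multiple of the block size
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    udp = UDP_NAT_T if nat_t else 0
    return OUTER_IP + udp + ESP_SPI_SEQ + iv_len + encrypted + ESP_ICV


def max_inner_packet(link_mtu, cipher="3des-cbc", nat_t=True):
    """Largest inner IP packet whose encapsulated form still fits link_mtu
    without fragmenting the outer packet."""
    for inner_len in range(link_mtu, 0, -1):
        if esp_udp_packet_size(inner_len, cipher, nat_t) <= link_mtu:
            return inner_len
    return 0


def tcp_mss_clamp(link_mtu, cipher="3des-cbc", nat_t=True):
    """TCP MSS to advertise (or clamp to) so that full-size segments never
    need fragmentation after encapsulation."""
    return max_inner_packet(link_mtu, cipher, nat_t) - INNER_IP - TCP_HDR


def would_black_hole(inner_len, link_mtu, cipher="3des-cbc", nat_t=True):
    """True if a DF-marked inner packet of this size cannot traverse the link
    once encapsulated: it is dropped unless the sender learns the smaller MTU
    via ICMP or the encapsulator clears DF and fragments."""
    return esp_udp_packet_size(inner_len, cipher, nat_t) > link_mtu


if __name__ == "__main__":
    # Sample input (constructed): a PPPoE ADSL link with a 1492-byte MTU.
    LINK_MTU = 1492
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(f"{cipher:9s} nat_t={nat_t!s:5s} "
                  f"max inner packet={max_inner_packet(LINK_MTU, cipher, nat_t)} "
                  f"mss={tcp_mss_clamp(LINK_MTU, cipher, nat_t)}")
    # A 1500-byte TCP segment with DF set never fits once NAT-T is in play.
    print("1500-byte inner packet black-holed:", would_black_hole(1500, LINK_MTU))
```

Small interactive traffic (the first few KB of a connection, before the window opens up and full-size segments appear) fits under the reduced MTU, which is why a session looks healthy and then stalls. Clearing DF on the concentrator only helps for packets the concentrator encapsulates; a black hole between the 1721 and the ADSL modem needs the MSS clamped on the router side as well.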

1 Reply

mchin345
Level 6

I think this problem is documented as Bug CSCdz26371. What is (probably) happening is that when the client connects to the concentrator using NAT traversal, the concentrator thinks that it's behind a NATed device as well. The outcome of this is that the concentrator sends out packets to the wrong destination port and these get dropped. I guess the way out might be to rollback to your previous IOS release for now.
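The "thinks it's behind a NATed device as well" diagnosis in the reply comes down to NAT discovery: each IKE peer sends two NAT-D payloads, HASH(CKY-I | CKY-R | IP | Port) over the address it believes it is sending to and the address it believes it is sending from (RFC 3947), and the receiver recomputes both from what it actually sees on the wire. A mismatch on the peer's source hash means the peer is behind NAT; a mismatch on the destination hash means the receiver itself is. Whichever side concludes "NAT present" floats to UDP 4500, so a wrong conclusion sends traffic to a port the other side is not listening on. The example below is added here and is not from the original thread or any Cisco device; it implements that check with constructed cookies and RFC 5737 documentation addresses, and the SHA-1 hash is assumed to be the negotiated IKE hash.

```python
import hashlib
import ipaddress
import struct

# Constructed scenario (not from the original post). The remote router sees itself as
# 192.168.1.10 behind the ADSL NAT; the concentrator sees its packets arrive from the
# NAT's public address 203.0.113.5. The concentrator is directly on 198.51.100.20.
ROUTER_PRIVATE = ("192.168.1.10", 500)
ROUTER_PUBLIC = ("203.0.113.5", 500)
CONCENTRATOR = ("198.51.100.20", 500)

# Constructed ISAKMP initiator/responder cookies; both peers use the same pair.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    IP is the 4-byte packed address, Port a big-endian 16-bit value."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d_payloads(cky_i, cky_r, my_addr, peer_addr):
    """What a peer puts in its IKE message: first the hash of the address it
    thinks it is sending TO, then the hash of the address it believes it is
    sending FROM. NAT in the path rewrites the packet but not these hashes."""
    return {
        "dst": nat_d(cky_i, cky_r, *peer_addr),
        "src": nat_d(cky_i, cky_r, *my_addr),
    }


def detect_nat(cky_i, cky_r, received, observed_src, my_addr):
    """Receiver side of NAT discovery.
    received     - the peer's NAT-D pair as carried in the IKE message
    observed_src - (ip, port) the UDP packet actually arrived from
    my_addr      - the receiver's own (ip, port) on the interface that got it"""
    peer_behind_nat = received["src"] != nat_d(cky_i, cky_r, *observed_src)
    local_behind_nat = received["dst"] != nat_d(cky_i, cky_r, *my_addr)
    return {"peer_behind_nat": peer_behind_nat, "local_behind_nat": local_behind_nat}


def next_port(result):
    """Port to use for the rest of the exchange and for UDP-encapsulated ESP:
    float to 4500 as soon as either side is found to be behind NAT."""
    return 4500 if (result["peer_behind_nat"] or result["local_behind_nat"]) else 500


if __name__ == "__main__":
    # Router -> concentrator: the router hashes its private address, the packet
    # is NATed, the concentrator sees it from the public address.
    from_router = build_nat_d_payloads(CKY_I, CKY_R, ROUTER_PRIVATE, CONCENTRATOR)
    at_concentrator = detect_nat(CKY_I, CKY_R, from_router, ROUTER_PUBLIC, CONCENTRATOR)
    print("concentrator view:", at_concentrator, "-> port", next_port(at_concentrator))

    # Concentrator -> router: the concentrator hashes the public address it
    # replies to; the router, knowing only its private address, sees a mismatch
    # on the destination hash and learns that it is the one behind NAT.
    from_conc = build_nat_d_payloads(CKY_I, CKY_R, CONCENTRATOR, ROUTER_PUBLIC)
    at_router = detect_nat(CKY_I, CKY_R, from_conc, CONCENTRATOR, ROUTER_PRIVATE)
    print("router view:      ", at_router, "-> port", next_port(at_router))
```

In the healthy case the concentrator's own result is `peer_behind_nat=True, local_behind_nat=False`: it keeps listening on UDP 500 for IKE from un-NATed peers and expects the NATed router's ESP on UDP 4500. A concentrator that wrongly concludes `local_behind_nat=True` behaves as if its own address had been translated, which is the condition the reply describes: its outgoing packets are sent to a port the far end's NAT mapping does not forward, and they are dropped.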