need to disable ipsec nat-t on router

03-11-2009 10:02 AM - edited 02-21-2020 04:10 PM
All,
I need to run IPsec in ESP. What is the command to disable NAT-T on a router? I have tried "no crypto ipsec nat-transparency udp-encaps" but still see packets in UDP 4500.
Thanks,
Labels: IPSEC
03-11-2009 11:51 AM
That command disables it; however, what it disables is the router replying back on UDP 4500. If the remote party (peer or client) has this feature enabled and NAT is found on the path, then it will still receive those packets.

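As an added illustration (not code from this thread or from Cisco), the following script shows how to tell from a packet capture which side is still sending NAT-T encapsulation after the command above has been applied. It parses IPv4 packets and labels native ESP (IP protocol 50) separately from UDP/4500 traffic, using the RFC 3948 conventions for UDP-encapsulated ESP (non-zero SPI first), IKE over 4500 (four-byte zero non-ESP marker) and the one-byte 0xFF keepalive. The peer addresses, SPIs and packets are constructed here for the example; headers are assumed to be IPv4 without options.

```python
import struct
from collections import defaultdict

ESP_PROTO = 50      # native ESP is IP protocol 50
UDP_PROTO = 17
ISAKMP_PORT = 500   # IKE before NAT-T detection
NATT_PORT = 4500    # IKE and ESP after NAT-T detection (RFC 3947 / RFC 3948)


def classify_udp4500_payload(payload: bytes) -> str:
    """Label a UDP/4500 datagram by its payload, following RFC 3948."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return "natt-keepalive"           # single 0xFF byte keeps the NAT mapping alive
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike-over-udp4500"         # 4-byte zero non-ESP marker, IKE header follows
    if len(payload) >= 8:
        return "esp-in-udp"               # ESP header: non-zero SPI, then sequence number
    return "unknown"


def parse_packet(raw: bytes) -> dict:
    """Minimal IPv4 parse: enough to see ESP vs UDP ports (IPv4 only, assumed)."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    info = {"src": src, "dst": dst, "proto": proto}
    if proto == ESP_PROTO:
        info["kind"] = "esp-native"
        info["spi"] = struct.unpack("!I", raw[ihl:ihl + 4])[0]
    elif proto == UDP_PROTO:
        sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
        payload = raw[ihl + 8:ihl + ulen]
        info.update(sport=sport, dport=dport)
        if NATT_PORT in (sport, dport):
            info["kind"] = classify_udp4500_payload(payload)
        elif ISAKMP_PORT in (sport, dport):
            info["kind"] = "ike-udp500"
        else:
            info["kind"] = "other-udp"
    else:
        info["kind"] = "other"
    return info


def summarize(packets):
    """Count encapsulation kinds per (src, dst) pair."""
    counts = defaultdict(lambda: defaultdict(int))
    for raw in packets:
        p = parse_packet(raw)
        counts[(p["src"], p["dst"])][p["kind"]] += 1
    return {pair: dict(kinds) for pair, kinds in counts.items()}


def natt_in_use(summary) -> bool:
    """True if any peer is sending IKE or ESP inside UDP/4500."""
    return any(k in ("esp-in-udp", "ike-over-udp4500")
               for kinds in summary.values() for k in kinds)


def natt_senders(summary):
    """Source addresses that still emit NAT-T encapsulated traffic."""
    return sorted({src for (src, _), kinds in summary.items()
                   if "esp-in-udp" in kinds or "ike-over-udp4500" in kinds})


# --- constructed sample packets (not a real capture) ---------------------
def build_ipv4(src, dst, proto, payload):
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, to_bytes(src), to_bytes(dst))   # checksum left zero
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLE_PACKETS = [
    # local router sends native ESP (SPI 0x1234ABCD, seq 1)
    build_ipv4("10.0.0.1", "192.0.2.1", ESP_PROTO,
               struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),
    # remote peer, behind NAT with NAT-T on, answers with ESP in UDP/4500
    build_ipv4("192.0.2.1", "10.0.0.1", UDP_PROTO,
               build_udp(4500, 4500, struct.pack("!II", 0x9ABCDEF0, 7) + b"\x00" * 16)),
    build_ipv4("192.0.2.1", "10.0.0.1", UDP_PROTO, build_udp(4500, 4500, b"\xff")),
    build_ipv4("10.0.0.1", "192.0.2.1", UDP_PROTO, build_udp(500, 500, b"\x00" * 28)),
    build_ipv4("192.0.2.1", "10.0.0.1", UDP_PROTO,
               build_udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x00" * 28)),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_PACKETS)
    for pair, kinds in s.items():
        print(pair, kinds)
    print("NAT-T in use:", natt_in_use(s), "senders:", natt_senders(s))
```

In the constructed sample the local side (10.0.0.1) sends only native ESP while the remote peer keeps sending UDP/4500, which is exactly the situation the reply describes: the local setting stops this router from encapsulating, but it cannot stop a NAT-T-enabled peer from doing so.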
03-11-2009 01:27 PM
Thanks for your reply. I have both sides configured with "no crypto ipsec nat-transparency udp-encaps". Still seeing UDP 4500. There are two NAT devices in the path.
03-11-2009 01:29 PM
This command disables the feature, please get the output of the show crypto ipsec sa and the debug cry isakmp.
01-26-2010 07:48 PM
Hi yuhuiyao,
I have similar intentions in my network, but when I tried it in lab testing I still got IPSec packets encrypted and the tunnel built up even though I disabled ipsec nat-transparency on both routers. I tried a different router model and still got IPSec packets encrypted. You can see my scenario in this simple network diagram:
Note: my ios 12.2 does not have nat-t support yet
Test 1:
R7(ios 12.2)--------------------(R3-nat device)-----------------------R8(ios 12.2) Result: IPSec tunnel is established
Test 2: (typed no crypto ipsec nat-transparency udp-encaps on both IPSec ends)
R1(ios 12.4)--------------------(R7-nat device)-----------------------R3(ios 12.4) Result: IPSec tunnel is established
Have you solved your problem already since March 2009?
Sincerely,
Lorenz
01-27-2010 07:20 AM
Hi Lorenz,
By tunnel established you mean IPSEC ESP tunnel or IPSEC NAT-T UDP 4500 tunnel?
01-27-2010 06:31 PM
Hi Ivan,
It is the IPSec ESP tunnel. I tried issuing the command "no crypto ipsec nat-transparency udp-encaps"
and "no crypto ipsec nat-transparency spi-matching" on both VPN endpoints.
I noticed, however, that when the NAT device is changed to PAT, the NAT-T feature begins to take part.
Is the NAT-T limited by PAT (interface overload) only?
Lorenz
01-27-2010 10:49 PM
Hi Ivan,
In my testing here are my findings:
Given the diagram:
R1(ipsec endpoint)(g0/0)--------------------R7(nat device)----------------------------R3(ipsec endpoint)
R7 translates R1's g0/0 IP address
1. Static NAT - don't care (this means when NAT-T is on, the packet is udp-encapsulated; if not, then usual encaps)
2. Static PAT (overload) - working (means NAT-T must be configured on both tunnel endpoints for udp-encaps)
3. Dynamic NAT - not working (no tunnel. IKE Phase 1 fails negotiation)(see debug outputs)
Could you do a similar test on your end so we can prove this scenario?
Regards,
Lorenz
