Problems with IPsec and Firewall (NAT-T/PAT)

Level 1

Hi,

we have the following network design:

PC ---- VPN Router Satellite ---- Firewall Satellite ---- Internet ---- Firewall Central Site ---- VPN Router Central ---- Server

The IPsec tunnel is between the two VPN routers. The central-site firewall NATs the IP address of the VPN Router Central; the satellite-site firewall has only one IP address, therefore we PAT the VPN Router Satellite. The IPsec tunnel is a dynamic tunnel and we use NAT-T (UDP port 500 and UDP port 4500). The tunnel runs well as long as nothing changes. If someone changes the configuration on the firewalls, the IPsec tunnel sometimes never connects successfully again. The only solution is to reload the VPN router at the satellite site.

Any good idea what to do? We will never get a second IP address at the satellite site.

regards

alex

2 Replies

ehirsel
Level 6

I think the issue is caused by one peer not being able to detect the loss of the other peer. Are you employing DPD or some other type of keepalive for the IPsec traffic? If the routers are IOS based, you can configure isakmp keepalive poll-interval on each router to send periodic keepalives.

When you reload one peer, what happens is that the ISAKMP SAs are negotiated anew once the crypto processing takes place. If you cannot, or do not want to, use keepalives, you can run the clear crypto sa and clear crypto isa sa commands on one peer to force a new phase 1 and phase 2 SA establishment.

Let me know if this helps.
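For readers who want to see what the keepalive suggestion above looks like on an IOS router, here is an added configuration example (not part of the original thread, and not taken from the poster's routers). It assumes an IOS ISAKMP/IPsec setup of the kind described in the question; the interval values are illustrative choices, not recommendations from the thread.

```cisco
! --- Global configuration mode (added example, illustrative values) ---
! Periodic DPD: send an ISAKMP keepalive every 10 seconds; if a reply is
! missed, retry every 3 seconds. Once the retries are exhausted the peer is
! declared dead and its phase 1/phase 2 SAs are torn down, so the next
! interesting packet triggers a fresh negotiation instead of using a stale SA.
crypto isakmp keepalive 10 3 periodic
!
! NAT-T keepalives every 20 seconds keep the UDP/4500 PAT entry on the
! satellite firewall alive while the tunnel carries no user traffic.
crypto isakmp nat keepalive 20

! --- Privileged EXEC mode: manual recovery without a reload ---
! Drop all IPsec (phase 2) SAs, then all ISAKMP (phase 1) SAs; the tunnel
! is rebuilt from scratch when traffic next matches the crypto map.
clear crypto sa
clear crypto isakmp
```

The DPD timers stay on the router, so a change on either firewall that silently breaks the path is noticed within the keepalive window rather than only when an admin reloads the satellite router; the clear commands give the same effect on demand.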

Hi,

thank you for the reply, but we have configured RTR on the router, which makes the router request a web server every minute.

Our problem seems to be the encryption.

We have some AIM/VPN modules in our routers. After changing the encryption from AES to 3DES the IPsec tunnel runs better.

regards

alex