
Router needs to be a VPN endpoint, and also pass through ikev2

Paul Lawrie
Level 1

Hi all :)

I have a Cisco 1941 that has a site-to-site ipsec VPN configured and working fine. The endpoint IP address is a static IP configured on the Dialer0 interface. There is also an ISP-assigned /29 network routed to us that we use for a few different services. I'm just NATing some ports to the inside on some of the IPs.

I now have a need to host a Windows 2012 IKEv2 server internally to allow mobile devices to access an internal resource. If I configure NAT rules to allow ESP protocol through on Dialer0 the VPN works just fine, but as you might expect my site-to-site VPN breaks.

No worries I think, I'll just configure ESP to use an IP address in my /29 range. Except NATing ESP seems to require an interface configured, and my addresses for the IPs in the /29 aren't actually assigned to an interface.

I'm clearly not an expert in this area and would appreciate a nudge in the right direction :)

Unfortunately using IOS to terminate the VPN, and not Windows Server, is not really an option.

1 Reply

Rahul Govindan
VIP Alumni

If you have a separate IP address, why not do a 1-1 static NAT for your server and then only allow the ports UDP 500 and 4500 and ESP in an inbound ACL (if it only needs VPN access). This way you do not interfere with the existing setup and you don't have to worry about the IP address being assigned to any interface.
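The reply's approach as an added IOS configuration example (not posted by either participant): a 1:1 static NAT from a spare /29 address to the internal IKEv2 server, plus an inbound ACL on Dialer0 that admits only IKE, NAT-T and ESP to that address and otherwise leaves existing traffic alone. The addresses, the inside interface name and the ACL name are assumed.

```cisco
! Added example, not from the thread. Assumed values:
!   203.0.113.10       = one spare address from the ISP-routed /29 (on no interface)
!   192.168.10.20      = the internal Windows 2012 IKEv2 server
!   GigabitEthernet0/0 = inside LAN interface; Dialer0 = outside (static IP)
!
! One-to-one static NAT. Because the /29 is routed to the router, the public
! address does not have to be configured on any interface for NAT to translate it.
ip nat inside source static 192.168.10.20 203.0.113.10
!
! Inbound filter for the outside interface. Only IKE (UDP 500), NAT-T (UDP 4500)
! and ESP may reach the IKEv2 server's public address; everything else aimed at
! that address is dropped and logged. The final permit keeps the existing
! site-to-site VPN and port forwards on the Dialer0 address working unchanged.
! If Dialer0 already carries an inbound ACL, merge these lines into it instead.
ip access-list extended OUTSIDE-IN
 remark --- IKEv2 server behind 1:1 NAT: IKE, NAT-T and ESP only
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 deny   ip  any host 203.0.113.10 log
 remark --- leave all other inbound traffic exactly as it was before
 permit ip any any
!
interface GigabitEthernet0/0
 ip nat inside
!
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

Because the server sits behind NAT, clients will normally detect it and carry ESP inside UDP 4500 (NAT-T), so the bare ESP permit only matters for peers that do not negotiate NAT-T. `show ip nat translations` and `show access-lists` confirm the translation and which ACL lines are matching.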