Hello,

cnicules · ‎01-16-2016

Hello,

i want to create a VPN between 2 VXE, one with public IP one behind a NAT router.

i tryed a Static Virtual Tunnel Interface config, but with no luck. the nat router forwards all the wan traffic to the vxe (DMZ host)

for starters is it possible?

i've tryed to specify on the VXE1 as source the public and the private ip, not worked.

from what i get from the logs is that is not understanding each others on the NAT/IP part.

i've search for a command to force a nat-traversal, but aparentlly the IOS XE autodetect this.

the config:

VXE1 --- NAT --- Internet --- VXE2

!

crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
mode tunnel
!
crypto ipsec profile SVTIPROFILE
set transform-set MYSET

!

interface Tunnel30
ip address 10.20.20.2 255.255.255.252
tunnel source <VXE1>
tunnel mode ipsec ipv4
tunnel destination <VXE2>
tunnel protection ipsec profile SVTIPROFILE

!

Philip D'Ath · ‎01-16-2016

What is a VXE?

cnicules · ‎01-20-2016

VXE is Virtual XE, is the Cisco CSR1000V running IOS-XE

Philip D'Ath · ‎01-16-2016

Can you post the actual tunnel configs, and the log you got showing the issue please.

cnicules · ‎01-20-2016

Hello,

i clean the config, reload, and did it again in the right order from the start, and it works.

for record here is the configuration:

crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 16
crypto isakmp key PASSWORD address <PublicIP>
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile SVTIPROFILE
set transform-set MYSET
!
interface Tunnel30
ip address 10.20.20.1 255.255.255.252
load-interval 30
keepalive 1 3
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination <PublicIP>
tunnel checksum
tunnel path-mtu-discovery
tunnel protection ipsec profile SVTIPROFILE
!

Cheers,

Ciprian

Site to Site IPSec VPN with Cisco CSR1000V behind NAT