Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4338
Views
0
Helpful
16
Replies

Understanding NAT-T with IKEv1?

Go to solution
EM_Chris
Level 1
Level 1

‎11-18-2020 08:39 AM

NAT-T.JPG

Hello guys, I'm trying to set up a basic site-to-site lab with NAT-T using port 4500 but I'm not sure if I'm missing a config or something needs to be removed somewhere on one of the routers or if I'm doing something wrong in general.

 

The loopbacks are acting as the interesting traffic LAN subnets to be encrypted and decrypted but when I ping 10.2.2.2 sourced from 10.1.1.1 on R1 I am seeing phase 1 up but phase 2 is showing send errors

 

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.1.2 192.168.2.2 QM_IDLE 1004 ACTIVE

IPv6 Crypto ISAKMP SA

 

R1#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: crypto_map_test, local addr 192.168.1.2

protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
current_peer 192.168.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 115, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
R1#

 

On R2 I'm seeing this 

 

R2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.2.2 192.168.2.1 QM_IDLE 1004 ACTIVE

IPv6 Crypto ISAKMP SA

R2#

 

Any answers or suggestions in helping me correct and understand the NAT-T functioning is greatly appreciated

Here are the configs below.

 

 

===========================================================================================

 

R1#sh run
Building configuration...

Current configuration : 2415 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
crypto keyring crypto_keyring_test
local-address 192.168.1.2
pre-shared-key address 192.168.2.2 key cisco
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 14
!
crypto isakmp policy 200
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 300
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 400
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 500
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 600
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 700
encr aes
authentication pre-share
group 2
lifetime 36600
crypto isakmp keepalive 10 10
crypto isakmp profile crypto_profile_test
description test crypto profile
keyring crypto_keyring_test
self-identity address
match identity address 192.168.2.2 255.255.255.255
local-address 192.168.1.2
!
!
crypto ipsec transform-set transform_set_test esp-aes 256 esp-sha-hmac
!
crypto map crypto_map_test 1 ipsec-isakmp
description test crypto map
set peer 192.168.2.2
set transform-set transform_set_test
set reverse-route tag 100
set isakmp-profile crypto_profile_test
match address crypto_acl_test
reverse-route static
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.0.0.0
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex half
crypto map crypto_map_test
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended crypto_acl_test
permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

R1#

 

===========================================================================================

 

NAT#sh run
Building configuration...

Current configuration : 1799 bytes
!
! Last configuration change at 03:09:24 UTC Wed Nov 18 2020
!
version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname NAT
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 997IXWXAFGO
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 192.168.1.1 255.255.255.0
ip nat inside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 192.168.2.1 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip nat inside source static udp 192.168.1.2 500 192.168.2.1 500 extendable
ip nat inside source static udp 192.168.1.2 4500 192.168.2.1 4500 extendable
ip nat inside source list PAT interface GigabitEthernet2 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.2
ip route 10.1.0.0 255.255.0.0 192.168.1.2
!
!
!
ip access-list extended PAT
permit ip 192.168.1.0 0.0.0.255 any
permit ip 10.1.0.0 0.0.255.255 any
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
login
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

NAT#

 

===========================================================================================

 

R2#sh run
Building configuration...

Current configuration : 2415 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
crypto keyring crypto_keyring_test
local-address 192.168.2.2
pre-shared-key address 192.168.2.1 key cisco
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 14
!
crypto isakmp policy 200
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 300
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 400
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 500
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 600
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 700
encr aes
authentication pre-share
group 2
lifetime 36600
crypto isakmp keepalive 10 10
crypto isakmp profile crypto_profile_test
description test crypto profile
keyring crypto_keyring_test
self-identity address
match identity address 192.168.2.1 255.255.255.255
local-address 192.168.2.2
!
!
crypto ipsec transform-set transform_set_test esp-aes 256 esp-sha-hmac
!
crypto map crypto_map_test 1 ipsec-isakmp
description test crypto map
set peer 192.168.2.1
set transform-set transform_set_test
set reverse-route tag 100
set isakmp-profile crypto_profile_test
match address crypto_acl_test
reverse-route static
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 10.2.2.2 255.0.0.0
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex half
crypto map crypto_map_test
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended crypto_acl_test
permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

R2#

===========================================================================================

Labels:
0 Helpful
16 Replies 16

Go to solution
EM_Chris
Level 1
Level 1
In response to MHM Cisco World

‎11-20-2020 03:21 PM

You're a genius man! 

 

That seems to have worked. Both sides can ping now using port 4500.

change 1.JPGchange 2.JPG

I'm not seeing any MM messages when I expand on the packets though just information about the SPI.

wireshark.JPG

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to EM_Chris

‎11-20-2020 03:32 PM

And your so welcome man,

pleas mention that this issue solve.

good luck friend

0 Helpful
Customers Also Viewed These Support Documents