VPN Site To Site with gre tunnel and one device with nat.

Hi, 

I am having problems configuring a site-to-site VPN between two Cisco routers, an 877 and a 2911. It looks like phase 1 is OK, but phase 2 has a problem.

I have NAT transparency configured on both routers but it is not working. I think that the problem is caused by the NAT.

Here is the information about the routers and the show output.

---------------------------------------------------------------------------------------------------------------------

Router with NAT (does not have a public IP).

Router BCN

crypto keyring MAD-BCN
pre-shared-key address x.x.x.x key 6 asdfadsfdsaf
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp nat keepalive 20
crypto isakmp profile MAD-BCN-ITL_VRF
keyring MAD-BCN
self-identity address
match identity address x.x.x.x 255.255.255.255
!
!
crypto ipsec transform-set VPN-ITL esp-3des esp-md5-hmac
mode transport
!
crypto map CM-VPN-MAQUETA 10 ipsec-isakmp
description Crypto map para VPN-ITL-BCN-MAD
set peer x.x.x.x
set transform-set VPN-ITL
set isakmp-profile MAD-BCN-ITL_VRF
match address ACL-VPN-ITL

interface Tunnel1
description CONEXION ITL BCN-MAD
ip address 172.16.30.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1500
ip flow ingress
tunnel source Vlan19
tunnel destination x.x.x.x
tunnel mode ipip
!

interface Vlan19
ip address 10.219.219.2 255.255.255.252
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto map CM-VPN-MAQUETA

ip access-list extended ACL-VPN-ITL
permit ip host 10.219.219.2 host 212.170.173.253

----------------------------------------------------

Router without NAT (this router has other site-to-site VPNs working)

crypto keyring BCN-MAD_VRF vrf VPN-MAQUETA
pre-shared-key address x.x.x.x key 6 asdfasdfad

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 40
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 FIZ`PI`[IZaiVgdbiWYD`NJLPZYcI[JXeHGT address 0.0.0.0
crypto isakmp identity hostname
crypto isakmp nat keepalive 20

crypto isakmp profile MAD-BCN-ITL_VRF
vrf VPN-MAQUETA
keyring BCN-MAD_VRF
self-identity address
match identity address x.x.x.x 255.255.255.255 VPN-MAQUETA

crypto ipsec transform-set VPN-ITL_VRF esp-3des esp-md5-hmac
mode transport

crypto map CM-VPN-MAQUETA 80 ipsec-isakmp
description Crypto map para VPN-ITL-BCN-MAD
set peer x.x.x.x
set transform-set VPN-ITL_VRF
set isakmp-profile MAD-BCN-ITL_VRF
match address ACL-VPN-ITL_VRF

interface Tunnel8
description CONEXION ITL BCN-MAD_VRF
ip vrf forwarding VPN-MAQUETA
ip address 172.16.30.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1500
ip flow ingress
tunnel source Dialer1
tunnel mode ipip
tunnel destination x.x.x.x
tunnel vrf VPN-MAQUETA

interface Dialer1
mtu 1492
ip vrf forwarding VPN-MAQUETA
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname adslppp@telefonicanetpa
ppp chap password 7 0207004807161F31
ppp pap sent-username adslppp@telefonicanetpa password 7 12
crypto map CM-VPN-MAQUETA
!

ip access-list extended ACL-VPN-ITL_VRF
permit ip host 212.x.x.x.253 host 79.x.x.x

------------------------------------------------------------------------------

Show crypto output from the router with the NAT

ITALTEL_BCN#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.219.219.2 212.170.173.253 QM_IDLE 2496 0 ACTIVE
10.219.219.2 212.170.173.253 MM_NO_STATE 2495 0 ACTIVE (deleted)
10.219.219.2 212.170.173.253 MM_NO_STATE 2494 0 ACTIVE (deleted)

ITALTEL_BCN#show crypto session
Crypto session current status

Interface: Vlan19
Session status: DOWN
Peer: 212.170.173.253 port 500
IPSEC FLOW: permit ip host 10.219.219.2 host 212.170.173.253
Active SAs: 0, origin: crypto map

Interface: Vlan19
Profile: MAD-BCN-ITL_VRF
Session status: UP-IDLE
Peer: 212.170.173.253 port 4500
IKE SA: local 10.219.219.2/4500 remote 212.170.173.253/4500 Active
IKE SA: local 10.219.219.2/4500 remote 212.170.173.253/4500 Inactive
IKE SA: local 10.219.219.2/4500 remote 212.170.173.253/4500 Inactive

ITALTEL_BCN#show crypto ipsec sa

interface: Vlan19
Crypto map tag: CM-VPN-MAQUETA, local addr 10.219.219.2

protected vrf: (none)
local ident (addr/mask/prot/port): (10.219.219.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.170.173.253/255.255.255.255/0/0)
current_peer 212.170.173.253 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 34, #recv errors 0

local crypto endpt.: 10.219.219.2, remote crypto endpt.: 212.170.173.253
path mtu 1500, ip mtu 1500, ip mtu idb Vlan19
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

-----------------------------------------------------------------------------------------------------------------------

Debug Output

Oct 28 03:22:35.139: ISAKMP:(2490):purging SA., sa=84BEB4C0, delme=84BEB4C0is
ITALTEL_BCN#debug c
Oct 28 03:22:39.996: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (N) NEW SA
Oct 28 03:22:39.996: ISAKMP: Created a peer struct for 212.170.173.253, peer port 500
Oct 28 03:22:39.996: ISAKMP: New peer created peer = 0x83AB1968 peer_handle = 0x80000302
Oct 28 03:22:39.996: ISAKMP: Locking peer struct 0x83AB1968, refcount 1 for crypto_isakmp_process_block
Oct 28 03:22:39.996: ISAKMP: local port 500, remote port 500
Oct 28 03:22:39.996: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 84BEB4C0
Oct 28 03:22:39.996: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:22:39.996: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Oct 28 03:22:40.000: ISAKMP:(0): processing SA payload. message ID = 0
Oct 28 03:22:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:22:40.000: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:22:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:22:40.000: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:22:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:22:40.000: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:22:40.000: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:22:40.000: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:22:40.000: ISAKMP:(0): local preshared key found
Oct 28 03:22:40.000: ISAKMP : Scanning profiles for xauth ... MAD-BCN-ITL_VRF
Oct 28 03:22:40.000: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Oct 28 03:22:40.000: ISAKMP: encryption 3DES-CBC
Oct 28 03:22:40.000: ISAKMP: hash MD5
Oct 28 03:22:40.000: ISAKMP: default group 2
Oct 28 03:22:40.000: ISAKMP: auth pre-share
Oct 28 03:22:40.000: ISAKMP: life type in seconds
Oct 28 03:22:40.000: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 28 03:22:40.004: ISAKMP:(0):atts are acceptable. Next payload is 3
Oct 28 03:22:40.004: ISAKMP:(0):Acceptable atts:actual life: 3600
Oct 28 03:22:40.004: ISAKMP:(0):Acceptable atts:life: 0
Oct 28 03:22:40.004: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 28 03:22:40.004: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 28 03:22:40.004: ISAKMP:(0):Returning Actual lifetime: 3600
Oct 28 03:22:40.004: ISAKMP:(0)::Started lifetime timer: 3600.

Oct 28 03:22:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 28 03:22:40.004: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Oct 28 03:22:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 28 03:22:40.004: ISAKMP (0:0): vendor ID is NAT-T v7
Oct 28 03:22:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID is NAT-T v3
Oct 28 03:22:40.004: ISAKMP:(0): processing vendor id payload
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 28 03:22:40.004: ISAKMP:(0): vendor ID is NAT-T v2
Oct 28 03:22:40.004: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:22:40.004: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Oct 28 03:22:40.008: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 28 03:22:40.008: ISAKMP:(0): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 28 03:22:40.008: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.008: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:22:40.008: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Oct 28 03:22:40.024: ISAKMP (0:0): received packet from 212.170.173.253 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 28 03:22:40.024: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:22:40.029: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Oct 28 03:22:40.029: ISAKMP:(0): processing KE payload. message ID = 0
Oct 28 03:22:40.029: crypto_engine: Create DH shared secret
Oct 28 03:22:40.073: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 28 03:22:40.073: ISAKMP:(0):found peer pre-shared key matching 212.170.173.253
Oct 28 03:22:40.073: crypto_engine: Create IKE SA
Oct 28 03:22:40.073: crypto engine: deleting DH phase 2 SW:498
Oct 28 03:22:40.073: crypto_engine: Delete DH shared secret
Oct 28 03:22:40.073: ISAKMP:(2493): processing vendor id payload
Oct 28 03:22:40.077: ISAKMP:(2493): vendor ID is DPD
Oct 28 03:22:40.077: ISAKMP:(2493): processing vendor id payload
Oct 28 03:22:40.077: ISAKMP:(2493): speaking to another IOS box!
Oct 28 03:22:40.077: ISAKMP:(2493): processing vendor id payload
Oct 28 03:22:40.077: ISAKMP:(2493): vendor ID seems Unity/DPD but major 37 mismatch
Oct 28 03:22:40.077: ISAKMP:(2493): vendor ID is XAUTH
Oct 28 03:22:40.077: ISAKMP:received payload type 20
Oct 28 03:22:40.077: ISAKMP (0:2493): NAT found, the node inside NAT
Oct 28 03:22:40.077: ISAKMP:received payload type 20
Oct 28 03:22:40.077: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:22:40.077: ISAKMP:(2493):Old State = IKE_R_MM3 New State = IKE_R_MM3

Oct 28 03:22:40.077: ISAKMP:(2493): sending packet to 212.170.173.253 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 28 03:22:40.077: ISAKMP:(2493):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.077: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 28 03:22:40.081: ISAKMP:(2493):Old State = IKE_R_MM3 New State = IKE_R_MM4

Oct 28 03:22:40.121: ISAKMP (0:2493): received packet from 212.170.173.253 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Oct 28 03:22:40.121: crypto_engine: Decrypt IKE packet
Oct 28 03:22:40.121: ISAKMP:(2493):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 28 03:22:40.121: ISAKMP:(2493):Old State = IKE_R_MM4 New State = IKE_R_MM5

Oct 28 03:22:40.125: ISAKMP:(2493): processing ID payload. message ID = 0
Oct 28 03:22:40.125: ISAKMP (0:2493): ID payload
next-payload : 8
type : 1
address : 212.170.173.253
protocol : 17
port : 0
length : 12
Oct 28 03:22:40.125: ISAKMP:(0):: peer matches MAD-BCN-ITL_VRF profile
Oct 28 03:22:40.125: ISAKMP:(2493):Found ADDRESS key in keyring MAD-BCN
Oct 28 03:22:40.125: ISAKMP:(2493): processing HASH payload. message ID = 0
Oct 28 03:22:40.125: crypto_engine: Generate IKE hash
Oct 28 03:22:40.125: ISAKMP:(2493): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 84BEB4C0
Oct 28 03:22:40.125: ISAKMP:(2493):SA authentication status:
authenticated
Oct 28 03:22:40.125: ISAKMP:(2493):SA has been authenticated with 212.170.173.253
Oct 28 03:22:40.125: ISAKMP:(2493):Detected port floating to port = 4500
Oct 28 03:22:40.125: ISAKMP: Trying to find existing peer 10.219.219.2/212.170.173.253/4500/ and found existing peer 832A0A80 to reuse, free 83AB1968
Oct 28 03:22:40.125: ISAKMP: Unlocking peer struct 0x83AB1968 Reuse existing peer, count 0
Oct 28 03:22:40.125: ISAKMP: Deleting peer node by peer_reap for 212.170.173.253: 83AB1968
Oct 28 03:22:40.125: ISAKMP: Locking peer struct 0x832A0A80, refcount 2 for Reuse existing peer
Oct 28 03:22:40.129: ISAKMP:(2493):SA authentication status:
authenticated
Oct 28 03:22:40.129: ISAKMP:(2493): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.219.219.2 remote 212.170.173.253 remote port 4500
Oct 28 03:22:40.129: ISAKMP:(2492):received initial contact, deleting SA
Oct 28 03:22:40.129: ISAKMP:(2492):peer does not do paranoid keepalives.

Oct 28 03:22:40.129: ISAKMP:(2492):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 212.170.173.253)
Oct 28 03:22:40.129: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Oct 28 03:22:40.129: ISAKMP:(2493):Setting UDP ENC peer struct 0x0 sa= 0x84BEB4C0
Oct 28 03:22:40.129: ISAKMP:(2493):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 28 03:22:40.129: ISAKMP:(2493):Old State = IKE_R_MM5 New State = IKE_R_MM5

Oct 28 03:22:40.129: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:22:40.129: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 03:22:40.129: ISAKMP: set new node -1784468210 to QM_IDLE
Oct 28 03:22:40.129: crypto_engine: Generate IKE hash
Oct 28 03:22:40.133: crypto_engine: Encrypt IKE packet
Oct 28 03:22:40.133: ISAKMP:(2492): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) QM_IDLE
Oct 28 03:22:40.133: ISAKMP:(2492):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.133: ISAKMP:(2492):purging node -1784468210
Oct 28 03:22:40.133: ISAKMP:(2492):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 28 03:22:40.133: ISAKMP:(2492):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Oct 28 03:22:40.133: ISAKMP:(2493):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 28 03:22:40.133: ISAKMP (0:2493): ID payload
next-payload : 8
type : 1
address : 10.219.219.2
protocol : 17
port : 0
length : 12
Oct 28 03:22:40.133: ISAKMP:(2493):Total payload length: 12
Oct 28 03:22:40.133: crypto_engine: Generate IKE hash
Oct 28 03:22:40.137: crypto_engine: Encrypt IKE packet
Oct 28 03:22:40.137: ISAKMP:(2493): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:22:40.137: ISAKMP:(2493):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.137: ISAKMP:(2493):Returning Actual lifetime: 3600
Oct 28 03:22:40.137: ISAKMP: set new node -1839478786 to QM_IDLE
Oct 28 03:22:40.137: crypto_engine: Generate IKE hash
Oct 28 03:22:40.137: ISAKMP:(2493):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2213332560, message ID = -1839478786
Oct 28 03:22:40.137: crypto_engine: Encrypt IKE packet
Oct 28 03:22:40.137: ISAKMP:(2493): sending packet to 212.170.173.253 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Oct 28 03:22:40.137: ISAKMP:(2493):Sending an IKE IPv4 Packet.
Oct 28 03:22:40.137: ISAKMP:(2493):purging node -1839478786
Oct 28 03:22:40.137: ISAKMP: Sending phase 1 responder lifetime 3600

Oct 28 03:22:
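As an added example (not part of the original post), the following Python reads the "show crypto ipsec sa" excerpt posted above, flags the indicators that phase 2 never came up (outbound SPI 0x0, empty ESP SA lists, send errors with zero encaps), and checks whether two peers' phase 2 proxy identities mirror each other, which is one of the first things to verify when phase 1 is up but phase 2 fails. The MAD-side identities are constructed: 203.0.113.1 is a placeholder for the obscured 79.x.x.x address in the MAD ACL.

```python
import re

# Excerpt of the "show crypto ipsec sa" output posted in the thread (copied verbatim).
SHOW_IPSEC_SA = """\
local ident (addr/mask/prot/port): (10.219.219.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.170.173.253/255.255.255.255/0/0)
current_peer 212.170.173.253 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 34, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:

outbound esp sas:
"""

def parse_ipsec_sa(text):
    """Extract the fields that show whether phase 2 negotiated and is passing traffic."""
    idents = {side: (addr, mask) for side, addr, mask in
              re.findall(r"(local|remote) ident \S+: \(([\d.]+)/([\d.]+)/\d+/\d+\)", text)}
    pkts = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    send_errors = int(re.search(r"#send errors (\d+)", text).group(1))
    spi = int(re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", text).group(1), 16)
    # A populated ESP SA section lists "spi=0x..." entries right after its header.
    has_esp_sa = re.search(r"esp sas:\s*\n\s*spi=", text) is not None
    return {"local": idents["local"], "remote": idents["remote"], "encaps": pkts["encaps"],
            "decaps": pkts["decaps"], "send_errors": send_errors,
            "outbound_spi": spi, "has_esp_sa": has_esp_sa}

def phase2_problems(sa):
    """Return the reasons the SA output points at a phase 2 (IPsec) failure, if any."""
    reasons = []
    if sa["outbound_spi"] == 0:
        reasons.append("outbound SPI is 0: no IPsec SA was negotiated")
    if not sa["has_esp_sa"]:
        reasons.append("inbound/outbound ESP SA lists are empty")
    if sa["send_errors"] and sa["encaps"] == 0:
        reasons.append("traffic matched the crypto ACL but was dropped (send errors, 0 encaps)")
    return reasons

def proxy_ids_mirror(a_local, a_remote, b_local, b_remote):
    """Phase 2 identities must be mirror images: A's local == B's remote and vice versa."""
    return a_local == b_remote and a_remote == b_local

BCN = parse_ipsec_sa(SHOW_IPSEC_SA)
# CONSTRUCTED: identities a peer whose crypto ACL names the NAT public address would offer;
# 203.0.113.1 stands in for the obscured 79.x.x.x of the MAD-side ACL.
MAD_LOCAL, MAD_REMOTE = ("212.170.173.253", "255.255.255.255"), ("203.0.113.1", "255.255.255.255")
```

Because the NAT-side router presents its private address 10.219.219.2 as the local identity, `proxy_ids_mirror(BCN["local"], BCN["remote"], MAD_LOCAL, MAD_REMOTE)` returns False for the constructed MAD side.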