Hello,
We have a bunch of sites connected by IPSec tunnels between a central Cisco 3800 and remote MSR-900s.
Everything is fine when the remote site uses a white IP. But when the ISP provides a grey one, e.g. 192.168.1.200, we have a problem transmitting traffic over IPSec.
In my opinion, the problem is that NAT-T is not engaged during the setup phase.
If the MSR-900 is replaced by a Cisco 861, the IPSec tunnel establishes successfully with NAT-T enabled and traffic goes through.
There are no specific IPSec NAT-T config commands on the MSR, so I presume it is enabled by default.
Here is the IPSec-related config on the Cisco 3800. It uses the dynamic crypto map approach, as we don't know which public IP the Service Provider uses for outside NAT:
crypto ipsec transform-set office esp-des esp-md5-hmac
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
crypto dynamic-map DYNAMAP 5555
 set security-association lifetime seconds 28800
 set transform-set office
 set pfs group2
 match address test-gsm
 reverse-route
crypto map RETAIL 40000 ipsec-isakmp dynamic DYNAMAP
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
ip access-list extended test-gsm
 permit ip any 10.109.51.96 0.0.0.31
interface GigabitEthernet0/1
 description Outbound
 ip address X.X.158.20 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly max-fragments 64
 ip policy route-map counters
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 crypto map RETAIL
 max-reserved-bandwidth 90
end
MSR-900 config:
acl number 3001
 rule 0 permit ip source 10.109.51.96 0.0.0.31
ike proposal 1
 dh group2
 authentication-algorithm md5
 sa duration 3600
ike peer 1
 pre-shared-key cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 remote-address XXX.XXX.158.20
ipsec proposal office
#
ipsec policy vpn 1 isakmp
 security acl 3001
 pfs dh-group2
 ike-peer 1
 proposal office
 sa duration time-based 28800
interface Ethernet0/0
 port link-mode route
 ip address dhcp-alloc
 ipsec policy vpn
interface Loopback0
 ip address 10.109.51.126 255.255.255.255
Please see the attached MSR-900 debug; it is too long to post here. You can see that all security associations are being established, but NAT-T is not detected.
Crypto SA on the MSR; please notice that NAT-T is not negotiated:
<Remote-Site> displ ipsec sa
===============================
Interface: Ethernet0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "vpn"
sequence number: 1
mode: isakmp
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy: DH group 2
tunnel:
local address: 192.168.1.201
remote address: XX.XXX.158.20
flow:
sour addr: 10.109.51.96/255.255.255.224 port: 0 protocol: IP
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 3957060744 (0xebdbf488)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
---- More ----
sa duration (kilobytes/sec): 1843200/28800
sa remaining duration (kilobytes/sec): 1843200/28420
max received sequence-number: 1
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3564383543 (0xd4742d37)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/28800
sa remaining duration (kilobytes/sec): 1843199/28420
max received sequence-number: 5
udp encapsulation used for nat traversal: N
<Remote-Site>displ ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------------
5 XXX.XXX.158.20 RD|ST 1 IPSEC
6 XXX.XXX.158.20 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<Remote-Site>
We got IKE phase 2 and IPSec negotiated successfully on the Cisco 3800 as well. You can see ICMP packets being received and sent, but the replies vanish somewhere on the ISP NAT peers:
ru-msk-c3845-vpn#sh crypto sess remo X.X.8.193 de
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/1
Uptime: 00:00:51
Session status: UP-ACTIVE
Peer: X.X.8.193 port 3324 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.201
Desc: (none)
IKE SA: local XXX.XXX.158.20/500 remote X.X.8.193/3324 Active
Capabilities:(none) connid:8976 lifetime:00:59:06
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.109.51.96/255.255.255.224
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 1830689/28748
Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 1830689/28748
Please kindly suggest anything.
Thanks!
#msr-900 #cisco #H3C #NAT #ipsec
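The two show outputs in the post already contain the NAT-T evidence: the 3800 sees the IKE peer from port 3324 rather than 500 and reports `Capabilities:(none)`, while the MSR prints `udp encapsulation used for nat traversal: N` for both ESP SAs. The script below is an added example, not code from the thread or from either vendor. It parses constructed copies of those outputs (public addresses replaced with the documentation prefixes 203.0.113.20 and 198.51.100.193) and lists the findings a troubleshooter would flag; it also shows the RFC 3947 NAT-D computation (a hash over the initiator cookie, responder cookie, IP and port) that lets a peer notice its address was rewritten in transit. The cookies are hypothetical, and MD5 is used because the post's ISAKMP policy negotiates `hash md5`.

```python
"""Added example (not from the post or either vendor): decide from the
show outputs whether NAT is in the path and whether NAT-T was negotiated,
and show the RFC 3947 NAT-D hash that IKE uses to detect the NAT."""
import hashlib
import ipaddress
import re
import socket
import struct

IKE_PORT = 500
NATT_PORT = 4500

# Constructed sample of the MSR "display ipsec sa" lines quoted in the post
# (the 3800's public address replaced with a documentation prefix).
MSR_IPSEC_SA = """\
tunnel:
  local address: 192.168.1.201
  remote address: 203.0.113.20
[inbound ESP SAs]
  spi: 3957060744 (0xebdbf488)
  udp encapsulation used for nat traversal: N
[outbound ESP SAs]
  spi: 3564383543 (0xd4742d37)
  udp encapsulation used for nat traversal: N
"""

# Constructed sample of the 3800's "show crypto session detail" lines.
CISCO_SESSION = """\
Peer: 198.51.100.193 port 3324 fvrf: (none) ivrf: (none)
  Phase1_id: 192.168.1.201
  IKE SA: local 203.0.113.20/500 remote 198.51.100.193/3324 Active
          Capabilities:(none) connid:8976 lifetime:00:59:06
"""

# Hypothetical ISAKMP cookies (8 bytes each); real ones come from the IKE header.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def natt_negotiated_on_msr(text):
    """True only if every ESP SA reports UDP encapsulation (NAT-T) in use."""
    flags = re.findall(r"udp encapsulation used for nat traversal:\s*(\w)", text)
    return bool(flags) and all(f.upper() == "Y" for f in flags)


def parse_cisco_session(text):
    """Pull the IKE SA endpoints, capability letters and Phase1 ID out of the output."""
    sa = re.search(r"IKE SA: local (\S+)/(\d+) remote (\S+)/(\d+)", text)
    caps = re.search(r"Capabilities:\((.*?)\)", text)
    phase1 = re.search(r"Phase1_id:\s*(\S+)", text)
    return {
        "local_ip": sa.group(1), "local_port": int(sa.group(2)),
        "remote_ip": sa.group(3), "remote_port": int(sa.group(4)),
        "capabilities": set(caps.group(1).split(",")) - {"none", ""} if caps else set(),
        "phase1_id": phase1.group(1) if phase1 else None,
    }


def diagnose(cisco_text, msr_text):
    """Return the list of findings a NAT-T troubleshooter would flag."""
    s = parse_cisco_session(cisco_text)
    findings = []
    # A private Phase1 ID arriving from a public source address, or an IKE
    # source port other than 500, means a NAT rewrote the packets on the way.
    id_private = bool(s["phase1_id"]) and ipaddress.ip_address(s["phase1_id"]).is_private
    src_public = not ipaddress.ip_address(s["remote_ip"]).is_private
    if (id_private and src_public) or s["remote_port"] != IKE_PORT:
        findings.append("NAT between peers")
    # With NAT-T the session shows capability N and IKE moves to UDP 4500.
    if "N" not in s["capabilities"] and s["remote_port"] != NATT_PORT:
        findings.append("NAT-T not negotiated")
    if not natt_negotiated_on_msr(msr_text):
        findings.append("ESP sent raw, not UDP-encapsulated")
    return findings


def nat_d_hash(cky_i, cky_r, ip, port, hashname="md5"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port) using the
    negotiated IKE hash (MD5 here, matching the post's isakmp policy)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hashname, data).digest()


def nat_detected(cky_i, cky_r, claimed, observed, hashname="md5"):
    """The sender hashes the address/port it believes it uses; the receiver
    re-hashes what it actually saw on the wire. A mismatch means NAT."""
    return nat_d_hash(cky_i, cky_r, *claimed, hashname) != nat_d_hash(cky_i, cky_r, *observed, hashname)


if __name__ == "__main__":
    for f in diagnose(CISCO_SESSION, MSR_IPSEC_SA):
        print("-", f)
    # What the MSR would put in its NAT-D payload versus what the 3800 saw.
    print("NAT-D mismatch:", nat_detected(CKY_I, CKY_R, ("192.168.1.201", 500), ("198.51.100.193", 3324)))
```

Run as-is, the script reports all three findings. The point of the NAT-D part is that detection only works if both peers actually exchange NAT-D payloads in phase 1; when they do not, the 3800 returns its replies as raw ESP (IP protocol 50) to the translated address, and a carrier NAT that only tracks UDP/TCP ports has nothing to map them back to, which matches the post's "4 packets encrypted, 4 decrypted, replies lost" picture. On Comware 5 the `nat traversal` command in ike-peer view controls whether the MSR offers NAT-T (an assumption about the platform; verify against the documentation for your release rather than relying on a default).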