IPsec via NAT
15 years 7 months ago #32173
by skylimit
"...you are never too old to learn" anon
IPsec via NAT was created by skylimit
Hi Guys,
I wonder if I could get some help with my IPsec configuration. Basically, I'm trying to establish an IPsec connection via a NAT router. I'm aware that NAT breaks IPsec, especially when the AH protocol is in use. In my case I'm using ESP, and I think the reason why I'm unable to ping the far end of the IPsec tunnel is my routing. Can someone advise on my routing or any other errors spotted, please? Config is below and here's the diagram of my setup.
www.2shared.com/file/7990289/76d1d4d2/config.html
[code:1]
R1 - Router with IPsec IOS
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
crypto isakmp policy 10
authentication pre-share
lifetime 28800
crypto isakmp key <psk> address <remote peer public IP>
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
set peer <remote peer public IP>
set transform-set myset
match address abs
!
!
!
!
!
!
interface Tunnel1
description GRE tunnel -> Remote Ipsec VPN GW
ip address 10.x.x.1 <Tunnel Mask - /30>
tunnel source FastEthernet0/0
tunnel destination <R2 public IP>
!
!
interface FastEthernet0/0
description External interface
ip address <LAN IP> 255.255.255.0
ip access-group accessgrpname in
duplex auto
speed auto
crypto map testmap
!
interface FastEthernet0/1
description LAN interface
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 <Inside interface IP on NAT router>
ip http server
no ip http secure-server
!
ip access-list extended accessgrpname
permit icmp any any
permit udp host <R2 public IP> eq isakmp host <R1 public IP> eq isakmp
permit esp host <R2 public IP> host <R1 public IP>
permit gre host <R2 public IP> host <R1 public IP>
ip access-list extended abs
permit gre host <R1 public IP> host <R2 public IP>
[/code:1]
[code:1]
NAT Router
---
hostname NAT
!
!
memory-size iomem 10
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
!
interface Ethernet0/0
description LAN connection from R1
ip address <local peer public IP> <mask>
ip nat outside
half-duplex
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Ethernet0/1
description Connection -> fa0/1 on R1
ip address <LAN IP> <Mask>
ip nat inside
half-duplex
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 <remote peer public ip>
ip http server
ip pim bidir-enable
!
!
access-list 1 permit <R1 external IP - private ip>
!
[/code:1]
[code:1]
R2 - Remote IPsec peer
!
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key psk address <Ext Interface IP on NAT router>
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
set peer <Ext Interface IP on NAT router>
set transform-set myset
match address gre
!
!
interface FastEthernet0/0
description External Interface -> R1 via NAT
ip address <R2 public IP> <mask>
ip access-group Allow in
duplex auto
speed auto
crypto map testmap
!
interface Tunnel30
description Remote Tunnel -> R1
ip address 10.x.x.2 255.255.255.252
ip access-group accessgrpname in
tunnel source FastEthernet0/0
tunnel destination <Ext Interface IP on NAT router>
!
ip classless
ip route 0.0.0.0 0.0.0.0 <def GW>
ip http server
no ip http secure-server
!
ip access-list extended gre
permit gre host <remote peer ip> host <NAT WAN IP>
permit gre host <NAT WAN IP> host <remote peer ip>
!
ip access-list extended Allow
permit udp host <NAT WAN IP> eq isakmp host <remote peer ip> eq isakmp
permit esp host <NAT WAN IP> host <remote peer ip>
permit gre host <NAT WAN IP> host <remote peer ip>
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
!
end
[/code:1]
Any help/pointers will be appreciated.
Thanks
Sky
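The opening post's remark that NAT breaks IPsec "especially when the AH protocol is in use" can be made concrete. What follows is an added example, not code from the thread or from any of its posters: a toy Python model of the three packet formats involved. The key, SPIs and RFC 5737 addresses are constructed, integrity is HMAC-MD5-96 (the esp-md5-hmac of the posted transform set), and encryption is left out because it plays no part in the NAT problem. The model builds an AH and an ESP packet, passes each through the source-address rewrite a NAT router performs, and then applies the NAT-T UDP/4500 encapsulation that gives a port-overloading NAT something it can translate.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-integrity-key"  # constructed; not a real key or PSK
ICV_LEN = 12                              # HMAC-MD5-96: tag truncated to 96 bits
NAT_T_PORT = 4500


def _checksum(hdr: bytes) -> int:
    """Ones'-complement IPv4 header checksum (hdr must have an even length)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.md5).digest()[:ICV_LEN]


def _ah_covered_header(ip_hdr: bytes) -> bytes:
    """AH (RFC 4302) zeroes only the mutable fields (TOS, flags/fragment offset,
    TTL, checksum) before hashing the IP header; both addresses stay in."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def build_ah(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """IP(proto 51) | AH header | ICV | payload."""
    ip_hdr = ipv4_header(src, dst, 51, 32 + ICV_LEN + len(payload))
    ah_hdr = struct.pack("!BBHII", 1, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)  # next = ICMP
    icv = _tag(_ah_covered_header(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_hdr + icv + payload


def verify_ah(pkt: bytes) -> bool:
    covered = _ah_covered_header(pkt[:20]) + pkt[20:32] + bytes(ICV_LEN) + pkt[32 + ICV_LEN:]
    return hmac.compare_digest(pkt[32:32 + ICV_LEN], _tag(covered))


def build_esp(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """IP(proto 50) | ESP header | payload | trailer | ICV. The ICV covers
    everything from the SPI onward and nothing in the outer IP header."""
    body = struct.pack("!II", spi, seq) + payload + struct.pack("!BB", 0, 1)  # no pad, next = ICMP
    return ipv4_header(src, dst, 50, 20 + len(body) + ICV_LEN) + body + _tag(body)


def verify_esp(esp: bytes) -> bool:
    """Verify ESP given from the SPI onward (outer IP/UDP headers stripped)."""
    return hmac.compare_digest(esp[-ICV_LEN:], _tag(esp[:-ICV_LEN]))


def nat_rewrite(pkt: bytes, new_src: str, new_sport: int = 0) -> bytes:
    """What the NAT router does: swap the source address, fix the IP checksum and,
    when overloading, swap the source port of a UDP packet. It cannot fix an ICV."""
    hdr = pkt[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + pkt[16:20]
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    rest = pkt[20:]
    if new_sport and hdr[9] == 17:  # UDP only: new source port, checksum 0 = none
        rest = struct.pack("!H", new_sport) + rest[2:6] + b"\x00\x00" + rest[8:]
    return hdr + rest


def nat_t_encapsulate(esp_pkt: bytes) -> bytes:
    """RFC 3948 UDP encapsulation: IP(proto 17) | UDP 4500 -> 4500 | ESP ... ICV."""
    src, dst = (str(ipaddress.IPv4Address(esp_pkt[i:i + 4])) for i in (12, 16))
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, len(esp_pkt) - 12, 0) + esp_pkt[20:]
    return ipv4_header(src, dst, 17, 20 + len(udp)) + udp


def classify_udp4500(udp_payload: bytes) -> str:
    """IKE on UDP 4500 carries a 4-byte zero non-ESP marker; an ESP SPI is never 0."""
    return "IKE" if udp_payload[:4] == bytes(4) else "ESP"


def demo() -> dict:
    r1, nat_pub, r2 = "192.168.1.2", "203.0.113.10", "198.51.100.20"  # constructed addresses
    payload = b"\x08\x00constructed-echo"
    ah = nat_rewrite(build_ah(r1, r2, 0x100, 1, payload), nat_pub)
    esp = nat_rewrite(build_esp(r1, r2, 0x200, 1, payload), nat_pub)
    natt = nat_rewrite(nat_t_encapsulate(build_esp(r1, r2, 0x200, 2, payload)),
                       nat_pub, new_sport=61000)
    return {
        "ah_after_nat": verify_ah(ah),            # False: the hashed source address changed
        "esp_after_nat": verify_esp(esp[20:]),    # True: the outer header is not hashed
        "natt_after_pat": verify_esp(natt[28:]),  # True: ICV covers only the UDP payload
        "natt_sport": struct.unpack("!H", natt[20:22])[0],  # 61000: PAT changed it
        "udp4500_kind": classify_udp4500(natt[28:]),        # "ESP"
    }
```

Running demo() gives ah_after_nat False and esp_after_nat True: the AH ICV covers the source address the NAT rewrote, the ESP ICV does not. nat_rewrite only touches a source port when the packet is UDP, which is the practical reason bare ESP (IP protocol 50) cannot be overloaded behind a single public address and why the NAT-T wrapper exists; once wrapped, the source port may come out as anything (61000 here) while the ESP ICV still verifies because it covers only the UDP payload. classify_udp4500 is the receiver-side check that tells IKE from ESP when both share UDP 4500.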
15 years 7 months ago #32174
by r0nni3
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Replied by r0nni3 on topic Re: IPsec via NAT
Hey sky,
What I understand from the picture is that there is another device in front of R1 that uses NAT?
15 years 7 months ago #32175
by skylimit
"...you are never too old to learn" anon
Replied by skylimit on topic Re: IPsec via NAT
r0nni3, that's correct, there's a NAT router in front of R1.
15 years 7 months ago #32180
by skylimit
"...you are never too old to learn" anon
Replied by skylimit on topic Problem solved - thanks to all viewers
What did I do to solve the problem?
The following ACL statement was added on R2's WAN interface and R1's external interface:
permit udp host <Public IP on NAT router> eq non500-isakmp host <remote peer WAN IP>
Recall that NAT-T uses UDP port 4500 (specified by non500-isakmp in the ACL). I was allowing only ISAKMP (UDP port 500).
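The fix above is a missing ACL entry, and that class of mistake is easy to check mechanically. The following is an added example, not code from the thread: a small Python audit that parses an IOS extended ACL, evaluates it first-match with the implicit deny, and reports whether a peer behind NAT is allowed IKE (udp/500), NAT-T (udp/4500) and ESP, plus GRE where the thread's ACLs carry it. The ACL text is a constructed stand-in for R2's "Allow" list with RFC 5737 addresses in place of the placeholders. The helper names (audit, permitted, suggested_fix) are my own. One deliberate difference from the line posted above: suggested_fix matches only the destination port, because a port-overloading NAT may translate the source port of UDP 4500 traffic, and an ACE that pins the source port would then drop it; the audit flags existing source-port pins as fragile for the same reason.

```python
import ipaddress
import re

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # the IOS port keywords that matter here

# permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]; src/dst = host A | any | A wildcard
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(\S+)\s+(host\s+\S+|any|\S+\s+\S+)(?:\s+eq\s+(\S+))?"
    r"\s+(host\s+\S+|any|\S+\s+\S+)(?:\s+eq\s+(\S+))?")


def _port(token):
    if token is None:
        return None
    return PORT_NAMES.get(token.lower(), int(token) if token.isdigit() else token)


def parse_acl(text: str) -> list:
    """Parse the ACEs of an 'ip access-list extended' block, in order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            action, proto, src, sport, dst, dport = m.groups()
            aces.append({"action": action, "proto": proto.lower(), "src": src,
                         "sport": _port(sport), "dst": dst, "dport": _port(dport)})
    return aces


def _addr_matches(spec: str, addr: str) -> bool:
    """Evaluate an IOS address spec (host A / any / A wildcard) against one address."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return parts[1] == addr
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    keep = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)


def permitted(aces: list, proto: str, src: str, dst: str, dport=None) -> bool:
    """First-match evaluation with the implicit deny at the end of every IOS ACL.
    Source ports are deliberately ignored: behind a NAT they are not reliable."""
    for ace in aces:
        if (ace["proto"] in (proto, "ip") and _addr_matches(ace["src"], src)
                and _addr_matches(ace["dst"], dst)
                and (dport is None or ace["dport"] in (None, dport))):
            return ace["action"] == "permit"
    return False


def audit(acl_text: str, peer: str, local: str, gre: bool = False) -> list:
    """List what an inbound WAN ACL lacks for an IPsec peer that sits behind NAT,
    plus any ACE that pins the peer's source port."""
    needed = [("IKE udp/500 (isakmp)", "udp", 500),
              ("NAT-T udp/4500 (non500-isakmp)", "udp", 4500),
              ("ESP (IP protocol 50)", "esp", None)]
    if gre:  # the thread's ACLs also pass GRE between the same two addresses
        needed.append(("GRE (IP protocol 47)", "gre", None))
    aces = parse_acl(acl_text)
    findings = [f"MISSING: {label} from {peer} to {local}"
                for label, proto, dport in needed if not permitted(aces, proto, peer, local, dport)]
    findings += [f"FRAGILE: '{a['proto']}' ACE pins source port {a['sport']}; "
                 "a port-overloading NAT may translate it"
                 for a in aces if a["action"] == "permit" and a["sport"] is not None]
    return findings


def suggested_fix(peer: str, local: str) -> str:
    """ACE to add: match the destination port only, so a translated source port still passes."""
    return f" permit udp host {peer} host {local} eq non500-isakmp"


# Constructed stand-in for R2's 'Allow' ACL, with RFC 5737 addresses in place of the
# thread's placeholders: 203.0.113.10 is the NAT router's WAN IP, 198.51.100.20 is R2.
PEER, LOCAL = "203.0.113.10", "198.51.100.20"
ACL_BEFORE = """\
ip access-list extended Allow
 permit udp host 203.0.113.10 eq isakmp host 198.51.100.20 eq isakmp
 permit esp host 203.0.113.10 host 198.51.100.20
 permit gre host 203.0.113.10 host 198.51.100.20
"""
ACL_AFTER = ACL_BEFORE + suggested_fix(PEER, LOCAL) + "\n"


def demo() -> dict:
    return {"before": audit(ACL_BEFORE, PEER, LOCAL, gre=True),
            "after": audit(ACL_AFTER, PEER, LOCAL, gre=True)}
```

demo()["before"] reports the NAT-T entry as missing and the isakmp ACE as fragile; demo()["after"] keeps only the fragile warning, since the added line supplies udp/4500. To use it on a real box, paste the output of show running-config | section ip access-list extended into acl_text and pass the NAT router's public address as peer.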