Here is the IPSec-related config on the Cisco 3800. It uses the dynamic crypto map approach, as we don't know which public IP the Service Provider uses for outside NAT:
crypto ipsec transform-set office esp-des esp-md5-hmac
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
crypto dynamic-map DYNAMAP 5555
 set security-association lifetime seconds 28800
 set transform-set office
 set pfs group2
 match address test-gsm
 reverse-route
crypto map RETAIL 40000 ipsec-isakmp dynamic DYNAMAP
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
ip access-list extended test-gsm
 permit ip any 10.109.51.96 0.0.0.31
interface GigabitEthernet0/1
 description Outbound
 ip address X.X.158.20 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly max-fragments 64
 ip policy route-map counters
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 crypto map RETAIL
 max-reserved-bandwidth 90
end
MSR-900 config:
acl number 3001
 rule 0 permit ip source 10.109.51.96 0.0.0.31
ike proposal 1
 dh group2
 authentication-algorithm md5
 sa duration 3600
ike peer 1
 pre-shared-key cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 remote-address XXX.XXX.158.20
ipsec proposal office
#
ipsec policy vpn 1 isakmp
 security acl 3001
 pfs dh-group2
 ike-peer 1
 proposal office
 sa duration time-based 28800
interface Ethernet0/0
 port link-mode route
 ip address dhcp-alloc
 ipsec policy vpn
interface Loopback0
 ip address 10.109.51.126 255.255.255.255
Please see the attached MSR-900 debug; it is too long to post here. You can see that all security associations are being established, but NAT-T is not detected.
Crypto SA on MSR, please notice that NAT-T is not negotiated:
<Remote-Site> displ ipsec sa
===============================
Interface: Ethernet0/0
path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "vpn"
  sequence number: 1
  mode: isakmp
  -----------------------------
    connection id: 3
    encapsulation mode: tunnel
    perfect forward secrecy: DH group 2
    tunnel:
        local  address: 192.168.1.201
        remote address: XX.XXX.158.20
    flow:
        sour addr: 10.109.51.96/255.255.255.224  port: 0  protocol: IP
        dest addr: 0.0.0.0/0.0.0.0  port: 0  protocol: IP
    [inbound ESP SAs]
      spi: 3957060744 (0xebdbf488)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 1843200/28800
      sa remaining duration (kilobytes/sec): 1843200/28420
      max received sequence-number: 1
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 3564383543 (0xd4742d37)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 1843200/28800
      sa remaining duration (kilobytes/sec): 1843199/28420
      max received sequence-number: 5
      udp encapsulation used for nat traversal: N

<Remote-Site>displ ike sa
    total phase-1 SAs:  1
    connection-id  peer             flag      phase  doi
  ----------------------------------------------------------------
      5            XXX.XXX.158.20   RD|ST     1      IPSEC
      6            XXX.XXX.158.20   RD|ST     2      IPSEC
    flag meaning
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<Remote-Site>
We got IKE phase 2 and IPSec negotiated successfully on the Cisco 3800 also; you can see ICMP packets being received and sent, but the replies vanished somewhere on the ISP NAT peers:
ru-msk-c3845-vpn#sh crypto sess remo X.X.8.193 de
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/1
Uptime: 00:00:51
Session status: UP-ACTIVE
Peer: X.X.8.193 port 3324 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.201
Desc: (none)
IKE SA: local XXX.XXX.158.20/500 remote X.X.8.193/3324 Active
Capabilities:(none) connid:8976 lifetime:00:59:06
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.109.51.96/255.255.255.224
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 1830689/28748
Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 1830689/28748
In addition to that, IKE aggressive mode should be enabled, because of the dynamic IP of the remote-site router.
ike peer 1
 nat traversal
 exchange-mode aggressive
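As an added example (not part of the original post), a small Python check that reads the two outputs shown above and flags the combination seen here: on the Cisco, a remote IKE port other than 500 (a NAT rewrote the peer's source port) with no N in the Capabilities flags, and on the MSR, `udp encapsulation used for nat traversal: N`. The sample outputs are constructed from the post's values with documentation IP addresses substituted for the masked ones.

```python
import re

# Constructed sample (documentation IPs) modelled on the Cisco
# 'show crypto session ... detail' output in the post.
CISCO_SESSION = """\
Peer: 203.0.113.193 port 3324 fvrf: (none) ivrf: (none)
  Phase1_id: 192.168.1.201
  IKE SA: local 198.51.100.20/500 remote 203.0.113.193/3324 Active
          Capabilities:(none) connid:8976 lifetime:00:59:06
"""
# Constructed sample modelled on the MSR 'display ipsec sa' output in the post.
MSR_SA = """\
    [inbound ESP SAs]
      spi: 3957060744 (0xebdbf488)
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 3564383543 (0xd4742d37)
      udp encapsulation used for nat traversal: N
"""

def check_cisco_session(text):
    """Parse one IOS crypto session block and report NAT / NAT-T state.
    A remote IKE port other than 500 means a NAT device rewrote the peer's
    source port; if the Capabilities flags (legend: N = NAT-traversal) lack
    'N', NAT-T was never negotiated, so ESP leaves un-encapsulated and the
    NAT is likely to lose the replies, as seen in the post."""
    sa = re.search(r"IKE SA: local \S+/\d+ remote (\S+)/(\d+)", text)
    caps = re.search(r"Capabilities:(\S+)", text)
    if not sa or not caps:
        raise ValueError("IKE SA / Capabilities lines not found")
    remote_port = int(sa.group(2))
    flags = set() if caps.group(1) == "(none)" else set(caps.group(1))
    nat_in_path, nat_t = remote_port != 500, "N" in flags
    return {"peer": sa.group(1), "remote_port": remote_port,
            "nat_in_path": nat_in_path, "nat_t": nat_t,
            "at_risk": nat_in_path and not nat_t}

def check_msr_ipsec_sa(text):
    """True if every ESP SA in Comware 'display ipsec sa' output uses UDP
    encapsulation (NAT-T negotiated); False if any SA reports 'N'."""
    values = re.findall(r"udp encapsulation used for nat traversal: (\w)", text)
    if not values:
        raise ValueError("no ESP SA entries found")
    return all(v == "Y" for v in values)

if __name__ == "__main__":
    print(check_cisco_session(CISCO_SESSION))
    print("MSR NAT-T negotiated:", check_msr_ipsec_sa(MSR_SA))
```

Once `nat traversal` is enabled and the SAs are rebuilt, the same check should report the N capability on the Cisco side and `Y` on both MSR SAs.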
Now it's working, thanks.
<Remote-Site>debug ipsec all
<Remote-Site>debug ike all
<Remote-Site>termi mon
Info: Current terminal monitor is on.
<Remote-Site>termi deb
Info: Current terminal debugging is on.
<Remote-Site>ping -a 10.109.51.126 10.111.2.20