
MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work

We have a bunch of sites connected by IPSec tunnels between a central Cisco 3800 and remote MSR-900s.

Everything is fine when the remote site uses a white IP. But when the ISP provides a grey one, we have a problem transmitting traffic over IPSec.

In my opinion, the problem is that NAT-T is not engaged during the setup phase.

If the MSR-900 is replaced by a Cisco 861, the IPSec tunnel establishes successfully with NAT-T enabled and traffic goes through.

There are no specific IPSec NAT-T config commands on the MSR, so I presume it is enabled by default.


Here is the IPSec-related config on the Cisco 3800. It uses the dynamic crypto map approach, as we don't know which public IP the Service Provider uses for outside NAT:

crypto ipsec transform-set office esp-des esp-md5-hmac

crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address
crypto dynamic-map DYNAMAP 5555
 set security-association lifetime seconds 28800
 set transform-set office
 set pfs group2
 match address test-gsm
 reverse-route

crypto map RETAIL 40000 ipsec-isakmp dynamic DYNAMAP

crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
ip access-list extended test-gsm
 permit ip any

interface GigabitEthernet0/1
 description Outbound
 ip address X.X.158.20
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly max-fragments 64
 ip policy route-map counters
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 crypto map RETAIL
 max-reserved-bandwidth 90
end

 MSR-900 config:

acl number 3001
 rule 0 permit ip source

ike proposal 1
 dh group2
 authentication-algorithm md5
 sa duration 3600

ike peer 1
 remote-address XXX.XXX.158.20

ipsec proposal office
ipsec policy vpn 1 isakmp
 security acl 3001
 pfs dh-group2
 ike-peer 1
 proposal office
 sa duration time-based 28800

interface Ethernet0/0
 port link-mode route
 ip address dhcp-alloc
 ipsec policy vpn

interface Loopback0
ip address


Please see the attached MSR-900 debug; it is too long to post here. You can see that all security associations are being established, but NAT-T is not detected.


Crypto SA on the MSR; please notice that NAT-T is not negotiated:

<Remote-Site> displ ipsec sa
Interface: Ethernet0/0
    path MTU: 1500

  IPsec policy name: "vpn"
  sequence number: 1
  mode: isakmp
    connection id: 3
    encapsulation mode: tunnel
    perfect forward secrecy: DH group 2
        local  address:
        remote address: XX.XXX.158.20
        sour addr:  port: 0  protocol: IP
        dest addr:  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 3957060744 (0xebdbf488)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  ---- More ----
      sa duration (kilobytes/sec): 1843200/28800
      sa remaining duration (kilobytes/sec): 1843200/28420
      max received sequence-number: 1
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3564383543 (0xd4742d37)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 1843200/28800
      sa remaining duration (kilobytes/sec): 1843199/28420
      max received sequence-number: 5
      udp encapsulation used for nat traversal: N
<Remote-Site>displ ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
     5             XXX.XXX.158.20   RD|ST         1     IPSEC
     6             XXX.XXX.158.20   RD|ST         2     IPSEC

  flag meaning



We got IKE phase 2 and IPSec negotiated successfully on the Cisco 3800 also; you can see ICMP packets being received and sent, but the replies vanished somewhere on the ISP NAT peers:


ru-msk-c3845-vpn#sh crypto sess remo X.X.8.193 de
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/1
Uptime: 00:00:51
Session status: UP-ACTIVE     
Peer: X.X.8.193 port 3324 fvrf: (none) ivrf: (none)
      Desc: (none)
  IKE SA: local XXX.XXX.158.20/500 remote X.X.8.193/3324 Active 
          Capabilities:(none) connid:8976 lifetime:00:59:06
  IPSEC FLOW: permit ip 
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 1830689/28748
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 1830689/28748

Please suggest anything kindly.
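As an added check (not part of the original post), the script below parses the two outputs quoted above, Comware `display ipsec sa` and IOS `show crypto session detail`, and reports whether NAT-T was negotiated on each side. The embedded sample outputs are constructed, shortened copies of the post's, and the rule that a peer IKE port other than 500/4500 indicates a NAT in the path is an assumption of this example.

```python
import re

# Constructed, shortened copy of the post's 'display ipsec sa' output.
COMWARE_SA = """\
    [inbound ESP SAs]
      spi: 3957060744 (0xebdbf488)
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 3564383543 (0xd4742d37)
      udp encapsulation used for nat traversal: N
"""

# Constructed, shortened copy of the post's 'show crypto session detail' output.
IOS_SESSION = """\
Peer: X.X.8.193 port 3324 fvrf: (none) ivrf: (none)
  IKE SA: local XXX.XXX.158.20/500 remote X.X.8.193/3324 Active
          Capabilities:(none) connid:8976 lifetime:00:59:06
"""

def comware_nat_t(output):
    """Map each ESP SA's SPI to its 'udp encapsulation used for nat traversal' flag."""
    flags, spi = {}, None
    for line in output.splitlines():
        m = re.search(r"spi: \d+ \((0x[0-9a-f]+)\)", line)
        if m:
            spi = m.group(1)
            continue
        m = re.search(r"udp encapsulation used for nat traversal: ([YN])", line)
        if m and spi:
            flags[spi] = m.group(1) == "Y"
    return flags

def ios_nat_t(output):
    """Read the peer's IKE port and the Capabilities flags; 'N' means NAT-traversal."""
    port = re.search(r"^Peer: \S+ port (\d+)", output, re.M)
    caps = re.search(r"Capabilities:(\S+)", output)
    raw = caps.group(1) if caps else "(none)"
    flag_set = set() if raw == "(none)" else set(raw)
    peer_port = int(port.group(1)) if port else None
    # Assumption of this example: an IKE source port other than 500/4500 means
    # a NAT rewrote it on the way, so the peers should have detected NAT-T.
    return {"peer_port": peer_port, "nat_t": "N" in flag_set,
            "nat_suspected": peer_port not in (None, 500, 4500)}

def diagnose(comware_output, ios_output):
    # Combine both sides: NAT evidence on the hub, no UDP encapsulation on either end.
    ios = ios_nat_t(ios_output)
    if ios["nat_suspected"] and not ios["nat_t"] and not any(comware_nat_t(comware_output).values()):
        return "NAT in path but NAT-T not negotiated: enable 'nat traversal' on the Comware ike peer"
    return "NAT-T state consistent with the peer port"
```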







Re: MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work

Maybe you should try this:


# Enable the NAT traversal function for IKE peer peer1. 

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] nat traversal

Re: MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work

Hello, Marj


Thank you for the reply.


You're right, I missed that in the documentation; I should explicitly define NAT traversal for the peer.
In addition to that, IKE aggressive mode should be enabled because of the dynamic IP of the remote-site router.


ike peer 1
 nat traversal
 exchange-mode aggressive

Now it's working, thanks.