MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work
11-25-2012 11:31 PM - last edited on 06-02-2013 09:05 PM by Maiko-I
Hello,
We have a bunch of sites connected by IPSec tunnels between a central Cisco 3800 and remote MSR-900s.
Everything is fine when the remote site uses a white IP. But when the ISP provides a grey one, e.g. 192.168.1.200, we have a problem transmitting traffic over IPSec.
In my opinion, the problem is that NAT-T is not engaged during the setup phase.
If the MSR-900 is replaced by a Cisco 861, the IPSec tunnel establishes successfully with NAT-T enabled and traffic goes through.
There are no specific IPSec NAT-T config commands on the MSR, so I presume it is enabled by default.
Here is the IPSec-related config on the Cisco 3800. It uses the dynamic crypto map approach, as we don't know which public IP the Service Provider uses for outside NAT:
crypto ipsec transform-set office esp-des esp-md5-hmac
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
crypto dynamic-map DYNAMAP 5555
 set security-association lifetime seconds 28800
 set transform-set office
 set pfs group2
 match address test-gsm
 reverse-route
crypto map RETAIL 40000 ipsec-isakmp dynamic DYNAMAP
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
ip access-list extended test-gsm
 permit ip any 10.109.51.96 0.0.0.31
interface GigabitEthernet0/1
 description Outbound
 ip address X.X.158.20 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly max-fragments 64
 ip policy route-map counters
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 crypto map RETAIL
 max-reserved-bandwidth 90
end
MSR-900 config:
acl number 3001
 rule 0 permit ip source 10.109.51.96 0.0.0.31
ike proposal 1
 dh group2
 authentication-algorithm md5
 sa duration 3600
ike peer 1
 pre-shared-key cipher XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 remote-address XXX.XXX.158.20
ipsec proposal office
#
ipsec policy vpn 1 isakmp
 security acl 3001
 pfs dh-group2
 ike-peer 1
 proposal office
 sa duration time-based 28800
interface Ethernet0/0
 port link-mode route
 ip address dhcp-alloc
 ipsec policy vpn
interface Loopback0
 ip address 10.109.51.126 255.255.255.255
Please see the attached MSR-900 debug; it is too long to post here. You can see that all security associations are being established, but NAT-T is not detected.
Crypto SA on the MSR; please notice that NAT-T is not negotiated:
<Remote-Site> displ ipsec sa
===============================
Interface: Ethernet0/0
 path MTU: 1500
===============================
 -----------------------------
 IPsec policy name: "vpn"
 sequence number: 1
 mode: isakmp
 -----------------------------
 connection id: 3
 encapsulation mode: tunnel
 perfect forward secrecy: DH group 2
 tunnel:
  local address: 192.168.1.201
  remote address: XX.XXX.158.20
 flow:
  sour addr: 10.109.51.96/255.255.255.224 port: 0 protocol: IP
  dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
 [inbound ESP SAs]
  spi: 3957060744 (0xebdbf488)
  proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  ---- More ----
  sa duration (kilobytes/sec): 1843200/28800
  sa remaining duration (kilobytes/sec): 1843200/28420
  max received sequence-number: 1
  anti-replay check enable: Y
  anti-replay window size: 32
  udp encapsulation used for nat traversal: N
 [outbound ESP SAs]
  spi: 3564383543 (0xd4742d37)
  proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
  sa duration (kilobytes/sec): 1843200/28800
  sa remaining duration (kilobytes/sec): 1843199/28420
  max received sequence-number: 5
  udp encapsulation used for nat traversal: N

<Remote-Site>displ ike sa
 total phase-1 SAs: 1
 connection-id  peer             flag   phase  doi
 ----------------------------------------------------------------
 5              XXX.XXX.158.20   RD|ST  1      IPSEC
 6              XXX.XXX.158.20   RD|ST  2      IPSEC
 flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<Remote-Site>
We got IKE phase 2 and IPSec negotiated successfully on the Cisco 3800 also; you can see ICMP packets being received and sent, but the replies vanish somewhere on the ISP NAT peers:
ru-msk-c3845-vpn#sh crypto sess remo X.X.8.193 de
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/1
Uptime: 00:00:51
Session status: UP-ACTIVE
Peer: X.X.8.193 port 3324 fvrf: (none) ivrf: (none)
 Phase1_id: 192.168.1.201
 Desc: (none)
 IKE SA: local XXX.XXX.158.20/500 remote X.X.8.193/3324 Active
  Capabilities:(none) connid:8976 lifetime:00:59:06
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.109.51.96/255.255.255.224
  Active SAs: 2, origin: dynamic crypto map
  Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 1830689/28748
  Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 1830689/28748
Please kindly suggest anything.
Thanks!
11-26-2012 06:02 AM
11-26-2012 10:03 PM
Re: MSR 900 + Cisco, site-to-site IPSec, NAT-T doesn't work
Hello, Marj
Thank you for reply.
You're right, I missed that in the documentation; I should explicitly define NAT traversal for the peer.
In addition to that, IKE aggressive mode should be enabled because of the dynamic IP of the remote-site router.
ike peer 1
 nat traversal
 exchange-mode aggressive
Now it's working, thanks.
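The symptom in this thread is visible in the two CLI outputs before the fix: the Cisco side sees the IKE peer on a rewritten source port (3324, not 500) with a private Phase1_id, yet reports Capabilities:(none), and the MSR side reports "udp encapsulation used for nat traversal: N". Below is an added example (not code from the thread, HPE or Cisco) that parses trimmed copies of those outputs and flags a peer that is behind NAT without NAT-T, which is the condition under which plain ESP is dropped or mangled by the ISP's NAT. The sample strings are constructed from the thread's output with the same masked addresses; the "N" capability letter follows the legend printed by the Cisco command itself.

```python
import re

# Constructed samples, trimmed from the thread's own CLI output (addresses masked as posted).
CISCO_SESSION = """\
Peer: X.X.8.193 port 3324 fvrf: (none) ivrf: (none)
  Phase1_id: 192.168.1.201
  IKE SA: local XXX.XXX.158.20/500 remote X.X.8.193/3324 Active
          Capabilities:(none) connid:8976 lifetime:00:59:06
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.109.51.96/255.255.255.224
"""
COMWARE_SA = """\
  tunnel:
    local  address: 192.168.1.201
    remote address: XX.XXX.158.20
    udp encapsulation used for nat traversal: N
"""

# RFC 1918 ranges: a peer that identifies itself with one of these is behind NAT.
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def check_cisco(text):
    """Parse 'show crypto session ... detail' and flag a NAT-T gap on the Cisco side."""
    sa = re.search(r"IKE SA: local \S+/(\d+) remote (\S+)/(\d+)", text)
    caps = re.search(r"Capabilities:(\S+)", text)
    pid = re.search(r"Phase1_id: (\S+)", text)
    if not (sa and caps and pid):
        raise ValueError("unrecognised 'show crypto session' output")
    remote_ip, remote_port = sa.group(2), int(sa.group(3))
    # IKE arriving from a port other than 500, or a private Phase1 ID that differs
    # from the address we actually see, both mean a NAT device sits in the path.
    behind_nat = bool(remote_port != 500 or (PRIVATE.match(pid.group(1)) and pid.group(1) != remote_ip))
    # 'N' in the capability flags means NAT-traversal was negotiated; '(none)' means nothing was.
    nat_t = caps.group(1) != "(none)" and "N" in caps.group(1)
    return {"behind_nat": behind_nat, "nat_t": nat_t, "gap": behind_nat and not nat_t}


def check_comware(text):
    """Parse Comware 'display ipsec sa' and flag a NAT-T gap on the MSR side."""
    local = re.search(r"local\s+address: (\S+)", text)
    udp = re.search(r"udp encapsulation used for nat traversal: (\w)", text)
    if not (local and udp):
        raise ValueError("unrecognised 'display ipsec sa' output")
    behind_nat = bool(PRIVATE.match(local.group(1)))  # tunnel endpoint is a grey address
    nat_t = udp.group(1).upper() == "Y"                # ESP is UDP-encapsulated only when Y
    return {"behind_nat": behind_nat, "nat_t": nat_t, "gap": behind_nat and not nat_t}


if __name__ == "__main__":
    for side, result in (("cisco", check_cisco(CISCO_SESSION)), ("msr", check_comware(COMWARE_SA))):
        print(side, result)  # both report gap=True for the outputs posted before the fix
```

After `nat traversal` is configured on the MSR peer, the Cisco capabilities field should show N and the Comware SA should show Y, and both checks return gap=False.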