Solved

IPSEC VPN between two Cisco fails with NAT in between

Posted on 2013-01-17
1,156 Views
Last Modified: 2013-02-01
Hi,

I'm having some problems with a VPN tunnel ... basic setup is two current Cisco routers (880 series) with up-to-date IOS. One side has a fixed IP address, the other is using a 4G uplink via an external router. This has a dynamic IP towards the Internet, static RFC IP towards the Cisco. Phase 1 is set up correctly, but no packets are transmitted via the tunnel.

We've set up the whole config in a GNS sim, using basically the same config with copy&paste from the live systems. When not using NAT on the "Internet" router, the VPN connection comes up with both P1 and P2, and transfer via the VPN link works fine. As soon as I activate NAT on the "Internet" router (and after clearing and re-establishing the IKE connection), transfer now runs exclusively on UDP 4500 (as it's supposed to), but no packets seem to be arriving on the remote end, no matter from which end I do a ping. Displaying packets ("debug ip packet") and the interface counters confirm that packets are arriving, but somehow the ipsec sa does not show any received packets, neither ones that are decoded, nor otherwise ...

I'm more or less at a loss to further debug this issue ... from all I know and see, the VPN ought to be working ...
Question by:Garry-G
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38787108
You would need to configure NAT exempt for ipsec traffic

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

Go to the "Network Address Translation (NAT) and IPSec VPN Tunnels" section
LVL 17

Author Comment

by:Garry-G
ID: 38787227
The two endpoints do not do NAT. NAT is exclusively run on the 4G-gateway, on which I can't disable NAT, as it's part of the provider network ... and routing the internal (RFC-)IP through the Internet doesn't really work either ;)
LVL 17

Author Comment

by:Garry-G
ID: 38818845
OK, here's the details with config excerpts that should include everything needed to put this into GNS3, and some debugging/analyzing info:

----
Site A (static IP):

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20 10
!
crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNVPN 10
 set transform-set L2L
 set reverse-route distance 200
 match address VPNNETZE
 reverse-route
!
crypto map VPN 65535 ipsec-isakmp dynamic DYNVPN
!
interface FastEthernet0/0
 description WAN1 phys.
 ip address 192.168.150.160 255.255.255.192
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet1/0
 description LAN
 ip address 105.1.5.70 255.0.0.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.150.190
!
ip access-list extended VPNNETZE
 permit ip any 106.0.0.0 0.255.255.255

------------------------

Site B (dynamic IP, outgoing NAT on the gateway):

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 192.168.150.160
crypto isakmp keepalive 20 10
!
crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.150.160
 set transform-set L2L
 set reverse-route distance 200
 match address VPNNETZE
 reverse-route static
!
interface FastEthernet0/0
 description WAN1 physikalisch - LTE Modem
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet1/0
 description VLAN1 LAN
 ip address 106.1.5.2 255.0.0.0
 duplex auto
 speed auto
!
ip access-list extended VPNNETZE
 permit ip 106.0.0.0 0.255.255.255 105.0.0.0 0.255.255.255

----------------------------

Gateway (simulating the Internet and the NATing gateway):

interface FastEthernet0/0
 ip address 192.168.150.190 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
!
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any

------------------------------------

No matter if NAT is enabled or not, the ISAKMP SA is up:

SiteA#sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.150.160 192.168.150.190 QM_IDLE           1005    0 ACTIVE

SiteB#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.150.160 192.168.2.2     QM_IDLE           1005    0 ACTIVE

But with NAT on the gateway, pings do not get through:

SiteB#ping 105.1.5.70 source fa1/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.1.5.70, timeout is 2 seconds:
Packet sent with a source address of 106.1.5.2
.....

Packets are encrypted, though:

SiteB#show crypto ips sa

interface: FastEthernet0/0
    Crypto map tag: VPN, local addr 192.168.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.30.6/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.30.5/255.255.255.255/0/0)
   current_peer 192.168.150.160 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12 <<<<<<<<<<<<<<<<
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 192.168.2.2, remote crypto endpt.: 192.168.150.160
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x4B38900E(1261998094)

The remote end does not accept those packets though:

SiteA#show crypto ip
*Mar  1 01:42:37: %SYS-5-CONFIG_I: Configured from console by admin on consoles sa

interface: FastEthernet0/0
    Crypto map tag: VPN, local addr 192.168.150.160

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.30.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.30.6/255.255.255.255/0/0)
   current_peer 192.168.150.190 port 4500
     PERMIT, flags={}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 <<<<<<<<<<<
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.150.160, remote crypto endpt.: 192.168.150.190
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBD4A7DDC(3175775708)

On the gateway, I see the NAT translation correctly:

Pro Inside global      Inside local       Outside local      Outside global
udp 192.168.150.190:4500 192.168.2.2:4500 192.168.150.160:4500 192.168.150.160:4500

Site B notices it's behind NAT and switches to UDP 4500 correctly.

Anyway, I do get errors on either side:

*Mar  1 01:41:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.150.160, prot=50, spi=0x32040000(839122944), srcaddr=192.168.150.190

and

*Mar  1 01:29:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.2.2, prot=50, spi=0x32040000(839122944), srcaddr=192.168.150.160

Disabling NAT and clear ISAKMP, everything works as expected:

SiteB#clear crypto isa
SiteB#clear crypto sa
SiteB#ping 105.1.5.70 source fa1/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.1.5.70, timeout is 2 seconds:
Packet sent with a source address of 106.1.5.2
.!!!!

What am I missing here????
LVL 17

Accepted Solution

by:
Garry-G earned 0 total points
ID: 38825750
OK, the basic cause of the problem is the "AH" part of the transform set - AH does cryptographic checksums on the headers, which are (of course) broken by the NAT process ...
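Why the AH half of the transform set cannot survive the 4G gateway, as an added illustration written for this thread (Python, not Cisco code): a toy HMAC-SHA1-96 integrity check modelled on RFC 4302 (AH) and RFC 4303 (ESP), where AH authenticates the immutable IPv4 header fields including the source address, while ESP covers only the ESP header and payload. The key and payload are constructed; the addresses and SPI are taken from the configs and outputs above.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # stands in for the negotiated SHA-HMAC integrity key
SPI = 0x4B38900E               # outbound SPI from Site B's "show crypto ipsec sa" above

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 (it is a mutable field anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto,
                       0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def ah_immutable_view(ip_hdr):
    """Zero RFC 4302's mutable fields (TOS, flags/frag, TTL, checksum); src/dst stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def hmac_sha1_96(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, ah_hdr, payload):
    """AH ICV: outer IP header (immutable view) + AH header with ICV field zeroed + payload."""
    return hmac_sha1_96(ah_immutable_view(ip_hdr) + ah_hdr + bytes(12) + payload)

def esp_icv(esp_hdr, ciphertext):
    """ESP ICV: ESP header + encrypted payload only; the outer IP header is not covered."""
    return hmac_sha1_96(esp_hdr + ciphertext)

def forward(ip_hdr, new_src=None):
    """Router hop: decrement TTL; with new_src also rewrite the source (what the 4G NAT does)."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    if new_src:
        h[12:16] = ipaddress.ip_address(new_src).packed
    return bytes(h)

def demo():
    payload = b"constructed ICMP echo, already ESP-encrypted in the real tunnel"
    ah_hdr = struct.pack("!BBHII", 50, 4, 0, SPI, 1)   # next=ESP, payload len, reserved, SPI, seq
    esp_hdr = struct.pack("!II", SPI, 1)               # SPI, sequence number
    sent = ipv4_header("192.168.2.2", "192.168.150.160", 51, 20 + 24 + len(payload))
    icv_ah, icv_esp = ah_icv(sent, ah_hdr, payload), esp_icv(esp_hdr, payload)
    routed = forward(sent)                              # plain router: TTL-1 only
    natted = forward(sent, "192.168.150.190")           # 4G gateway: TTL-1 and src rewrite
    return {
        "ah_ok_after_plain_routing": hmac.compare_digest(icv_ah, ah_icv(routed, ah_hdr, payload)),
        "ah_ok_after_nat": hmac.compare_digest(icv_ah, ah_icv(natted, ah_hdr, payload)),
        "esp_ok_after_nat": hmac.compare_digest(icv_esp, esp_icv(esp_hdr, payload)),
    }
```

The TTL-only hop verifies because AH zeroes mutable fields before hashing, but the NAT rewrite of the source address fails AH while ESP is unaffected; in Cisco terms that means a transform set without the ah-sha-hmac component for a peer behind NAT.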
LVL 17

Author Closing Comment

by:Garry-G
ID: 38843122
Resolved through other sources/research