IPsec not working

Gngogh Member Posts: 165
Hi, I'm doing an IPsec lab, and I'm having some problems with it.

I have two routers connected to the WAN using PPP and NAT. Everything is working fine; I'm just unable to get IPsec working. Here's my IPsec config:

on R1:

!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp key ciscosecret address 13.1.0.2
!
!
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
!
crypto map map1 1 ipsec-isakmp
set peer 13.1.0.2
set transform-set set1
match address 100
!
!
interface Serial1/0
ip address 11.1.0.2 255.255.255.252
encapsulation ppp
ip nat outside
crypto map map1
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
!

on R2:

!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp key ciscosecret address 11.1.0.2
!
!
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
!
crypto map map1 1 ipsec-isakmp
set peer 11.1.0.2
set transform-set set1
match address 100
!
!
interface Serial1/0
ip address 13.1.0.2 255.255.255.252
encapsulation ppp
ip nat outside
crypto map map1
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
!

Comments

  • networker050184 Mod Posts: 11,962
    How are you testing to know this is not working?

    Think through your NAT. What source address is going to be on this packet after it is NAT'ed? Will that match your ACL?
    An expert is a man who has made all the mistakes which can be made.
  • Gngogh Member Posts: 165
    After it is NAT'ed, the source address is Serial 1/0.

    e.g. packets going out from the net 192.168.0.0 are translated to 11.1.0.2;
    the peer is the other router, 13.1.0.2.

    So NAT is being executed before IPsec. I just disabled NAT and it worked fine. I have another router in this lab that is not using IPsec, and I'm unable to ping it when I disable NAT. How can I get this working with NAT? Is that possible?
  • DANMOH009 Member Posts: 241
    Gngogh

    I'm assuming all your other configuration is correct, i.e. NAT statements etc., but it looks like you haven't got all your phase 1 details entered.

    crypto isakmp policy 1
    Hash ....
    Authentication ...
    Group ....
    LeaseTime ...
    Encryption ...

    I'd start by using all the phase 1 attributes needed; if it still doesn't work we may need to see more configuration.
  • Gngogh Member Posts: 165
    I have left all the phase 1 attributes at their defaults... and adding HASH, Authentication, Group, LeaseTime and Encryption will not change a thing, because I think NAT is being executed before IPsec, thus it is changing everything and IPsec doesn't like that.
    But since you are willing to help me I will give it a try and let you know about the results.
  • DANMOH009 Member Posts: 241
    Can you add the NAT config so I can take a look?
  • networker050184 Mod Posts: 11,962
    Gngogh wrote:
    After it is NAT'ed, the source address is Serial 1/0.

    e.g. packets going out from the net 192.168.0.0 are translated to 11.1.0.2;
    the peer is the other router, 13.1.0.2.

    So NAT is being executed before IPsec. I just disabled NAT and it worked fine. I have another router in this lab that is not using IPsec, and I'm unable to ping it when I disable NAT. How can I get this working with NAT? Is that possible?

    If you still want to NAT you need to deny the traffic that will traverse the IPSEC tunnel from being NAT'ed in your NAT ACL.
    An expert is a man who has made all the mistakes which can be made.
  • Gngogh Member Posts: 165
    So I have changed all the default attributes of phase 1; I added this to both routers:

    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    lifetime 86400
    group 1

    It still doesn't work when I have NAT enabled... and it works when I disable it.

    R1:

    !
    hostname R1
    !
    !
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    !
    crypto isakmp key ciscosecret address 13.1.0.2
    !
    !
    crypto ipsec transform-set set1 esp-aes esp-sha-hmac
    !
    crypto map map1 1 ipsec-isakmp
    set peer 13.1.0.2
    set transform-set set1
    match address 100
    !
    !
    interface FastEthernet0/0
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    duplex auto
    speed auto
    !
    !
    interface Serial1/0
    ip address 11.1.0.2 255.255.255.252
    encapsulation ppp
    ip nat outside
    crypto map map1
    !
    !
    ip nat inside source list 10 interface Serial1/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 11.1.0.1
    !
    !
    access-list 10 permit 192.168.0.0 0.0.0.255
    access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
    !

    R2:

    !
    hostname R2
    !
    !
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    !
    crypto isakmp key ciscosecret address 11.1.0.2
    !
    !
    crypto ipsec transform-set set1 esp-aes esp-sha-hmac
    !
    crypto map map1 1 ipsec-isakmp
    set peer 11.1.0.2
    set transform-set set1
    match address 100
    !
    !
    interface FastEthernet0/0
    ip address 10.0.0.1 255.0.0.0
    ip nat inside
    duplex auto
    speed auto
    !
    interface Serial1/0
    ip address 13.1.0.2 255.255.255.252
    encapsulation ppp
    ip nat outside
    crypto map map1
    !
    !
    ip nat inside source list 10 interface Serial1/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 13.1.0.1
    !
    !
    access-list 10 permit 10.0.0.0 0.255.255.255
    access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
    !

    I think the problem is NAT and I have to add something to the NAT configuration, so that the connection is made through UDP port 500. I just don't know what.
  • DANMOH009 Member Posts: 241
    If you still want to NAT you need to deny the traffic that will traverse the IPSEC tunnel from being NAT'ed in your NAT ACL.

    Networker's bang on again; use a route map, something like this but obviously with your IPs:

    route-map NONAT permit 10
    match ip address 110

    ip access-list extended 110
    deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 any <<<< everything else can be NAT'ed

    Then apply it in your NAT statement: ip nat inside source route-map NONAT pool etc.
  • Gngogh Member Posts: 165
    If you still want to NAT you need to deny the traffic that will traverse the IPSEC tunnel from being NAT'ed in your NAT ACL.

    OK, so I have to change ACL 10 to an extended one. Thanks for the advice.
  • atorven Member Posts: 319
    @DANMOH009 - For this example, why use a route-map in the NAT statement when you can use an ACL?
  • Gngogh Member Posts: 165
    I don't understand route-maps yet; all I did was change the standard ACL to an extended ACL and it worked fine.
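The whole thread comes down to one ordering rule: on an IOS router, inside-source NAT is applied to an inside-to-outside packet before the crypto map's `match address` ACL is evaluated, so with the original standard ACL 10 the crypto ACL never saw a 192.168.0.x source and the traffic left in the clear. The following is an added, self-contained model of that order of operations, written here to illustrate networker050184's NAT-exemption advice and the extended-ACL fix Gngogh ended up with; it is not code or configuration from the thread. Addresses are the lab values posted above (192.168.0.0/24 behind R1, 10.0.0.0/8 behind R2, 11.1.0.2 on R1's Serial1/0), the ACL text is constructed in IOS syntax, and 203.0.113.5 is a made-up Internet host.

```python
"""Model of the IOS inside-to-outside order of operations behind this lab:
inside-source NAT runs first, then the crypto map's match ACL is evaluated
against the post-NAT packet.  Added illustration, not from the thread; the
ACL entries below are constructed in IOS syntax with the lab's addresses."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": every address bit is a wildcard bit


def wildcard_match(addr, network, wildcard):
    """True if addr falls in network/wildcard (IOS wildcard: 1 bits are 'don't care')."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse IOS ACL entries into (action, (src, src_wc), (dst, dst_wc)) tuples.

    Extended entries look like 'permit ip SRC WC DST WC'.  Standard entries
    ('permit SRC WC') match on source only, so the destination is implicitly any.
    """
    rules = []
    for line in lines:
        t = line.split()
        action = t[0]
        if t[1] == "ip":
            src, i = _parse_addr(t, 2)
            dst, _ = _parse_addr(t, i)
        else:
            src, _ = _parse_addr(t, 1)
            dst = ANY
        rules.append((action, src, dst))
    return rules


def acl_action(rules, src, dst):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    for action, (snet, swc), (dnet, dwc) in rules:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


def forward(src, dst, nat_acl, crypto_acl, outside_ip):
    """Return (source address on the wire, encrypted?) for an inside->outside packet.

    Step 1: 'ip nat inside source list ... interface Serial1/0 overload' rewrites
            the source to the outside interface address when the NAT ACL permits.
    Step 2: the crypto map's 'match address' ACL sees the packet AFTER that rewrite.
    """
    if acl_action(nat_acl, src, dst) == "permit":
        src = outside_ip
    encrypted = acl_action(crypto_acl, src, dst) == "permit"
    return src, encrypted


R1_OUTSIDE = "11.1.0.2"

# R1's crypto ACL 100, as posted in the thread.
CRYPTO_ACL_R1 = parse_acl([
    "permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255",
])

# The original standard ACL 10: translates everything from the LAN, tunnel traffic included.
NAT_ACL_STANDARD = parse_acl([
    "permit 192.168.0.0 0.0.0.255",
])

# NAT exemption: deny the tunnel traffic from translation, translate the rest (constructed).
NAT_ACL_EXEMPT = parse_acl([
    "deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip 192.168.0.0 0.0.0.255 any",
])


if __name__ == "__main__":
    cases = [
        ("standard ACL 10, LAN -> 10.0.0.5 ", "192.168.0.10", "10.0.0.5", NAT_ACL_STANDARD),
        ("exempt ACL,      LAN -> 10.0.0.5 ", "192.168.0.10", "10.0.0.5", NAT_ACL_EXEMPT),
        ("exempt ACL,      LAN -> Internet ", "192.168.0.10", "203.0.113.5", NAT_ACL_EXEMPT),
    ]
    for label, src, dst, nat_acl in cases:
        wire_src, enc = forward(src, dst, nat_acl, CRYPTO_ACL_R1, R1_OUTSIDE)
        print(f"{label}: source on wire {wire_src:<14} encrypted={enc}")
```

Run it and the first case shows the symptom from the thread: the LAN-to-10/8 packet leaves with source 11.1.0.2 and does not match the crypto ACL, so it is never encrypted. With the deny entry in front of the NAT ACL, the same packet keeps its 192.168.0.x source and matches, while ordinary Internet-bound traffic is still translated. The model is written in Python rather than IOS because the point is the order of operations, which a config fragment cannot show on its own.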