Member (Registered Member)
Join Date: Jul 2006
Posts: 67
Certifications: CCNA, MCP 70-290, BSCI, BCMSN

Passing IPsec through NAT

I am trying to pass some IPsec traffic through a NAT gateway that I have. I have not yet gotten to the ISCW material, and wondered if someone had some insight into this. It looks like, because of the way NAT modifies the headers, the VPN server discards the traffic. I am searching for a configuration, but thought I would give it a shot here. I am trying to establish an IPsec tunnel through the NAT gateway to a VPN server off site. Thanks in advance!
Senior Member (Registered Member)
Join Date: Jan 2008
Posts: 299
Certifications: A+, Net+, Server+, Sec+, MCP, MCSA:M/MCSE 2k3, CCNA, CCNA SEC, CCDA, CCNP, MCTS, MCITP

Some VPN technologies like DMVPN can work using NAT-T. It would require opening a UDP port. Here is an example: Configuring NAT Transparent Mode for IPSec on the VPN 3000 Concentrator - Cisco Systems
Member (Registered Member)
Join Date: Jul 2006
Posts: 67
Certifications: CCNA, MCP 70-290, BSCI, BCMSN

Looks like many versions of IOS are by default set for IPsec NAT traversal. It wraps the traffic in a UDP header and trailer that keeps the original traffic intact. Unfortunately it looks like my 2400 IOS may not do that. A one-to-one NAT configuration works though; I'll just have to lock down all the unneeded ports through an ACL. Thanks for the help!
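A worked IOS configuration for the approach described in this post, added here as an example; it is not the poster's configuration, and the interface names, addresses (RFC 5737 documentation ranges) and ACL name are assumptions. It does three things: a one-to-one static NAT for the inside IPsec server; an inbound ACL on the outside interface that admits only IKE (UDP 500), NAT-T (UDP 4500) and raw ESP (IP protocol 50) to the translated address; and the IOS global command that controls NAT-T UDP encapsulation on an IOS IPsec endpoint, `crypto ipsec nat-transparency udp-encapsulation`, which is enabled by default. On IOS the inbound ACL on the outside interface is evaluated before the outside-to-inside translation, so it has to match the public (translated) address, not the inside one. AH is left out on purpose: its integrity check covers the IP header addresses and cannot survive any NAT.

```cisco
! Added example; not the poster's configuration. Assumed values:
!   GigabitEthernet0/0 = outside (provider-facing) interface, 203.0.113.10/24
!   GigabitEthernet0/1 = inside interface, 192.168.10.0/24
!   192.168.10.5       = inside IPsec VPN server
!   203.0.113.20       = second public address routed to this CPE, used for the 1:1 NAT
!
interface GigabitEthernet0/0
 description Outside / provider facing
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ip access-group VPN-SERVER-IN in
!
interface GigabitEthernet0/1
 description Inside
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! One-to-one (static) NAT: no port translation, so IKE, NAT-T and raw ESP
! all reach the server on the same ports/protocol the remote peer used.
ip nat inside source static 192.168.10.5 203.0.113.20
!
! Admit only what an IPsec peer needs to reach the translated address.
ip access-list extended VPN-SERVER-IN
 remark isakmp = UDP 500, non500-isakmp = UDP 4500 (NAT-T), esp = IP protocol 50
 permit udp any host 203.0.113.20 eq isakmp
 permit udp any host 203.0.113.20 eq non500-isakmp
 permit esp any host 203.0.113.20
 deny   ip  any host 203.0.113.20 log
 remark add entries for whatever else this interface must accept;
 remark the implicit deny at the end drops everything not listed
!
! NAT-T UDP encapsulation on an IOS IPsec endpoint. This is the global command
! referred to later in the thread; it is on by default and is shown only to make
! the setting explicit. Disable with the "no" form.
crypto ipsec nat-transparency udp-encapsulation
```

The ACL is scoped to the translated address only, so it does not disturb return traffic for other inside hosts; whatever else the outside interface must accept still has to be added above the implicit deny.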
Member (Registered Member)
Join Date: Jul 2006
Posts: 67
Certifications: CCNA, MCP 70-290, BSCI, BCMSN

I actually found, and this is just as an FYI, that NAT-T works for client-based, outbound connections. Not inbound connections to an IPsec server.
Coffee anyone? (Registered Member)
Join Date: Jun 2003
Posts: 801
Certifications: a few...

hi grigsby,
Quote:
    I actually found, and this is just as an FYI, that NAT-T works for client-based, outbound connections. Not inbound connections to an IPsec server.
i'm sorry, but what do you mean by that?
Senior Member (Registered Member)
Join Date: Sep 2006
Posts: 241
Certifications: CCNA, studying for BCMSN

Quote:
Originally Posted by rossonieri#1
    hi grigsby,
    i'm sorry, but what do you mean by that?
I think he is saying that if he has a host initiate a RA connection from inside the NAT device, it connects.
What type of VPN are you trying to establish when it fails? What type of errors are you getting?
'sh crypto isakmp sa'
'sh crypto ipsec sa'
Coffee anyone? (Registered Member)
Join Date: Jun 2003
Posts: 801
Certifications: a few...

hi mzinz,
so, basically what he means under this simple scenario perhaps:
site-A --- VPN server --- NAT --- cloud --- NAT --- VPN client --- site-B
the NAT-T, it will only work for the site-B side?
hmm, don't you think he will need both NAT devices to do the NAT-T in order to successfully connect both sites?
Member (Registered Member)
Join Date: Jul 2006
Posts: 67
Certifications: CCNA, MCP 70-290, BSCI, BCMSN

Yeah, so this was more of a real-world experience than, say, a theoretical / study situation. I had a hard time finding where on the Cisco site or in any Cisco documentation it really laid out its intended use. rossonieri#1 had the scenario right.
I had a customer who called me with this problem. I work for a service provider, so I control the CPE on site and the cloud where the IPsec VPN server resides. The client connections are all going to be coming from off network, at least off network from my perspective (other ISPs). I even labbed this up with Dynamips using different IOS versions and hardware platforms.
What I found was that NAT-T was working as advertised through the NAT gateways that the client connections were coming from. But the connections inbound to the IPsec VPN server were failing because of the checksum. In other words, NAT was modifying some portion of the payload, which was causing it to fail the calculated checksum. I couldn't really tell which part though, because it was all encrypted traffic and I couldn't read the packets' contents.
The configuration on the NAT gateway on the server side was a basic NAT setup, and I had done a one-to-one NAT translation to the inside server IP from a public address that I had routed to it from my edge. I will say that I am running MPLS and VRF routing in production, but I had labbed it without MPLS and VRF routing with the same result.
The IPsec server I used in the lab was a Windows 2003 server. I tried both certificates and just a pre-shared passphrase. The customer I was working with had a Cisco 2800 with IPsec server configured. The customer was using ISAKMP for authentication, which was coming in on UDP 500, and then the Cisco is supposed to UDP-encapsulate the IPsec traffic over UDP port 4500, through NAT.
This was able to work when I moved the IPsec VPN server from behind its local NAT gateway and gave it a public IP on the physical interface, not by way of NAT. Meaning I had to route a block to the CPE, assign the block to an interface on the CPE, and have the server interface with it.
This is a feature that is enabled by default on Cisco IOS, and you can turn it off. But it's kind of like CEF: it comes on by default on most IOS. As for the debug commands mentioned before, I couldn't use them because they are for use on the IPsec server, but they don't look for traffic passing through NAT.
The command to turn it on/off is something like "crypto ipsec ... udp-encapsulation". Forgive me, I am not in front of an available IOS at the moment.
This is really long-winded, I know, but I figure if you were really interested I would give you the nitty-gritty.
Last edited by Grigsby; 06-06-2009 at 01:00 PM.
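Added example, not from the thread and not Cisco's code: the two mechanisms behind IOS "NAT transparency" modelled in plain Python, with constructed cookies, keys and addresses. First, RFC 3947 NAT detection: the IKE initiator sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) for the destination and for its own source, and the responder recomputes both from the headers it actually received; a mismatch on the destination hash tells the responder that its own address was rewritten on the way in (it sits behind a NAT, as the VPN server does in the scenario drawn above), and a mismatch on the source hash that the initiator's was. Second, RFC 3948 UDP encapsulation: ESP is carried inside UDP/4500, IKE on the same port is prefixed with a four-byte zero "non-ESP marker", and a one-byte 0xFF datagram is a NAT keepalive. The ESP integrity check covers only the SPI, sequence number and payload, so a NAT rewriting the outer header does not invalidate it; the same rewrite does invalidate an AH-style check that covers the IP addresses, which the example shows side by side.

```python
"""Added example, not from the thread or from Cisco: IPsec NAT-T mechanics in
plain Python (RFC 3947 NAT detection, RFC 3948 UDP encapsulation of ESP).
All cookies, keys and addresses are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 starts with this; ESP never has SPI 0
NAT_KEEPALIVE = b"\xff"              # RFC 3948: one-byte keepalive that holds the NAT mapping open
ICV_LEN = 12                         # HMAC-SHA1-96 truncated ICV


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body (RFC 3947): HASH(CKY-I | CKY-R | IP | Port), SHA-1 as the negotiated hash."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(cky_i + cky_r + packed).digest()


def responder_detects_nat(cky_i, cky_r, initiator_view, responder_view):
    """Both views are (src_ip, src_port, dst_ip, dst_port) of the same IKE packet:
    as the initiator built it, and as the responder received it. The initiator sends
    NAT-D for the destination first, then for its own source; the responder recomputes
    each from the headers it actually sees. A mismatch means that address was rewritten."""
    i_src_ip, i_src_port, i_dst_ip, i_dst_port = initiator_view
    r_src_ip, r_src_port, r_dst_ip, r_dst_port = responder_view
    natd_dst = nat_d_hash(cky_i, cky_r, i_dst_ip, i_dst_port)
    natd_src = nat_d_hash(cky_i, cky_r, i_src_ip, i_src_port)
    return {
        "responder_behind_nat": natd_dst != nat_d_hash(cky_i, cky_r, r_dst_ip, r_dst_port),
        "initiator_behind_nat": natd_src != nat_d_hash(cky_i, cky_r, r_src_ip, r_src_port),
    }


def esp_packet(auth_key: bytes, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header + encrypted payload + ICV. The ICV covers only SPI, sequence
    number and payload, never the outer IP/UDP header."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv_ok(auth_key: bytes, esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN], icv)


def ah_icv(auth_key: bytes, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """AH-style ICV: covers the immutable IP header fields, addresses included,
    which is exactly why AH cannot cross a NAT."""
    hdr = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return hmac.new(auth_key, hdr + payload, hashlib.sha1).digest()[:ICV_LEN]


def classify_udp4500(datagram: bytes) -> str:
    """Receiver-side demultiplexing of a UDP/4500 datagram (RFC 3948)."""
    if datagram == NAT_KEEPALIVE:
        return "keepalive"
    if datagram[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def nat_rewrite(outer: dict, new_src_ip: str, new_src_port: int) -> dict:
    """What a NAT does on the way out: rewrite the outer source address/port, leave the payload alone."""
    return {**outer, "src_ip": new_src_ip, "src_port": new_src_port}


def demo():
    """Scenario from the thread: client behind a NAT, VPN server behind a 1:1 NAT."""
    cky_i, cky_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    key = b"constructed-sample-auth-key"
    initiator_view = ("192.168.1.20", 500, "203.0.113.20", 500)    # client private -> server public
    responder_view = ("198.51.100.7", 41000, "192.168.10.5", 500)  # client NAT public -> server private
    nat = responder_detects_nat(cky_i, cky_r, initiator_view, responder_view)

    # Server replies with ESP in UDP/4500; its NAT rewrites the outer source to the public address.
    esp = esp_packet(key, spi=0x1000ABCD, seq=1, ciphertext=b"\x8f" * 32)
    outer = {"src_ip": "192.168.10.5", "src_port": 4500,
             "dst_ip": "198.51.100.7", "dst_port": 41000, "payload": esp}
    after_nat = nat_rewrite(outer, "203.0.113.20", 4500)
    esp_ok = esp_icv_ok(key, after_nat["payload"])  # True: the NAT touched nothing the ICV covers
    ah_ok = hmac.compare_digest(
        ah_icv(key, outer["src_ip"], outer["dst_ip"], b"data"),
        ah_icv(key, after_nat["src_ip"], after_nat["dst_ip"], b"data"))  # False: AH covers the addresses
    return nat, esp_ok, ah_ok, classify_udp4500(esp), classify_udp4500(NON_ESP_MARKER + b"\x00" * 28)


if __name__ == "__main__":
    print(demo())
```

With both peers behind NAT, `responder_detects_nat` reports both flags as true; with identical views on each side it reports neither, which is the no-NAT path where plain ESP on IP protocol 50 is used instead of UDP/4500.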
Member (Registered Member)
Join Date: Jul 2006
Posts: 67
Certifications: CCNA, MCP 70-290, BSCI, BCMSN

Also, if any of you are familiar with this and think I missed it completely, let me know. I spent nearly a week researching this thing, and if it does work differently than I found, that would be great. I just started ISCW; maybe it will rear its head there.