NAT over IPSec problem !!

Discussion in 'Cisco' started by yellow, Jan 23, 2007.

  1. yellow

    Hi,

    Two sites (A & B) are interconnected with an IPsec tunnel, and there are
    two networks configured under the same crypto ACL.

    ip access-list extended vpnams1-vpnbud1
    permit ip host 210.81.15.112 10.10.0.0 0.0.255.255 <--net A
    permit ip host 210.81.15.112 172.16.128.0 0.0.0.63 <--net B

    We found that site B is unable to establish an SA with net B and
    receives the following error message:

    CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer
    at x.x.x.x

    But if net A is taken out of the crypto ACL, then the SA to net B can
    be established.

    One thing: on router B, NAT is performed on the IPsec tunnel. Is this due
    to an IPsec/NAT encapsulation issue?

    The router is running IOS 12.3.8T4

    Thanks,
    yellow, Jan 23, 2007
    #1

  2. Robert Langdon

    On 2007-01-23 06:27:45 +0100, "yellow" <> said:

    >
    > ip access-list extended vpnams1-vpnbud1
    > permit ip host 210.81.15.112 10.10.0.0 0.0.255.255 <--net A
    > permit ip host 210.81.15.112 172.16.128.0 0.0.0.63 <--net B
    >
    > We found that site B is unable to establish an SA with net B and
    > receives the following error message:
    >
    > CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer
    > at x.x.x.x
    >
    > But if net A is taken out of the crypto ACL, then the SA to net B can
    > be established.



    Hello,

    Please post the crypto-map settings and the isakmp lines for both
    routers. I might be able to help you.

    Cheers,

    R.
    Robert Langdon, Jan 24, 2007
    #2

  3. yellow

    Hi,

    Here are the two routers' crypto map & isakmp profile settings:

    RouterA --
    crypto isakmp policy 30
    encr 3des
    authentication pre-share
    group 2
    !
    crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
    !
    !
    crypto map RouterA local-address FastEthernet0/0
    crypto map RouterA 1 ipsec-isakmp
    set peer x.x.x.x
    set transform-set esp-3des-sha
    match address RouterA-RouterB
    !
    ip access-list extended RouterA-RouterB
    permit ip host 210.81.15.112 10.10.0.0 0.0.255.255
    permit ip host 210.81.15.112 172.16.128.0 0.0.0.63

    RouterB -
    crypto isakmp policy 20
    encr 3des
    authentication pre-share
    group 2
    !
    crypto map RouterB 1012 ipsec-isakmp
    set peer x.x.x.x
    set transform-set esp-3des-sha
    match address RouterB-RouterA
    !
    ip access-list extended RouterB-RouterA
    permit ip 172.16.128.0 0.0.0.63 host 210.81.15.112
    permit ip 10.10.0.0 0.0.255.255 host 210.81.15.112

    Thanks
    On Jan 24, 8:33 AM, Robert Langdon <> wrote:
    > Please post the crypto-map settings and the isakmp lines for both
    > routers. I might be able to help you.
    >
    > Cheers,
    >
    > R.
    yellow, Jan 24, 2007
    #3
  4. AstralPilot

    On 2007-01-24 04:18:50 +0100, "yellow" <> said:

    > ip access-list extended RouterA-RouterB
    > permit ip host 210.81.15.112 10.10.0.0 0.0.255.255
    > permit ip host 210.81.15.112 172.16.128.0 0.0.0.63
    >
    > ip access-list extended RouterB-RouterA
    > permit ip 172.16.128.0 0.0.0.63 host 210.81.15.112
    > permit ip 10.10.0.0 0.0.255.255 host 210.81.15.112


    Hi,

    I have had cases where the order of the ACL entries caused issues when it was not in line.
    So, put the access-lists on both routers in line. It might help.

    Cheers,

    R.
    AstralPilot, Jan 24, 2007
    #4
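    Added example (not part of the thread, and not Cisco code): a small Python script that does the
    mirror check AstralPilot describes by hand. In IKEv1 Quick Mode each side proposes proxy identities
    taken from the crypto ACL entry that matched the traffic, and the peer must hold the exact mirror
    image (its source = our destination, its destination = our source); a wider, narrower or missing
    entry on one side fails phase 2 even when phase 1 is up. The two ACLs are the ones posted above;
    the "widened" variant of router B's ACL is constructed here to show what an unmirrored entry looks like.

```python
"""Mirror-check two Cisco IOS crypto ACLs (added example, not from the thread).

Parses 'permit ip ...' entries in IOS syntax, converts wildcard masks to
CIDR, and reports entries with no exact mirror on the peer router, plus
whether the entry order agrees on both sides.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Proxy = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Optional sequence number, then 'permit ip', then the source/destination fields.
_PERMIT = re.compile(r"^\s*(?:\d+\s+)?permit\s+ip\s+(.+)$")


def wildcard_to_prefix(wildcard: str) -> int:
    """Convert an IOS wildcard (inverse) mask to a prefix length.

    0.0.0.63 -> 26, 0.0.255.255 -> 16, 0.0.0.0 -> 32, 255.255.255.255 -> 0.
    Non-contiguous wildcards have no CIDR equivalent and are rejected.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - wild.bit_length()


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    prefix = wildcard_to_prefix(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_crypto_acl(text: str) -> List[Proxy]:
    """Return (source, destination) network pairs for each 'permit ip' entry, in order.

    Deny entries and non-IP protocols never become proxy identities and are skipped.
    Trailing annotations after '!' or '<--' (as in the posts above) are ignored.
    """
    proxies: List[Proxy] = []
    for raw in text.splitlines():
        line = re.split(r"!|<--", raw, maxsplit=1)[0]
        match = _PERMIT.match(line)
        if not match:
            continue
        src, rest = _take_address(match.group(1).split())
        dst, _ = _take_address(rest)
        proxies.append((src, dst))
    return proxies


def compare_crypto_acls(side_a: str, side_b: str) -> Dict[str, object]:
    """Report entries lacking an exact mirror on the peer, and whether the order agrees."""
    a = parse_crypto_acl(side_a)
    # Swap B's entries so they can be compared against A's orientation.
    b_as_seen_from_a = [(dst, src) for src, dst in parse_crypto_acl(side_b)]
    return {
        "unmirrored_on_a": [f"{s} -> {d}" for s, d in a if (s, d) not in b_as_seen_from_a],
        "unmirrored_on_b": [f"{d} -> {s}" for s, d in b_as_seen_from_a if (s, d) not in a],
        "order_matches": a == b_as_seen_from_a,
    }


# Crypto ACLs as posted in the thread (annotations kept to show they are tolerated).
ROUTER_A_ACL = """\
ip access-list extended RouterA-RouterB
 permit ip host 210.81.15.112 10.10.0.0 0.0.255.255 <--net A
 permit ip host 210.81.15.112 172.16.128.0 0.0.0.63 <--net B
"""
ROUTER_B_ACL = """\
ip access-list extended RouterB-RouterA
 permit ip 172.16.128.0 0.0.0.63 host 210.81.15.112
 permit ip 10.10.0.0 0.0.255.255 host 210.81.15.112
"""
# Constructed variant (not from the thread): net B widened to a /24 on router B.
ROUTER_B_WIDENED = ROUTER_B_ACL.replace("0.0.0.63", "0.0.0.255")

if __name__ == "__main__":
    for label, acl_b in (("as posted", ROUTER_B_ACL), ("net B widened", ROUTER_B_WIDENED)):
        print(label, compare_crypto_acls(ROUTER_A_ACL, acl_b))
```

    On the ACLs as posted the script finds every entry mirrored and only the order reversed; on the
    widened variant it flags the net B entry on both sides. Two things it deliberately does not model:
    on IOS, inside-to-outside NAT is applied before the crypto map is consulted on outbound traffic, so
    if router B translates the addresses in question the crypto ACL must match the post-translation
    addresses; and a transform-set or PFS mismatch also fails Quick Mode with the same log message.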
