ISAKMP NAT problem (I know it can be done but don't know how)

Discussion in 'Cisco' started by Rogier Mulder, Jan 13, 2005.

  1. I'm setting up an IPSec tunnel between two Cisco routers and a
    SonicWall 2040 in between. One of the routers (1721) is on a private
    network (192.168.16/24) behind the firewall; the other cisco box is
    somewhere on the Internet.

    The tunnel is set up by the router on the public net and the firewall
    is configured to allow IKE, IPSec and port 5400 both ways. The router
    on the private LAN can be addressed from the outside because the
    firewall provides a one2one mapping of a public address to
    192.168.16.3.

    When the router on the Internet sets a tunnel to my 1721 (the public
    NAT address!), its log shows:

    Jan 13 14:10:55.094: ISAKMP:(0:1764:HW:2): processing ID payload. message ID = 0
    Jan 13 14:10:55.094: ISAKMP (0:268437220): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.16.3
        protocol     : 17
        port         : 0
        length       : 12
    Jan 13 14:10:55.094: ISAKMP:(0:1764:HW:2):Expected CORP_Sycada profile doesn't match, aborting exchange

    The router probably expects the public IP address of my private
    router. How can I tell either my router or the other router that
    192.168.16.3 is equivalent to its public IP address?

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxxxxxx address x.x.x.x
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set Sycada esp-3des esp-md5-hmac
    !
    crypto map Sycada 1 ipsec-isakmp
     description crypto map Sycada
     set peer x.x.x.x
     set transform-set Sycada
     match address 100
    access-list 100 permit ip any 192.168.101.0 0.0.0.255

    rgrds rgr

    Sycada Nederland
     
    Rogier Mulder, Jan 13, 2005
    #1

  2. :I'm setting up an IPSec tunnel between two Cisco routers and a
    :SonicWall 2040 in between. One of the routers (1721) is on a private
    :network (192.168.16/24) behind the firewall; the other cisco box is
    :somewhere on the Internet.

    :The tunnel is set up by the router on the public net and the firewall
    :is configured to allow IKE, IPSec and port 5400 both ways.

    Is that '5400' a typo? ISAKMP is UDP 500, and NAT Traversal uses
    UDP 4500.

    :The router probably expects the public IP address of my private
    :router. How can I tell either my router or the other router that
    :192.168.16.3 is equivalent to its public IP address?

    Try looking for a way to set the isakmp identity to 'hostname'.

    I have done IPSec through static NAT, but with a PIX.
     
    Walter Roberson, Jan 13, 2005
    #2
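The identity change suggested above, written out as an added example that is not from either post: the 1721 stops sending its interface address (192.168.16.3, the value in the ID payload) as its IKE identity and sends its FQDN instead, so the Internet router looks up the pre-shared key, and any ISAKMP profile it applies, by name rather than by the private address. The hostname, domain and the 1721's public NAT address are placeholders; the key string and the profile name CORP_Sycada are the ones that appear in the thread, and it is an assumption that the profile currently matches on address.

```text
! --- 1721 behind the SonicWall (responder) ---
hostname r1721
ip domain-name sycada.example
! default identity is 'address', which is why 192.168.16.3 shows up in the peer's debug
crypto isakmp identity hostname
! the Internet router has a fixed public address, so it is still keyed by address here
crypto isakmp key xxxxxxx address x.x.x.x

! --- Internet router (initiator, the one logging the profile mismatch) ---
! keeps the default address identity; the 1721 already matches it on x.x.x.x
! ip host is needed so the hostname-keyed entry resolves to the NAT'd public address
ip host r1721.sycada.example 203.0.113.5   ! placeholder: public address mapped 1:1 to 192.168.16.3
crypto isakmp key xxxxxxx hostname r1721.sycada.example
! if the crypto map is tied to an ISAKMP profile, the profile must match the FQDN, not the address
crypto isakmp profile CORP_Sycada
 match identity host r1721.sycada.example
```

With this in place the ID payload in the debug output should show type 2 (FQDN) with the hostname instead of type 1 (IPv4 address) with 192.168.16.3; if the SonicWall also translates ports, NAT traversal (UDP 4500) must be permitted as well.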