NAT Traversal.

Is it possible to have tunnels with nat-t and without simultaneously on PIX 506 (6.3)? When I turn it on (isakmp nat-traversal 300), the tunnel with NAT-T starts working and other tunnels receive malformed payloads. When I turn it off, the one ended behind NAT stops working. What should I do with it?

Michał Iwaszko

After I enable nat-traversal I see things like this:

IPSEC(validate_transform_proposal): proxy identities not supported ISAKMP: IPSec policy invalidated proposal

Is it possible to have tunnels of both kinds simultaneously?

Michał Iwaszko

NAT-T should not affect the other tunnels. Your problem resides on another point.

Investigate deeply on who initiates the tunnel (see initiator/responder in the syslog messages). Eventually enable NAT-T on the other side. Check the DH group on both sides and have a look at the settings for default value or not present DH group.

If you post the configurations of a tunnel that doesn't work once you enable NAT-T....

Alex.

AM

AM wrote:

How can it reside on another point? The configuration of other routers/pixes/vpn concentrators/openswans remains untouched, when I'm enabling/disabling NAT-T on my PIX.

The other side. But I've checked it carefully and when I'm initiating the connection, tunnels ended on Cisco devices work and on OpenSWAN don't. When they are initiated from the other side, none of them work. Strange.

It can't be done. But I've checked DH, PFS and so on and everything matches.

Transform sets:

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

This is the tunnel that works after enabling NAT-T:

access-list ipsec-a permit ip 192.168.240.144 255.255.255.248 172.150.10.0 255.255.255.0
crypto map internet 920 ipsec-isakmp
crypto map internet 920 match address ipsec-a
crypto map internet 920 set peer peer.a.ip.addr
crypto map internet 920 set transform-set 3des-md5

The tunnel that works after enabling NAT-T, but only when I'm initiating (ended on a Cisco device, with GRE):

access-list ipsec-b permit gre host 195.187.143.1 host peer.b.ip.addr
crypto map internet 890 ipsec-isakmp
crypto map internet 890 match address ipsec-b
crypto map internet 890 set pfs group2
crypto map internet 890 set peer peer.b.ip.addr
crypto map internet 890 set transform-set 3des-sha

The tunnel that doesn't work after enabling NAT-T, no matter who initiates it:

access-list ipsec-c permit ip 10.0.9.0 255.255.255.0 172.16.64.0 255.255.240.0
crypto map internet 880 ipsec-isakmp
crypto map internet 880 match address ipsec-c
crypto map internet 880 set pfs group2
crypto map internet 880 set peer peer.c.ip.addr
crypto map internet 880 set transform-set 3des-sha

Other stuff:

sysopt connection permit-ipsec
crypto map internet interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 300
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600

I still have to look at the debug output, so if I find something useful and not meaningless, I'll post it.

Michał Iwaszko

In article , Michał Iwaszko wrote: [PIX]

The difference in transform sets might be related to the problem.

Isn't policy 40 a duplicate of 30?

The lowest numbered policy has the highest priority for use amongst the transform sets the -other- end sends as being supported. I recommend re-arranging the policies so that 3DES SHA is first, 3DES MD5 second, and DES MD5 third. (Don't try DES SHA, it isn't supported in PIX 6.3.)

Walter Roberson
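To make the policy-ordering point above concrete, here is an added Python model of how a PIX walks its ISAKMP phase-1 policies; it is not code from the thread or from Cisco. It rebuilds the policy block posted earlier, flags policies that repeat an earlier one on everything IKE compares (30 and 40 differ only in lifetime), flags the DES+SHA combination the reply says PIX 6.3 lacks, and picks the lowest-numbered local policy that matches anything the peer offers. It assumes lifetime is not part of the match and that a peer proposal is a dict using the same attribute names as the config.

```python
import re

# ISAKMP policies constructed from the configuration posted in the thread,
# rebuilt into the "isakmp policy N attr value" form the PIX shows.
POLICIES = ((10, "des", "md5", 86400), (20, "3des", "md5", 86400),
            (30, "3des", "sha", 86400), (40, "3des", "sha", 3600))
PIX_CONFIG = "\n".join(
    f"isakmp policy {p} {k} {v}"
    for p, enc, hsh, life in POLICIES
    for k, v in (("authentication", "pre-share"), ("encryption", enc),
                 ("hash", hsh), ("group", 2), ("lifetime", life)))

MATCH_KEYS = ("authentication", "encryption", "hash", "group")  # lifetime is not matched
LINE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")

def parse_policies(config):
    """Return {priority: {attr: value}} with the lowest (highest-priority) number first."""
    policies = {}
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return dict(sorted(policies.items()))

def negotiable(attrs):
    """The attributes IKE phase 1 actually compares (assumption: lifetime is reconciled separately)."""
    return tuple(attrs.get(k) for k in MATCH_KEYS)

def duplicate_policies(policies):
    """(earlier, later) pairs where the later policy repeats an earlier one."""
    seen, dups = {}, []
    for prio, attrs in policies.items():
        key = negotiable(attrs)
        if key in seen:
            dups.append((seen[key], prio))
        else:
            seen[key] = prio
    return dups

def unsupported_policies(policies):
    """Priorities using DES with SHA, which the thread notes PIX 6.3 does not support."""
    return [p for p, a in policies.items()
            if a.get("encryption") == "des" and a.get("hash") == "sha"]

def select_policy(policies, peer_proposals):
    """First local policy (lowest number) that matches any proposal the peer sent."""
    offered = {negotiable(p) for p in peer_proposals}
    for prio, attrs in policies.items():
        if negotiable(attrs) in offered:
            return prio
    return None
```

Because selection follows the local numbering rather than the peer's proposal order, a peer that offers both 3DES/SHA and DES/MD5 lands on policy 10 (DES/MD5) with the posted config, which is exactly why reordering matters.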
