Hi PJ

The first link clearly explains how ICMP works with PAT using sequential numbers. For ESP, the link says we need to use SPI matching using the "ip nat service-list" command.

The issue is that I am observing the ESP with PAT process working using the SPI matching logic without configuring SPI matching (NAT Support for IPSec ESP - Phase II). I tried reloading but I still see it working without configuration of "ip nat service-list" on the PAT router and "crypto ipsec nat-transparency spi-matching" on the IPSec endpoints.

With regards
Kings

On Mon, Sep 27, 2010 at 7:10 PM, Pieter-Jan Nefkens <[email protected]> wrote:
> Hi all,
>
> Actually, it should work with multiple ESP tunnels and PAT with SPI
> matching. That is a feature that was introduced in IOS 12.2-something.
>
> Check out:
>
> White paper:
> http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a00801af2b9.html
> (Search for "multiple ESP through PAT")
>
> Feature guide:
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsecnat.html#wp1057826
>
> I remember this as I was playing around with it once, and I know that at
> one time the SPI matching was enabled automatically; I think it was with
> the 12.4T15 release (a lot of things happened then).
>
> HTH
>
> PJ
>
> On 27 sep 2010, at 15:13, Kingsley Charles wrote:
>
> Hi Tyson
>
> I had only one ESP tunnel. Is there any specific reason for it not to work?
> If ICMP can be PATed then ESP can also be PATed, right?
>
> With regards
> Kings
>
> On Mon, Sep 27, 2010 at 6:39 PM, Tyson Scott <[email protected]> wrote:
>
>> Kingsley,
>>
>> Did you have more than one IPSec session going through the router? If it
>> automatically does SPI matching that is new to me, but I expect it not to
>> work when you do two ESP tunnels through the router.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Monday, September 27, 2010 7:53 AM
>> To: [email protected]
>> Subject: Re: [OSL | CCIE_Security] ESP across PAT
>>
>> Any thoughts?
>>
>> On Sat, Sep 25, 2010 at 7:24 PM, Kingsley Charles <[email protected]> wrote:
>>
>> Hi all
>>
>> We all know that NAT/PAT and firewalls might break IPSec. We use NAT-T,
>> IPSec over UDP and IPSec over TCP.
>>
>> Some firewalls will not inspect ESP traffic, hence wrapping ESP into TCP
>> or UDP would solve the problem.
>>
>> Another global problem is NAT or PAT in between IPSec peers.
>>
>> AH won't work with either NAT or PAT as it authenticates the whole packet.
>> So for now let's forget about AH.
>>
>> ESP doesn't authenticate the whole header and hence we can make it work
>> across NAT or PAT devices.
>>
>> Without NAT-T, we can still have ESP across NAT devices by having the
>> remote device configure the peer as the NATed address.
>>
>> The interesting topic is ESP over PAT. The problem is that ESP doesn't
>> have a port number. How does the PAT device translate the ESP? Thus it
>> breaks ESP. Here comes NAT-T, which wraps ESP into UDP using port 4500, and
>> hence PAT devices can translate those wrapped packets.
>>
>> I was trying ESP over PAT to see how IOS breaks IPSec. But it did
>> work. It tracks the translation using the ESP SPI number. I didn't have the
>> IPSec peer and PAT router configured for "ip nat service", i.e., ESP SPI matching.
>>
>> Which means IOS routers doing PAT don't break ESP and are able to handle
>> it.
>>
>> Along the same lines, I used to wonder how IOS PAT routers handle ping
>> across. The ICMP echo-request packets also don't have port numbers, but I
>> see IOS routers tracking ICMP request translations too.
>>
>> So when did this change happen in IOS? IOS routers doing PAT don't break
>> IPSec using ESP.
>>
>> Please share your thoughts
>>
>> With regards
>> Kings
>>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
>
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
>
> Think before you print.
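The three situations argued over in this thread (ICMP with no port number, a single ESP tunnel, and two ESP tunnels with and without SPI matching) as an added toy model. This is constructed example code, not from the thread, from IOS, or from Cisco's documents; it assumes, as a simplification, that SPI matching makes each tunnel's inbound and outbound SPIs equal, and that a PAT device with only one ESP translation sends any inbound ESP packet to that one host.

```python
"""Toy model of a PAT device tracking flows without port numbers (constructed
example, not IOS code).  ICMP: the echo identifier stands in for a port and
can be rewritten.  ESP: the SPI is covered by ESP's integrity check, so it is
used unchanged as the lookup key.  One tunnel is unambiguous; with two, the
peer-chosen inbound SPIs differ from the outbound ones unless both endpoints
run SPI matching (assumed here to make the two directions' SPIs equal)."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Pat:
    outside_addr: str
    table: dict = field(default_factory=dict)   # (proto, outside key) -> inside host
    _icmp_ids: count = field(default_factory=lambda: count(1024))

    def outbound(self, proto: str, inside_addr: str, key: int) -> int:
        """Translate inside->outside; return the key the outside world sees."""
        if proto == "icmp":
            key = next(self._icmp_ids)      # rewritten, like a PAT source port
        elif proto != "esp":
            raise ValueError(proto)         # ESP SPI cannot be rewritten
        self.table[(proto, key)] = inside_addr
        return key

    def inbound(self, proto: str, key: int):
        """Map outside->inside; None when the PAT device cannot decide."""
        inside = self.table.get((proto, key))
        if inside is None and proto == "esp":
            hosts = {h for (p, _), h in self.table.items() if p == "esp"}
            if len(hosts) == 1:             # single tunnel: only one candidate
                inside = hosts.pop()
        return inside


def icmp_two_hosts_same_id() -> tuple:
    pat = Pat("203.0.113.1")
    k1, k2 = pat.outbound("icmp", "10.0.0.1", 7), pat.outbound("icmp", "10.0.0.2", 7)
    return pat.inbound("icmp", k1), pat.inbound("icmp", k2)


def esp_single_tunnel() -> str:
    pat = Pat("203.0.113.1")
    pat.outbound("esp", "10.0.0.1", 0x1111)
    return pat.inbound("esp", 0x2222)       # peer's SPI differs, still resolvable


def esp_two_tunnels(spi_matching: bool) -> tuple:
    pat = Pat("203.0.113.1")
    pat.outbound("esp", "10.0.0.1", 0x1111)
    pat.outbound("esp", "10.0.0.2", 0x3333)
    in1, in2 = (0x1111, 0x3333) if spi_matching else (0x2222, 0x4444)
    return pat.inbound("esp", in1), pat.inbound("esp", in2)
```

With two tunnels and no SPI matching the model returns no inside host for either inbound SPI, which is the failure Tyson expects; with matching, both resolve.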
