I feel I am almost there, but I am stuck. I am experimenting with IPsec behind a NAT device.

Perfectly working:

    LAN<----->3845-router<----->internet<----->881-router<---->LAN

Not working:

    LAN<----->3845-router<----->internet<----->nat-device<---->881-router<---->LAN

According to http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/23820-ios-pat-ipsec-tunnel.html it should be easy. NAT-T should automatically kick in if it detects NAT.

On the nat-device I created (192.168.1.200 is the outside interface of the 881):

    ip nat inside source static udp 192.168.1.200 4500 interface fa4 4500
    ip nat inside source static udp 192.168.1.200 500 interface fa4 500

On the 3845 router, ESP and UDP ports 500 and 4500 are open. The NAT router and the 881 router do not have any ACLs (test setup), except for the 881 having a VPN traffic ACL.

Result of a ping from the 3845 router to the 881:

    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    192.168.1.200   91.194.XX.YY    MM_NO_STATE       2031    0 ACTIVE (deleted)

I tried some options: crypto map transport mode, crypto ipsec nat-transparency spi-matching.

Before posting configs and debugs, it is maybe better to check and walk through the basic things.

Kind regards,
Erik
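Added example, not part of the original post: how the NAT detection the post relies on works in IKEv1 (RFC 3947). Each peer sends NAT-D payloads, HASH(CKY-I | CKY-R | IP | Port), and the receiver recomputes them from the addresses it actually sees. The cookies, the two public addresses and the choice of SHA-1 as the negotiated hash are constructed assumptions; only 192.168.1.200 comes from the post.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def build_nat_d(cky_i, cky_r, src, dst):
    """NAT-D payloads a sender emits: one for the remote end, one for itself."""
    return {"dst": nat_d_hash(cky_i, cky_r, *dst),
            "src": nat_d_hash(cky_i, cky_r, *src)}

def detect_nat(received, cky_i, cky_r, seen_src, seen_dst):
    """Receiver compares the payloads with hashes of the addresses it sees."""
    return {
        # sender's own address was rewritten on the way: sender is behind NAT
        "sender_behind_nat": received["src"] != nat_d_hash(cky_i, cky_r, *seen_src),
        # address the sender aimed at is not ours: we are behind NAT
        "receiver_behind_nat": received["dst"] != nat_d_hash(cky_i, cky_r, *seen_dst),
    }

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
R3845 = ("198.51.100.10", 500)      # stands in for the 3845's public address
NAT_PUBLIC = ("203.0.113.5", 500)   # stands in for the nat-device's fa4 address
R881 = ("192.168.1.200", 500)       # outside interface of the 881 (from the post)

def scenario_behind_nat():
    """3845 targets the NAT device; static NAT delivers the packet to the 881."""
    sent = build_nat_d(CKY_I, CKY_R, src=R3845, dst=NAT_PUBLIC)
    return detect_nat(sent, CKY_I, CKY_R, seen_src=R3845, seen_dst=R881)

def scenario_direct():
    """Working topology: no translation between the two routers."""
    sent = build_nat_d(CKY_I, CKY_R, src=R3845, dst=NAT_PUBLIC)
    return detect_nat(sent, CKY_I, CKY_R, seen_src=R3845, seen_dst=NAT_PUBLIC)

if __name__ == "__main__":
    print("behind NAT:", scenario_behind_nat())
    print("direct:    ", scenario_direct())
```

A mismatch on either hash is what moves the negotiation from UDP 500 to UDP 4500, so both static translations have to be in place before the exchange can get that far.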
