
Network address Translation (NAT) support for IPSec ESP

How to allow multiple host-to-host IPSEC tunnels through a Cisco IOS firewall with NAT

I have a setup where an IPSec VPN requires three subnets to be supported. One end of the VPN is a Cisco 800 series router on a DSL line with a static public IP address. The other end is OpenSwan v2.4.7 running on a host behind a Cisco IOS router with NAT, with a single static public IP address.

The issue was that when more than one IPSec tunnel was active from a remote site, only one would 'work', and the others would go down. Individually each one would forward packets reliably.

The underlying problem was not at either of the IPSec VPN tunnel termination hosts (i.e. the remote Cisco router or the OpenSwan host), but at the Cisco NAT in front of the OpenSwan host. The solution was to enable the "NAT Support for IPSec ESP - Phase II" feature. Before enabling it, the NAT table held only one ESP entry per inside host, so the router could not distinguish the tunnels. Once the 'spi-match' NAT service was configured (and traffic sent through the VPN), the table held one entry per SPI, i.e. more than one entry per host [1].

The following lines were added to the configuration (the access list and the `ip nat service` line), on the assumption that the two static NAT entries shown after them already exist:

ip access-list extended spi-match-list
  permit ip any any
exit
ip nat service list spi-match-list esp spi-match

ip nat inside source static udp 192.168.2.2 500 interface FastEthernet4 500 extendable
ip nat inside source static esp 192.168.2.2 interface FastEthernet4

Links

The NAT Support for IPSec ESP— Phase II feature

"Configuring IPSec Through NAT" section

"Configuring IPSec ESP Through NAT: Example" section

Appendices

[1] ESP NAT entries

#show ip nat translations esp
Pro Inside global         Inside local          Outside local         Outside global
esp 203.97.8.218:0        192.168.2.2:0         ---                   ---
esp 203.97.8.218:0        192.168.2.2:2044CE61  202.154.159.217:0     202.154.159.217:0
esp 203.97.8.218:0        192.168.2.2:24A4A82C  202.154.159.217:0     202.154.159.217:0
esp 203.97.8.218:0        192.168.2.2:24CF1DEE  150.101.116.192:0     150.101.116.192:0
esp 203.97.8.218:0        192.168.2.2:291EC59A  150.101.116.192:0     150.101.116.192:0
esp 203.97.8.218:0        192.168.2.2:4EC11337  150.101.116.192:0     150.101.116.192:0
esp 203.97.8.218:0        192.168.2.2:8EC7D07C  202.154.159.217:0     202.154.159.217:0
esp 203.97.8.218:0        192.168.2.2:AD923142  150.101.116.192:0     150.101.116.192:0
esp 203.97.8.218:0        192.168.2.2:B2A71E4F  150.101.116.192:0     150.101.116.192:0
esp 203.97.8.218:0        192.168.2.2:F6D7AC83  202.154.159.217:0     202.154.159.217:0
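As an added example (not part of the original page or any Cisco tool), here is a small Python parser for the `show ip nat translations esp` output above. It groups the per-SPI entries by inside host and peer, and flags any inside host that still has only the SPI-0 static entry, which is the one-entry-per-host state described in the text before spi-match was enabled. The sample input is constructed from the appendix lines, with an extra host 192.168.2.3 added to show the failing case.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "show ip nat translations esp" output above.
# 192.168.2.3 is an invented host that has only the static ESP entry (no SPI entries).
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
esp 203.97.8.218:0        192.168.2.2:0         ---                   ---
esp 203.97.8.218:0        192.168.2.2:2044CE61  202.154.159.217:0     202.154.159.217:0
esp 203.97.8.218:0        192.168.2.2:24CF1DEE  150.101.116.192:0     150.101.116.192:0
esp 203.97.8.218:0        192.168.2.3:0         ---                   ---
"""

# One "esp" row: inside global, inside local (ip:spi-hex), outside local, outside global.
ESP_LINE = re.compile(
    r"^esp\s+(?P<ig>\S+)\s+(?P<il_ip>[\d.]+):(?P<spi>[0-9A-Fa-f]+)"
    r"\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def parse_esp_translations(text):
    """Return one dict per esp row; header and non-esp rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ESP_LINE.match(line)
        if not m:
            continue
        peer = None if m["og"] == "---" else m["og"].rsplit(":", 1)[0]
        entries.append({"inside_local": m["il_ip"],
                        "spi": int(m["spi"], 16),
                        "peer": peer})
    return entries


def spi_entries_per_host(entries):
    """Map inside host -> {peer: sorted SPIs}, ignoring the SPI-0 static placeholder."""
    result = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if e["spi"] == 0 or e["peer"] is None:
            continue
        result[e["inside_local"]][e["peer"]].add(e["spi"])
    return {h: {p: sorted(s) for p, s in peers.items()} for h, peers in result.items()}


def hosts_without_spi_match(entries):
    """Inside hosts that have only the SPI-0 entry: with more than one tunnel,
    these are the hosts whose extra tunnels will collide in the NAT table."""
    all_hosts = {e["inside_local"] for e in entries}
    return sorted(all_hosts - set(spi_entries_per_host(entries)))
```

Feed it the real output (`show ip nat translations esp`) while the tunnels are up; an inside host listed by `hosts_without_spi_match` with more than one active tunnel is the symptom the page describes.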
