
Network address Translation (NAT) support for IPSec ESP

How to allow multiple host-to-host IPSec tunnels through a Cisco IOS firewall with NAT

I have a setup in which an IPSec VPN has to carry three subnets. One end of the VPN is a Cisco 800 series router on a DSL line with a static public IP address. The other end is OpenSwan v2.4.7 running on a host behind a Cisco IOS router that does NAT and has a single static public IP address.

The issue was that when more than one IPSec tunnel was active from the remote site, only one of them would work and the others would go down. Taken individually, each tunnel forwarded packets reliably.

The underlying problem was not at either of the IPSec tunnel termination hosts (the remote Cisco router or the OpenSwan host) but at the Cisco NAT in front of the OpenSwan host. The fix was to enable the "NAT Support for IPSec ESP Phase II" feature. Before enabling it, the NAT table held only one ESP entry per inside host; once the spi-match NAT service was configured (and traffic was sent through the VPN), there was more than one entry per host [1]. Each IPSec tunnel is a pair of one-way security associations, each identified by its own SPI, so a NAT that keeps a single ESP entry per host has no way to tell the tunnels' ESP flows apart.

The following was added to the configuration (the spi-match access list and the NAT service line); the static NAT entries for UDP 500 and ESP shown after them were already in place, with the inside local address of the OpenSwan host left blank in this listing. Note that `permit ip any any` applies SPI matching to every ESP flow through the router; it can be narrowed to the OpenSwan host's address if other ESP traffic should be left untouched.

! Access list selecting the ESP traffic that gets SPI matching
ip access-list extended spi-match-list
  permit ip any any
! Enable NAT Support for IPSec ESP Phase II (SPI matching) for that traffic
ip nat service list spi-match-list esp spi-match
!
! Existing static entries (inside local address of the OpenSwan host left blank)
ip nat inside source static udp  500 interface FastEthernet4 500 extendable 
ip nat inside source static esp      interface FastEthernet4
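The check described above, counting ESP entries per inside host in the NAT table, as an added example that is not part of the original page. It parses text in the shape of Cisco IOS `show ip nat translations esp` output; the assumptions are that each address column may carry a hexadecimal SPI after a colon and that static entries show `---` in the outside columns. The two sample tables are constructed for the example, with made-up addresses and SPI values: one mimics the state before spi-match (only the static ESP entry for the host) and one the state after, with three tunnels up.

```python
"""Check how many ESP SPIs the NAT router tracks per inside host.

Added example, not code from the original page. It parses text in the
shape of Cisco IOS `show ip nat translations esp` output, where each
address column may carry a hexadecimal SPI after a colon and static
entries show '---' in the outside columns. The sample output below is
constructed for the example; addresses and SPI values are made up.
"""
import re

# Constructed sample: the table before spi-match was enabled. Only the
# static ESP entry exists for the OpenSwan host; no SPI is tracked.
SAMPLE_BEFORE = """\
Pro Inside global         Inside local          Outside local         Outside global
esp 203.0.113.10          192.168.1.20          ---                   ---
"""

# Constructed sample: the table after spi-match, with three tunnels up.
# Each tunnel is a pair of one-way SAs, so six distinct SPIs appear.
SAMPLE_AFTER = """\
Pro Inside global         Inside local          Outside local         Outside global
esp 203.0.113.10          192.168.1.20          ---                   ---
esp 203.0.113.10:0        192.168.1.20:0        198.51.100.5:0        198.51.100.5:1A2B3C4D
esp 203.0.113.10:5E6F7A8B 192.168.1.20:5E6F7A8B 198.51.100.5:0        198.51.100.5:0
esp 203.0.113.10:0        192.168.1.20:0        198.51.100.5:0        198.51.100.5:2B3C4D5E
esp 203.0.113.10:6F7A8B9C 192.168.1.20:6F7A8B9C 198.51.100.5:0        198.51.100.5:0
esp 203.0.113.10:0        192.168.1.20:0        198.51.100.5:0        198.51.100.5:3C4D5E6F
esp 203.0.113.10:7A8B9CAD 192.168.1.20:7A8B9CAD 198.51.100.5:0        198.51.100.5:0
"""

ESP_ROW = re.compile(r"^esp\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
COLUMNS = ("inside_global", "inside_local", "outside_local", "outside_global")


def split_addr(field):
    """Split 'ip:spi' into (ip, spi); '---' means no address, a bare ip means SPI 0."""
    if field == "---":
        return None, 0
    if ":" in field:
        ip, spi = field.rsplit(":", 1)
        return ip, int(spi, 16)
    return field, 0


def parse_esp_rows(text):
    """Return one dict per 'esp' row, mapping column name -> (ip, spi)."""
    rows = []
    for line in text.splitlines():
        m = ESP_ROW.match(line.strip())
        if m:
            rows.append(dict(zip(COLUMNS, (split_addr(f) for f in m.groups()))))
    return rows


def spis_per_host(rows):
    """Map each inside-local host to the set of distinct non-zero SPIs on its rows.

    The SPI is read from every column, so the count does not depend on which
    column IOS places it in for a given direction.
    """
    per_host = {}
    for row in rows:
        host = row["inside_local"][0]
        spis = per_host.setdefault(host, set())
        for col in COLUMNS:
            spi = row[col][1]
            if spi:
                spis.add(spi)
    return per_host


def hosts_missing_tunnels(text, expected_tunnels):
    """Return {host: spi_count} for inside hosts tracking fewer SPIs than
    expected_tunnels tunnels need (two SPIs per tunnel, one per direction)."""
    counts = {h: len(s) for h, s in spis_per_host(parse_esp_rows(text)).items()}
    return {h: n for h, n in counts.items() if n < 2 * expected_tunnels}


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, hosts_missing_tunnels(text, expected_tunnels=3))
```

Feed it the real output of `show ip nat translations esp` and the expected tunnel count; a host reported with fewer than two SPIs per tunnel is the symptom the spi-match service is meant to cure.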


Cisco IOS documentation referenced:

The NAT Support for IPSec ESP Phase II feature
"Configuring IPSec Through NAT" section
"Configuring IPSec ESP Through NAT: Example" section

[1] ESP NAT entries, as listed on the NAT router. The inside global and inside local addresses are blank in this listing; the `---` in the outside columns is how IOS shows a static translation that no dynamic flow has used yet.

#show ip nat translations esp
Pro Inside global         Inside local          Outside local         Outside global
esp         ---                   ---


