
Configuring NAT with IPSEC

Status
Not open for further replies.

garcia79 (Technical User, CA), Apr 14, 2003
Hello,
This is my first attempt at setting up VPNs and all seemed to be going well; however, I keep getting an error message in the SA that says "CRYPTO-6-IKMP MODE FAILURE". Everything appears to be working well until phase 2, and that's where everything goes downhill. My configurations appear correct, I've had a couple of people verify them, and I am wondering if my problem could have to do with incompatibilities between IPsec and NAT or the IOS version I am running, which is version 12.2.
Any help would be GREATLY appreciated
Thank-You
 
Your packets are being NATed before they hit the tunnel, and by then the IP addresses are not valid with the access-list you specified in your crypto map.

So you need to add deny statements in your nat access list for the vpn traffic.

Also, the access-list for the crypto map must be mirrored on both sides of the tunnel (i.e. if one side is specifying host to network and the other side is specifying host to host, or anything other than the same, then you will fail phase two as well).

Additionally, I had to specify a loopback address, using:

route-map nonat permit 10
 match ip address 110
 set ip next-hop <loopback address here>

The "match ip address 110" refers to another access list that allows traffic intended to go across the tunnel to do so, and everything else not to go across the tunnel.
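The two failure modes described in this reply (interesting traffic translated before it reaches the crypto map, and crypto ACLs that are not mirror images of each other) can be checked offline. The following Python script is an added example, not code from the thread or from Cisco; it parses simple IOS-style "access-list N permit|deny ip SRC DST" lines, models "NAT runs before IPsec" as a first-match lookup, and compares the two peers' crypto ACLs. ACL numbers 101/120, the 192.168.1.0/24 and 10.1.1.0/24 networks and the 203.0.113.1 outside address are constructed sample values.

```python
"""Added example (not from the original thread): check a NAT ACL against a
crypto-map ACL, and check that two peers' crypto ACLs mirror each other.
Supports only 'access-list N permit|deny ip SRC DST' with SRC/DST given as
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume one IOS address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard: 0 bits must match, 1 bits are "don't care"; invert to a netmask
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    mask = wildcard ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {tokens[1]}")
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse ACE lines in configuration order (order matters for first match)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        aces.append(Ace(t[2], src, dst))
    return aces


def first_match(acl, src_ip, dst_ip):
    """Return the first ACE covering the flow, or None (implicit deny)."""
    for ace in acl:
        if src_ip in ace.src and dst_ip in ace.dst:
            return ace
    return None


def source_after_nat(nat_acl, src_ip, dst_ip, outside_ip):
    """Model 'ip nat inside source list': a permit hit translates the source."""
    hit = first_match(nat_acl, src_ip, dst_ip)
    return outside_ip if hit is not None and hit.action == "permit" else src_ip


def reaches_tunnel(nat_acl, crypto_acl, src_ip, dst_ip, outside_ip):
    """NAT happens before IPsec encapsulation: does the (possibly translated)
    packet still match the crypto map's interesting-traffic ACL?"""
    translated = source_after_nat(nat_acl, src_ip, dst_ip, outside_ip)
    hit = first_match(crypto_acl, translated, dst_ip)
    return hit is not None and hit.action == "permit"


def crypto_acls_mirror(local, remote):
    """Each side's permit entries must equal the other side's with src/dst swapped."""
    local_flows = {(a.src, a.dst) for a in local if a.action == "permit"}
    remote_flows = {(a.dst, a.src) for a in remote if a.action == "permit"}
    return local_flows == remote_flows


# Constructed sample configuration (hypothetical addresses and ACL numbers)
CRYPTO_LOCAL = parse_acl("access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255")
CRYPTO_REMOTE_OK = parse_acl("access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255")
CRYPTO_REMOTE_BAD = parse_acl("access-list 120 permit ip host 10.1.1.5 192.168.1.0 0.0.0.255")
NAT_BAD = parse_acl("access-list 101 permit ip 192.168.1.0 0.0.0.255 any")
NAT_FIXED = parse_acl("""
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
""")
OUTSIDE = ipaddress.ip_address("203.0.113.1")
SRC = ipaddress.ip_address("192.168.1.10")
DST = ipaddress.ip_address("10.1.1.10")

if __name__ == "__main__":
    print("without NAT exemption:", reaches_tunnel(NAT_BAD, CRYPTO_LOCAL, SRC, DST, OUTSIDE))
    print("with deny in NAT ACL:  ", reaches_tunnel(NAT_FIXED, CRYPTO_LOCAL, SRC, DST, OUTSIDE))
    print("crypto ACLs mirrored:  ", crypto_acls_mirror(CRYPTO_LOCAL, CRYPTO_REMOTE_OK))
    print("host-vs-network peer:  ", crypto_acls_mirror(CRYPTO_LOCAL, CRYPTO_REMOTE_BAD))
```

With the NAT ACL lacking the deny, the packet leaves with the outside address as its source and no longer matches the crypto ACL, which is exactly why the SA negotiation fails at phase 2; adding the deny line ahead of the permit keeps the inside address intact. The mirror check flags the host-versus-network mismatch the reply warns about.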


 
"could have to do with incompatabilities between ipsec and nat"

If you use Network Address Translation (NAT), you should configure static NAT translations so that IPSec will work properly. In general, NAT translation should occur before the router performs IPSec encapsulation; in other words, IPSec should be working with global addresses.
