Ipsec VPN Tunnel from vpn router to pix

[Jasonlees]

Thanks in advance for any help; basically trying to setup a hardware vpn from an 831 (IOS 12.4) that sits behind a dsl modem which is setup with port forwarding to forward all the ipsec udp 500, ike udp 500 and nat-d udp 500 traffic to the router. The issue is I am receiving this error when checking the status of the tunnel: MM_KEY_EXCH

I know that the vpn keys are the same, and the public ip's are showing as correct in the dst and src fields; does anyone know how to adjust this or what other issue could cause this?

Here is what the Cisco Website shows for the above message:


PIX(config)#show crypto isakmp sa
Total : 2
Embryonic : 1
dst src state pending created
192.168.254.250 10.177.243.187 MM_KEY_EXCH 0 0
You can rectify this when you configure the correct IP address or pre-shared key.

 

[Jasonlees]

Actually on the router side is this issue; it is doing the exchange from the int eth1 which i assigned a 192.168.1.2 address to, instead of its outside ip address which the modem has assigned to it and just forwards ports to the vpn router.
Here is a small diagram:

Cisco 831
ETH1 192.168.1.2
ETH0 10.1.140.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1

DSL MODEM
inside ip: 192.168.1.1
outside ip: 68.127.xxx.xxx (set up interface with port forwarding on ipsec udp 500, ike udp 500 and nat-d 4500 udp to 192.168.1.2 (Cisco 831)

showing the exchange in the router from sh crypto isakmp sa:

dst src
<REMOTE WAN IP> 192.168.1.2

What i need is for the source to be the 68.127.xxx.xxx (WAN IP)

 

[burtsbees]

It can't---the modem has to NAT, unless you take it out of the equation and let the router NAT.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[Jasonlees]

What about by using port forwarding to forward the port to the router from the dsl modem?

 

[greenemk]

I noticed you were doing port forwarding into the router, but I noticed you missed one port. I have a similar setup with a 1814 sitting behind a DSL connection. You need to forward UDP 4500 into you router. When the router sinces NAT, it automatically switches to UDP 4500 (isakmp-nat) to make the connection. You can also disable it if you already know that your network uses IPSec-awareness using the following command: no crypto ipsec nat-transparency udp-encapsulation



MG

CCNA, CCNP, Sec+

 

[Jasonlees]

The port 4500 did the trick for the Cisco Router. Funny thing is we have other routers (non-cisco) that someone setup and didnt require that port to be open? But this 831 wasnt even trying to hit the remote WAN without port 4500 forwarding.