Configuring Router-to-Router Dynamic-to-Static IPSec with NAT

Document ID: 14131

Introduction

In this sample configuration, a remote router receives an IP address through part of PPP called IP Control Protocol (IPCP). The remote router uses the IP address to connect to a hub router. This configuration enables the hub router to accept dynamic IPSec connections. The remote router uses network address translation (NAT) to "join" the privately addressed devices behind it to the privately addressed network behind the hub router. The remote router knows the endpoint and can initiate connections to the hub router. But the hub router does not know the endpoint, so it cannot initiate connections to the remote router.

In this example, dr_whoovie is the remote router and sam-i-am is the hub router. An access list specifies what traffic is to be encrypted, so dr_whoovie knows what traffic to encrypt and where the sam-i-am endpoint is located. The remote router must initiate the connection. Both sides are doing NAT overload.

Prerequisites

Requirements

This document requires a basic understanding of IPSec protocol. To learn more about IPSec, please refer to An Introduction to IP Security (IPSec) Encryption.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco IOS® Software Release 12.2(24a)


• Cisco 2500 Series Routers

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document. Note: To find additional information on the commands used in this document, use the Command Lookup Tool ( registered customers only) .

Network Diagram

This document uses this network setup:

Configurations

This document uses these configurations:

• sam-i-am

dr_whoovie

Verify

This section provides information you can use to confirm your configuration is working properly. Certain show commands are supported by the Output Interpreter Tool ( registered customers only) , which allows you to view an analysis of show command output.

• ping Used to diagnose basic network connectivity

  This example shows a ping from the 10.1.1.1 Ethernet interface on dr_whoovie to the 10.2.2.3
  Ethernet interface on sam-i-am.
    dr_whoovie# ping
    Protocol [ip]:
    Target IP address: 10.2.2.3
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 10.1.1.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.2.2.3,
    timeout is 2 seconds:
    Packet sent with a source address of 10.1.1.1

  !!!!!  Success rate is 100 percent (5/5),
    round-trip min/avg/max = 36/38/40 ms


• show crypto ipsec sa Shows the phase 2 security associations (SA)


• show crypto isakmp sa Shows the phase 1 SAs.

Sample Output

This output is from the show crypto ipsec sa command issued on the hub router.

  sam-i-am# show crypto ipsec sa
  interface: Serial0
  Crypto map tag: rtptrans, local addr. 99.99.99.1
  local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
  current_peer: 100.100.100.1
  PERMIT, flags={}
  #pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6
  #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0,
  #pkts decompress failed: 0, #send errors 0, #recv errors 0
  local crypto endpt.: 99.99.99.1, remote crypto endpt.: 100.100.100.1
  path mtu 1500, ip mtu 1500, ip mtu interface Serial0
  current outbound spi: 52456533
  inbound esp sas:
  spi: 0x6462305C(1684156508)
  transform: esp-des esp-md5-hmac
  in use settings ={Tunnel, }
  slot: 0, conn id: 2000, flow_id: 1, crypto map: rtptrans
  sa timing: remaining key lifetime (k/sec): (4607999/3510)
  IV size: 8 bytes
  replay detection support: Y
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  spi: 0x52456533(1380279603)
  transform: esp-des esp-md5-hmac
  in use settings ={Tunnel, }
  slot: 0, conn id: 2001, flow_id: 2, crypto map: rtptrans
  sa timing: remaining key lifetime (k/sec): (4607999/3510)
  IV size: 8 bytes
  replay detection support: Y
  outbound ah sas:
  outbound pcp sas:
This command shows IPSec SAs that are built between the peer devices. The encrypted tunnel connects the 100.100.100.1 interface on dr_whoovie and the 99.99.99.1 interface on sam-i-am. This tunnel carries traffic going between networks 10.2.2.3 and 10.1.1.1. Two Encapsulating Security Payload (ESP) SAs are built inbound and outbound. The tunnel is established even though sam-i-am does not know the peer IP address (100.100.100.1). Authentication Header (AH) SAs are not used since there are no AH configured.

These outputs samples show that the serial interface 0 on dr_whoovie receives an IP address of 100.100.100.1 through IPCP.

• Before the IP address is negotiated:

  dr_whoovie#show interface serial0
  Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address will be negotiated using IPCP
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set


• After the IP address is negotiated:
    dr_whoovie#show interface serial0
    Serial0 is up, line protocol is up
    Hardware is HD64570
    Internet address is 100.100.100.1/32
    MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation PPP, loopback not set

This example was set up in a lab with the peer default ip address command to assign an IP address at the remote end of the serial 0 interface on dr_whoovie. The IP pool is defined with the ip local pool command at the remote end.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool ( registered customers only) , which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands.

• debug crypto ipsec Shows the IPSec negotiations of phase 2.


• debug crypto isakmpShows the Internet Security Association and Key Management Protocol (ISAKMP) negotiations of phase 1.


• debug crypto engine Shows the traffic that is encrypted.


• debug ip nat detailed (Optional) Verifies the operation of the NAT feature by displaying information about every packet that the router translates.

Caution: This command generates a large amount of output. Use this command only when traffic on the IP network is low.


• clear crypto isakmpClears the SAs related to phase 1.


• clear crypto sa Clears the SAs related to phase 2.


• clear ip nat translationClears dynamic NAT translations from the translation table.

NetPro Discussion Forums - Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology.

Related Information

• IPSec Support Page

Technical Support - Cisco Systems

All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.