Table of contents
1. Networking requirements
R1 is a router in the internal network. It reaches the external network through an egress NAT router that performs address translation, and needs to establish an IPsec tunnel with R3 on the external network to encrypt the traffic of interest.
2. Network topology
3. Configuration points
1. Configure basic IPsec on R1 and R3. IPsec NAT traversal (NAT-T) is enabled by default and needs no manual configuration.
Note: Some older devices from other vendors do not support NAT traversal. When interconnecting with such a device, negotiation may report an error and the tunnel cannot be established. In that case it is recommended to disable NAT traversal on the Ruijie device with the following command. Keep in mind that with NAT traversal disabled, ESP is sent as IP protocol 50 instead of inside UDP 4500, so any NAT device between the peers must be able to forward it; in the topology above, where R1 sits behind a PAT router, NAT-T is what makes the tunnel work.
Ruijie(config)#crypto isakmp nat-traversal disable
2. After the above configuration, by default only R1 can initiate the IPsec connection; R3 cannot, because the PAT device has no translation entry for R1 until R1 sends traffic outward. If R3 is to be allowed to initiate the tunnel, UDP port 500 (ISAKMP) and UDP port 4500 (NAT-T) must be statically mapped to R1 on the PAT device:
ip nat inside source static udp 10.1.1.1 500 202.100.1.1 500
ip nat inside source static udp 10.1.1.1 4500 202.100.1.1 4500
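The reason the tunnel above ends up UDP-encapsulated is the NAT-D exchange of RFC 3947: each peer sends a hash of the address and port it believes it is using, and the other side recomputes the hash over the source it actually saw. A mismatch means a NAT sits on that side and ESP is moved into UDP 4500. The Python below is an added illustration of that computation for this page's topology and is not Ruijie code; the ISAKMP cookie values are constructed, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import socket
import struct

# Constructed ISAKMP cookies (8 bytes each); real ones are random per exchange.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    IP is 4 bytes and Port is 2 bytes, both in network byte order; the hash is
    the one negotiated in phase 1 (SHA-1 assumed here).
    """
    h = hashlib.new(algo)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def peer_behind_nat(cky_i, cky_r, claimed_ip, claimed_port, observed_ip, observed_port):
    """True when the address a peer hashed into its NAT-D payload differs from
    the address/port the receiver actually saw on the wire."""
    claimed = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    observed = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return claimed != observed


def nat_t_decision():
    """Reproduce the page's topology: R1 (10.1.1.1) behind a PAT router that
    presents 202.100.1.1, talking to R3 (202.100.1.100) on the outside.
    Returns which side is behind NAT and whether ESP must move to UDP 4500."""
    # R1 hashes its own pre-NAT address; R3 recomputes over the translated source.
    r1_natted = peer_behind_nat(CKY_I, CKY_R, "10.1.1.1", 500, "202.100.1.1", 500)
    # R3 hashes 202.100.1.100:500 and R1 sees exactly that: no NAT on R3's side.
    r3_natted = peer_behind_nat(CKY_I, CKY_R, "202.100.1.100", 500, "202.100.1.100", 500)
    return {
        "r1_behind_nat": r1_natted,
        "r3_behind_nat": r3_natted,
        # Any NAT on the path -> UDP-encapsulated ESP on port 4500, which the
        # SA display reports as "UDP-Encaps".
        "udp_encaps": r1_natted or r3_natted,
    }


if __name__ == "__main__":
    print(nat_t_decision())
```

Because the hash covers the port as well as the address, a PAT device that rewrites the source port also triggers detection; this is why the static mappings above pin UDP 500 and 4500 to the same ports on the outside rather than letting PAT pick them.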
4. Configuration verification
R1#show cry isakmp sa
destination        source        state     conn-id   lifetime(second)
202.100.1.100      10.1.1.1      QM_IDLE   33        86365
RSR50-20#show cry ipsec sa
Interface: GigabitEthernet 0/0
Crypto map tag:crymap, local addr 10.1.1.1
media mtu 1500
==================================
item type:static, seqno:10, id=32
local ident (addr/mask/prot/port): (1.1.1.1/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/0.0.0.0/0/0)
PERMIT
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 0, #recv errors 0
Inbound esp sas:
spi:0x262ca54c (640460108)
transform: esp-des esp-md5-hmac //DES and HMAC-MD5 are deprecated; use AES and SHA-2 transforms in production
in use settings={Tunnel UDP-Encaps,} //UDP-Encaps shows standard NAT-T encapsulation (ESP in UDP 4500) is in use
crypto map crymap 10
sa timing: remaining key lifetime (k/sec): (4607998/3563)
IV size: 8 bytes
Replay detection support:Y
Outbound esp sas:
spi:0x3800b2ca (939569866)
transform: esp-des esp-md5-hmac
in use settings={Tunnel UDP-Encaps,}
crypto map crymap 10
sa timing: remaining key lifetime (k/sec): (4607998/3563)
IV size: 8 bytes
Replay detection support:Y
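When checking a NAT-T tunnel by hand, the three things to read off the SA display are whether every ESP SA shows UDP-Encaps, whether the encaps and decaps counters both move, and what transforms were negotiated. The Python below is an added example, not part of this page or of Ruijie's software, that parses the output shown above (embedded here as a constructed sample trimmed to the relevant lines) and reports those checks; the field names and regular expressions assume the Cisco-style layout of the display.

```python
import re

# Constructed sample: the `show crypto ipsec sa` output from this page, trimmed
# to the lines the checks below need.
SAMPLE_SA_OUTPUT = """\
Crypto map tag:crymap, local addr 10.1.1.1
item type:static, seqno:10, id=32
local ident (addr/mask/prot/port): (1.1.1.1/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/0.0.0.0/0/0)
PERMIT
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 0, #recv errors 0
Inbound esp sas:
spi:0x262ca54c (640460108)
transform: esp-des esp-md5-hmac
in use settings={Tunnel UDP-Encaps,}
Outbound esp sas:
spi:0x3800b2ca (939569866)
transform: esp-des esp-md5-hmac
in use settings={Tunnel UDP-Encaps,}
"""

# Transforms a reviewer should flag even when the tunnel "works".
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """Pull the counters and per-SA settings out of the SA display."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    err = re.search(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", text)
    sas = []
    # Each SA block: spi line, transform line, then the in-use settings line.
    pattern = r"spi:0x([0-9a-fA-F]+).*?\n\s*transform:\s*(.+?)\n\s*in use settings=\{([^}]*)\}"
    for m in re.finditer(pattern, text, re.S):
        settings = set(m.group(3).replace(",", " ").split())
        sas.append({"spi": int(m.group(1), 16),
                    "transforms": set(m.group(2).split()),
                    "udp_encaps": "UDP-Encaps" in settings})
    return {
        "encaps": int(enc.group(1)) if enc else 0,
        "decaps": int(dec.group(1)) if dec else 0,
        "send_errors": int(err.group(1)) if err else 0,
        "recv_errors": int(err.group(2)) if err else 0,
        "sas": sas,
    }


def check_nat_t(text):
    """Return findings in a fixed order: NAT-T state, traffic, errors, weak crypto."""
    p = parse_ipsec_sa(text)
    findings = []
    if not p["sas"]:
        return ["FAIL: no ESP SAs found; phase 2 has not completed"]
    if all(sa["udp_encaps"] for sa in p["sas"]):
        findings.append("OK: all ESP SAs use UDP-Encaps (NAT-T on UDP 4500)")
    else:
        findings.append("WARN: some SAs carry raw ESP; a PAT device in the path will drop them")
    if p["encaps"] > 0 and p["decaps"] > 0:
        findings.append("OK: traffic flows both ways (%d out, %d in)" % (p["encaps"], p["decaps"]))
    elif p["encaps"] > 0:
        findings.append("WARN: packets leave but none return; check the UDP 500/4500 mapping and return path")
    else:
        findings.append("WARN: no interesting traffic has hit the SA yet")
    if p["send_errors"] or p["recv_errors"]:
        findings.append("WARN: send errors %d, recv errors %d" % (p["send_errors"], p["recv_errors"]))
    weak = set().union(*(sa["transforms"] for sa in p["sas"])) & WEAK_TRANSFORMS
    if weak:
        findings.append("WARN: deprecated transforms in use: " + ", ".join(sorted(weak)) + "; use AES and SHA-2")
    return findings


if __name__ == "__main__":
    for line in check_nat_t(SAMPLE_SA_OUTPUT):
        print(line)
```

Run against the page's output this reports the tunnel as healthy from a NAT-T point of view but flags esp-des and esp-md5-hmac; a one-way counter pattern (encaps climbing, decaps stuck at zero) is the usual symptom of a missing or wrong UDP 4500 mapping on the PAT device.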