Ruijie Networks—VPN function—IPSEC extended configuration—IPSec NAT traversal configuration

Table of contents

1. Networking requirements

2. Network topology

3. Configuration points

4. Configuration verification


 

1. Networking requirements

R1 is a router in the internal network. It reaches the external network through the egress NAT router, which translates its address, and it needs to establish an IPSEC tunnel with R3 on the external network to encrypt the traffic of interest.

2. Network topology

3. Configuration points

1. Configure the basic IPSEC functions of R1 and R3. The NAT traversal function of IPSEC is enabled by default and does not require manual configuration.

Note: Some older devices from other vendors do not support NAT traversal. When interconnecting with them, the negotiation may report an error and the connection cannot be established. In this case it is recommended to disable NAT traversal on the Ruijie device, which is done with the following command:

Ruijie(config)#crypto isakmp nat-traversal disable

2. After completing the above configuration, by default only R1 can actively initiate the IPSEC connection; R3 cannot initiate it. If the outside peer is to be allowed to initiate IPSEC establishment, then because of how NAT works, UDP ports 500 and 4500 must be statically mapped on the PAT device:

ip nat inside source static udp 10.1.1.1 500 202.100.1.1 500

ip nat inside source static udp 10.1.1.1 4500 202.100.1.1 4500
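How the two peers discover that a NAT sits between them, which is what makes NAT-T necessary in the first step and what the static UDP 500/4500 mappings in the second step have to satisfy when the outside peer initiates. This is an added example, not code from the article or from Ruijie; it models the IKEv1 NAT-D exchange defined in RFC 3947 using the addresses from the topology above, constructed phase-1 cookies, and SHA-1 assumed as the negotiated hash.

```python
import hashlib
import ipaddress
import struct

# Addresses from the topology on this page.
R1_PRIVATE = "10.1.1.1"      # R1's interface address, behind the egress NAT
R1_MAPPED = "202.100.1.1"    # address the NAT router rewrites it to
R3_PUBLIC = "202.100.1.100"  # R3 on the external network
IKE_PORT = 500
NAT_T_PORT = 4500

# Constructed phase-1 cookies (8 bytes each); real ones are random per negotiation.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i, cky_r, ip, port, hash_fn=hashlib.sha1):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    IP is the 4-byte IPv4 address and Port a 2-byte port, both in network order.
    The hash is whichever one phase 1 negotiated; SHA-1 is assumed here."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hash_fn(data).digest()


def initiator_nat_d(local_ip, local_port, remote_ip, remote_port):
    """The initiator sends two NAT-D payloads: first the peer's address as it
    believes it to be, then its own address as it sees itself."""
    return (nat_d_hash(CKY_I, CKY_R, remote_ip, remote_port),
            nat_d_hash(CKY_I, CKY_R, local_ip, local_port))


def responder_detect(nat_d_payloads, own_ip, own_port, observed_src_ip, observed_src_port):
    """The responder recomputes both hashes from what it actually sees on the wire.

    A mismatch on the second payload means the initiator's source address or port
    was rewritten on the path (initiator behind NAT); a mismatch on the first one
    means the responder itself sits behind a NAT."""
    remote_hash, local_hash = nat_d_payloads
    return {
        "responder_behind_nat": nat_d_hash(CKY_I, CKY_R, own_ip, own_port) != remote_hash,
        "initiator_behind_nat": nat_d_hash(CKY_I, CKY_R, observed_src_ip, observed_src_port) != local_hash,
    }


def negotiate(initiator_ip, observed_src_ip, observed_src_port, responder_ip=R3_PUBLIC):
    """Model one phase-1 exchange: return the NAT verdict plus the UDP port the
    remaining IKE messages and the ESP traffic move to (None = plain ESP)."""
    payloads = initiator_nat_d(initiator_ip, IKE_PORT, responder_ip, IKE_PORT)
    verdict = responder_detect(payloads, responder_ip, IKE_PORT,
                               observed_src_ip, observed_src_port)
    nat_present = verdict["initiator_behind_nat"] or verdict["responder_behind_nat"]
    verdict["esp_port"] = NAT_T_PORT if nat_present else None
    return verdict


if __name__ == "__main__":
    # R1 sends from 10.1.1.1:500; the egress NAT rewrites it to 202.100.1.1:500.
    print("R1 behind NAT:", negotiate(R1_PRIVATE, R1_MAPPED, IKE_PORT))
    # Same exchange with no NAT on the path: hashes match, plain ESP is used.
    print("no NAT:", negotiate(R1_MAPPED, R1_MAPPED, IKE_PORT))
```

The verdict is reached only after a packet from the initiator has crossed the NAT, which is why R1 can always bring the tunnel up: its outgoing IKE packet creates the NAT state that carries the replies back. When R3 initiates, its first packet to 202.100.1.1:500 matches no existing state, so it is dropped unless the static UDP 500 and 4500 mappings above forward it to 10.1.1.1. A port-only rewrite (PAT picking a different source port) changes the hash just as an address rewrite does, so it is detected too.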

4. Configuration verification

R1#show cry isakmp sa

 destination       source            state                    conn-id           lifetime(second)

 202.100.1.100     10.1.1.1          QM_IDLE                  33                86365           

RSR50-20#show cry ipsec on

Interface: GigabitEthernet 0/0

         Crypto map tag:crymap, local addr 10.1.1.1

         media mtu 1500

         ==================================

         item type:static, seqno:10, id=32

         local  ident (addr/mask/prot/port): (1.1.1.1/0.0.0.0/0/0))

         remote  ident (addr/mask/prot/port): (3.3.3.3/0.0.0.0/0/0))

         PERMIT

         #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

         #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

         #send errors 0, #recv errors 0

         Inbound esp sas:

              spi:0x262ca54c (640460108)

               transform: esp-des esp-md5-hmac

               in use settings={Tunnel UDP-Encaps,}                                 //Standard NAT-T encapsulation

               crypto map crymap 10

               sa timing: remaining key lifetime (k/sec): (4607998/3563)

               IV size: 8 bytes

               Replay detection support:Y

         Outbound esp sas:

              spi:0x3800b2ca (939569866)

               transform: esp-des esp-md5-hmac

               in use settings={Tunnel UDP-Encaps,}

               crypto map crymap 10

               sa timing: remaining key lifetime (k/sec): (4607998/3563)

               IV size: 8 bytes

               Replay detection support:Y
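A scripted version of the verification above, added here as an example that is not part of the article or of Ruijie's software: it parses the two command outputs shown on this page (copied into the constructed strings below) and reports whether phase 1 reached QM_IDLE, whether every ESP SA carries the UDP-Encaps setting that proves NAT-T is in use, and whether the counters are consistent. The weak-transform list is an assumed operator policy, not something the page states.

```python
import re

# Constructed excerpts, copied from the "show crypto isakmp sa" and
# "show crypto ipsec sa" output on this page (not captured from a live device).
ISAKMP_SA = """\
 destination       source            state                    conn-id           lifetime(second)
 202.100.1.100     10.1.1.1          QM_IDLE                  33                86365
"""

IPSEC_SA = """\
Interface: GigabitEthernet 0/0
         Crypto map tag:crymap, local addr 10.1.1.1
         #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
         #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
         #send errors 0, #recv errors 0
         Inbound esp sas:
              spi:0x262ca54c (640460108)
               transform: esp-des esp-md5-hmac
               in use settings={Tunnel UDP-Encaps,}
         Outbound esp sas:
              spi:0x3800b2ca (939569866)
               transform: esp-des esp-md5-hmac
               in use settings={Tunnel UDP-Encaps,}
"""

# Assumed operator policy: transforms that should not be in use on a modern tunnel.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_isakmp(text):
    """Rows of the phase-1 SA table as dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            rows.append({"destination": parts[0], "source": parts[1],
                         "state": parts[2], "conn_id": int(parts[3]),
                         "lifetime": int(parts[4])})
    return rows


def parse_ipsec(text):
    """Packet counters, error counters and the per-direction ESP SAs."""
    out = {"counters": {}, "errors": {}, "sas": []}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        # "#pkts digest 4" has no colon, so the colon is optional in the pattern.
        for name, val in re.findall(r"#pkts (\w+):? (\d+)", line):
            out["counters"][name] = int(val)
        for name, val in re.findall(r"#(send|recv) errors (\d+)", line):
            out["errors"][name] = int(val)
        m = re.match(r"(Inbound|Outbound) esp sas:", line)
        if m:
            direction = m.group(1).lower()
        elif (m := re.match(r"spi:(0x[0-9a-fA-F]+)", line)) and direction:
            out["sas"].append({"direction": direction, "spi": int(m.group(1), 16),
                               "transform": [], "settings": []})
        elif (m := re.match(r"transform: (.+)", line)) and out["sas"]:
            out["sas"][-1]["transform"] = m.group(1).split()
        elif (m := re.match(r"in use settings=\{([^}]*)\}", line)) and out["sas"]:
            # "{Tunnel UDP-Encaps,}" -> ["Tunnel", "UDP-Encaps"]
            out["sas"][-1]["settings"] = [s for s in re.split(r"[,\s]+", m.group(1)) if s]
    return out


def check_nat_t(isakmp_text, ipsec_text):
    """Return a list of findings; an empty list means the NAT-T tunnel looks healthy."""
    findings = []
    if not any(r["state"] == "QM_IDLE" for r in parse_isakmp(isakmp_text)):
        findings.append("no ISAKMP SA in QM_IDLE: phase 1 has not completed")
    sa = parse_ipsec(ipsec_text)
    if not sa["sas"]:
        findings.append("no ESP SAs: phase 2 has not completed")
    for esp in sa["sas"]:
        if "UDP-Encaps" not in esp["settings"]:
            findings.append(f"{esp['direction']} SA {esp['spi']:#x} is not UDP-encapsulated: "
                            "NAT was not detected or NAT-T is disabled on a peer")
    c = sa["counters"]
    if c.get("encaps") != c.get("encrypt") or c.get("decaps") != c.get("decrypt"):
        findings.append("encapsulation and encryption counters disagree")
    for name, val in sa["errors"].items():
        if val:
            findings.append(f"{name} errors: {val}")
    return findings


def weak_transforms(ipsec_text):
    """Advisory: ESP transforms in use that appear in WEAK_TRANSFORMS."""
    return sorted({t for esp in parse_ipsec(ipsec_text)["sas"]
                   for t in esp["transform"] if t in WEAK_TRANSFORMS})


if __name__ == "__main__":
    print(check_nat_t(ISAKMP_SA, IPSEC_SA) or "NAT-T tunnel healthy")
    print("weak transforms in use:", weak_transforms(IPSEC_SA))
```

On the page's own output the structural checks pass, while the advisory check reports esp-des and esp-md5-hmac, both of which the sample tunnel uses. Running the same checks on output where the settings line reads only {Tunnel,} flags each SA, which is what you would see if NAT traversal had been disabled with the command in the configuration points above while the peer still sat behind the NAT.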


Origin blog.csdn.net/weixin_57099902/article/details/132765820