

This resolves VPN issues with peers behind NAT devices. You can view the identities being passed between VPN peers in IOS by debugging crypto isakmp.

The way I resolve this in IOS is to configure the router to match the identity of the remote side's private IP address, for example:

crypto keyring vpnkeyring
 pre-shared-key address remotePublicIP key Test123
crypto isakmp profile isakmpProfile1
 match identity address remotePrivateIP 255.255.255.255
crypto map Outside_map 1 ipsec-isakmp
 set peer remotePublicIP

What this means is that when IOS receives a VPN connection request and you have configured it to match/expect the identity of the remote side's public IP, but the remote side behind NAT is setting its identity using a private IP, the connection is denied and Phase 1 fails. One thing I want to mention, keeping in mind I've never used a Z1, is that when I'm dealing with a VPN between Cisco IOS routers and a remote VPN peer behind a NAT device using private IP addresses on its interfaces, the remote device using NAT Traversal will set its IKE identity using its private interface address if it's using IP addresses as the identity, which most do by default.
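The identity check described above, as an added example that is not part of the original post and is not Cisco's code: it parses an already-decrypted IKEv1 Identification payload (RFC 2407 layout) and tests it against an address/mask match rule, showing why matching on the public IP fails while matching on the private IP succeeds. The function names, the sample addresses and the payload bytes are constructed for illustration.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1  # ID type for a single IPv4 address (RFC 2407, section 4.6.2.1)

def parse_id_payload(payload: bytes):
    """Parse an IKEv1 Identification payload: generic header, then ID fields."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _rsvd, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    data = payload[8:]
    if id_type != ID_IPV4_ADDR:
        return id_type, None  # FQDN, key-id and other types are out of scope here
    if len(data) != 4:
        raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
    return id_type, ipaddress.IPv4Address(data)

def identity_matches(identity, match_addr, match_mask):
    """Model an address/mask identity match rule against the asserted identity."""
    if identity is None:
        return False
    net = ipaddress.IPv4Network(f"{match_addr}/{match_mask}", strict=False)
    return identity in net

def diagnose(src_ip, payload, match_addr, match_mask):
    """Say whether Phase 1 identity matching would succeed for this peer."""
    _, identity = parse_id_payload(payload)
    if identity_matches(identity, match_addr, match_mask):
        return "match"
    # Identity differs from the packet source and is RFC 1918: typical NAT-T case.
    if identity is not None and identity.is_private \
            and identity != ipaddress.IPv4Address(src_ip):
        return "mismatch: peer behind NAT asserts private identity"
    return "mismatch"

# Constructed sample: packets arrive from 203.0.113.10 (the NAT's public address),
# but the peer asserts ID_IPV4_ADDR 192.168.1.2, protocol 17 (UDP), port 500.
SAMPLE_ID = (struct.pack("!BBHBBH", 0, 0, 12, ID_IPV4_ADDR, 17, 500)
             + ipaddress.IPv4Address("192.168.1.2").packed)

if __name__ == "__main__":
    # Rule written for the public IP: identity check fails.
    print(diagnose("203.0.113.10", SAMPLE_ID, "203.0.113.10", "255.255.255.255"))
    # Rule written for the private IP, as in the post: identity check passes.
    print(diagnose("203.0.113.10", SAMPLE_ID, "192.168.1.2", "255.255.255.255"))
```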
