IPSec Behind NAT



  • We are having an issue with an IPSec tunnel with one of our clients. We need to communicate from our LAN Network (172.16.10.0/24) to DST 10.1.12.1. To the other endpoint all traffic should look from IP Address 192.168.100.1.

    None of the interfaces has been configured with a physical IP from subnet 192.168.100.0/24.

    Phase 1 is working but we cannot establish phase2.

    We tried the following settings with no luck:

    Phase 2:
    Mode: Tunnel IPv4
    Local Network: 192.168.100.1
    Remote Network: 10.1.12.1
    Protocol: ESP
    Encryption Algorithm: AES256 (others may also be checked, but be sure to leave 3DES checked)
    Hash Algorithm: SHA1
    PFS Key Group: 5
    Lifetime: 300

    Also:

    Mode: Tunnel IPv4
    Local Network: 172.16.10.0/24
    NAT/BINAT: 192.168.100.1
    Remote Network: 10.1.12.1
    Protocol: ESP
    Encryption Algorithm: AES256 (others may also be checked, but be sure to leave 3DES checked)
    Hash Algorithm: SHA1
    PFS Key Group: 5
    Lifetime: 300

    From the other side (Cisco ASA) all settings are correct. Can you provide all the steps that we must do from our side?

    Thank you



  • I believe your real subnet must match your binat subnet. Try making your local subnet 172.16.10.1 or something to match.
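The reply's condition, that the real local network and the NAT/BINAT network must be the same size for a 1:1 translation, can be checked before touching the firewall. The script below is an added example and is not from either poster or from any firewall vendor; it assumes the two Phase 2 fields are given as plain network strings, and the names check_phase2_nat and binat_translate are my own. It also generalises past the single-address case in the thread: for equal-size networks it shows which translated address a given inside host is presented as.

```python
import ipaddress


def check_phase2_nat(local_network: str, nat_network: str) -> dict:
    """Compare the real 'Local Network' with the 'NAT/BINAT' network of an
    IPsec Phase 2 entry and report whether a 1:1 (BINAT) mapping is possible.

    A single address such as '192.168.100.1' is treated as a /32.
    """
    local = ipaddress.ip_network(local_network, strict=False)
    nat = ipaddress.ip_network(nat_network, strict=False)

    result = {
        "local": str(local),
        "nat": str(nat),
        "local_hosts": local.num_addresses,
        "nat_hosts": nat.num_addresses,
    }

    if local.prefixlen == nat.prefixlen:
        # Same prefix length: every inside address has exactly one outside
        # address, which is what a 1:1 BINAT needs.
        result["ok"] = True
        result["mode"] = "binat"
        result["reason"] = "local and NAT networks are the same size"
    elif nat.num_addresses == 1:
        # The thread's failing case: a whole subnet against one address.
        result["ok"] = False
        result["mode"] = "many-to-one"
        result["reason"] = (
            f"{local} has {local.num_addresses} addresses but the NAT "
            f"network is a single host; not a 1:1 BINAT"
        )
    else:
        result["ok"] = False
        result["mode"] = "mismatch"
        result["reason"] = "prefix lengths differ; not a 1:1 BINAT"
    return result


def binat_translate(local_network: str, nat_network: str, host: str) -> str:
    """For a valid 1:1 BINAT, return the translated address of an inside host.

    The host keeps its offset within the network, so 172.16.10.37 in a
    172.16.10.0/24 -> 192.168.100.0/24 mapping becomes 192.168.100.37.
    """
    check = check_phase2_nat(local_network, nat_network)
    if not check["ok"]:
        raise ValueError(check["reason"])

    local = ipaddress.ip_network(local_network, strict=False)
    nat = ipaddress.ip_network(nat_network, strict=False)
    addr = ipaddress.ip_address(host)
    if addr not in local:
        raise ValueError(f"{addr} is not inside {local}")

    offset = int(addr) - int(local.network_address)
    return str(nat.network_address + offset)


if __name__ == "__main__":
    # Constructed inputs taken from the thread's two attempts.
    for local, nat in [("172.16.10.0/24", "192.168.100.1"),
                       ("172.16.10.1", "192.168.100.1")]:
        r = check_phase2_nat(local, nat)
        print(f"{r['local']:>18} -> {r['nat']:<18} {r['mode']:<12} {r['reason']}")

    # Equal-size networks: show the per-host translation.
    print(binat_translate("172.16.10.0/24", "192.168.100.0/24", "172.16.10.37"))
```

Running it prints the first attempt (a /24 against a single address) as many-to-one and the second (a single host against a single host) as a workable 1:1 BINAT, which is the distinction the reply above is pointing at.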