IPsec Behind NAT
-
We are having an issue with an IPsec tunnel with one of our clients. We need to communicate from our LAN network (172.16.10.0/24) to DST 10.1.12.1. To the other endpoint, all traffic should look as if it comes from IP address 192.168.100.1.
None of the interfaces has been configured with a physical IP from subnet 192.168.100.0/24.
Phase 1 is working, but we cannot establish Phase 2.
We tried the following settings with no luck:
Phase 2:
Mode: Tunnel IPv4
Local Network: 192.168.100.1
Remote Network: 10.1.12.1
Protocol: ESP
Encryption Algorithm: AES256 (others may also be checked, but be sure to leave 3DES checked)
Hash Algorithm: SHA1
PFS Key Group: 5
Lifetime: 300

Also:
Mode: Tunnel IPv4
Local Network: 172.16.10.0/24
NAT/BINAT: 192.168.100.1
Remote Network: 10.1.12.1
Protocol: ESP
Encryption Algorithm: AES256 (others may also be checked, but be sure to leave 3DES checked)
Hash Algorithm: SHA1
PFS Key Group: 5
Lifetime: 300

From the other side (Cisco ASA) all settings are correct. Can you provide all the steps that we must do from our side?
Thank you
-
I believe your real subnet must match your BINAT subnet. Try making your local subnet 172.16.10.1 or something to match.
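The following checker is an added example, not code from either poster or from pfSense. It models the selector logic this thread turns on: the traffic selector negotiated with the peer is the translated network, not the real LAN, and a 1:1 BINAT needs the real and translated networks to be the same size (the reply's point). The `Phase2` type, the `nat`/`binat` classification of a single-address translation, and the pf rule text on `enc0` are this example's assumptions about how the firewall applies the translation; the ASA is assumed to be configured as 10.1.12.1 <-> 192.168.100.1 as the question describes.

```python
"""Sanity-check a pfSense-style IPsec Phase 2 entry that uses NAT/BINAT.

Added example, not from the thread or from pfSense. Models the selector
logic the thread turns on: the peer negotiates on the translated network,
not the real LAN, and a 1:1 BINAT needs the real and translated networks
to be the same size. The pf rule text and the "nat"/"binat" labels are
assumptions about how the firewall applies the translation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Phase2:
    local: str                   # real local network or host, e.g. 172.16.10.0/24
    remote: str                  # remote network or host, e.g. 10.1.12.1
    binat: Optional[str] = None  # NAT/BINAT translation network or address


def _net(text: str) -> ipaddress.IPv4Network:
    # strict=False so a bare host address such as 172.16.10.1 parses as a /32
    return ipaddress.ip_network(text, strict=False)


def translation_kind(p: Phase2) -> str:
    """Classify the translation: 'none', 'binat' (1:1) or 'nat' (many-to-one).

    A /24 mapped to a single address cannot be 1:1; it is treated here as
    many-to-one NAT (an assumption about single-address translations).
    Anything else, e.g. a /24 mapped to a /25, is rejected.
    """
    if p.binat is None:
        return "none"
    local, nat = _net(p.local), _net(p.binat)
    if local.prefixlen == nat.prefixlen:
        return "binat"
    if nat.num_addresses == 1:
        return "nat"
    raise ValueError(f"{p.binat} must be the same size as {p.local} or a single address")


def peer_selector(p: Phase2) -> Tuple[str, str]:
    """Traffic selector offered to the peer: (translated local, remote)."""
    local = _net(p.binat) if p.binat else _net(p.local)
    return str(local), str(_net(p.remote))


def mirrors_peer(p: Phase2, peer_local: str, peer_remote: str) -> bool:
    """True if our selector is the mirror image of the peer's (its remote is our local)."""
    return peer_selector(p) == (str(_net(peer_remote)), str(_net(peer_local)))


def covers_source(p: Phase2, src: str) -> bool:
    """Would a packet from src match the real (pre-translation) local side?"""
    return ipaddress.ip_address(src) in _net(p.local)


def pf_rule(p: Phase2, iface: str = "enc0") -> Optional[str]:
    """The pf translation rule implied by the entry (assumed syntax), or None."""
    kind = translation_kind(p)
    if kind == "none":
        return None
    local, remote, nat = _net(p.local), _net(p.remote), _net(p.binat)
    target = str(nat) if kind == "binat" else str(nat.network_address)
    return f"{kind} on {iface} from {local} to {remote} -> {target}"


def report(p: Phase2, peer_local: str, peer_remote: str, lan_host: str) -> dict:
    """Everything worth knowing about one entry, as a dict for easy checking."""
    return {
        "kind": translation_kind(p),
        "selector": peer_selector(p),
        "mirrors_peer": mirrors_peer(p, peer_local, peer_remote),
        "carries_lan_host": covers_source(p, lan_host),
        "pf_rule": pf_rule(p),
    }


if __name__ == "__main__":
    # The two entries from the question plus the reply's suggestion (constructed
    # from the thread); the ASA side is assumed to be 10.1.12.1 <-> 192.168.100.1.
    entries = {
        "no translation": Phase2("192.168.100.1", "10.1.12.1"),
        "/24 to one address": Phase2("172.16.10.0/24", "10.1.12.1", "192.168.100.1"),
        "host to host (reply)": Phase2("172.16.10.1", "10.1.12.1", "192.168.100.1"),
    }
    for name, entry in entries.items():
        print(name, report(entry, "10.1.12.1", "192.168.100.1", "172.16.10.5"))
```

Running it over the thread's entries shows why the first attempt cannot carry LAN traffic even though its selector mirrors the ASA: with no translation, the real local side is 192.168.100.1/32, so a packet from 172.16.10.5 never matches the SA. The second attempt does cover the LAN host, but a /24 mapped to one address is not a 1:1 BINAT; only an entry whose real and translated sides are the same size, as in the reply's suggestion, classifies as `binat`.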