IPSec Service Is Unavailable After NAT Is Enabled on the AR G3 Router

Publication Date: 2015-06-08
Issue Description
As shown in the following figure, the PC accesses the server after NAT is implemented on Router_1. After an IPSec tunnel is configured between Router_1 and Router_2, the tunnel fails to be set up. After the NAT service is disabled, the IPSec service becomes available.



The configuration of Router_1 is as follows:

acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 3.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha2-256
#
ike peer spub v1
 pre-shared-key cipher %^%#A'yl"vD>"K%xE#S.$|Y)0x.m8v\{^>M%222M##DK%^%#
 ike-proposal 5
 remote-address 2.1.1.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
nat address-group 1 1.1.1.2 1.1.1.2
#
interface GigabitEthernet0/0/2
 ip address 1.1.1.1 255.255.255.0
 ipsec policy map1
 nat outbound 3000 address-group 1
#

Handling Process
1. Check the IPSec and NAT configuration on Router_1, in particular whether the IPSec ACL and the NAT ACL are defined correctly.

acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 3.1.1.0 0.0.0.255
#

The configuration shows that all traffic from the PC with a source address in 10.1.1.0/24 matches NAT ACL 3000, including the traffic that is meant to pass through the IPSec tunnel. NAT takes precedence: for the data flows generated when the PC accesses the server, the AR translates the source address before the IPSec policy is evaluated, so the translated packets no longer match IPSec ACL 3101. The ACLs are therefore configured incorrectly.

To resolve this issue, use either of the following methods: 1) Change the source IP address in the IPSec ACL rule to the translated IP address of the PC; 2) Modify the NAT policy so that the data flow that needs to be encapsulated using IPSec is excluded from NAT.

2. Modify the ACL accordingly.
  • To apply NAT to the data flow before IPSec encapsulation, change the source IP address in IPSec ACL 3101 to the translated IP address (the NAT address-group address 1.1.1.2 lies in 1.1.1.0/24).
    [Router_1] acl 3101
    [Router_1-acl-adv-3101] rule permit ip source 1.1.1.0 0.0.0.255 destination 3.1.1.0 0.0.0.255
  • To exclude the data flow that needs to be encapsulated using IPSec from NAT, add a deny rule to NAT ACL 3000. The deny rule must carry a lower rule ID than the existing rule 5 permit: the AR matches ACL rules in ascending rule-ID order (the default match-order config), so a deny numbered 10 would sit behind the permit and never be reached.
    [Router_1] acl 3000
    [Router_1-acl-adv-3000] rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 3.1.1.0 0.0.0.255

The IPSec service becomes available after the modification.
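The following is an added example, not part of the Huawei article: a small Python model of the forwarding order described above (NAT ACL evaluated first, then the IPSec policy on the possibly translated source) with Huawei-style wildcard masks and ascending rule-ID matching. It replays the original Router_1 ACLs, both fixes, and a deny rule placed behind the permit; the host addresses and helper names are the example's own.

```python
from ipaddress import ip_address


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(base)) & care)


def acl_lookup(rules, src, dst):
    """Rules are (rule_id, action, src, src_wc, dst, dst_wc). With the default
    match-order config the AR checks rules in ascending rule-ID order and the
    first match wins. Returns 'permit', 'deny' or None (no rule matched)."""
    for _rule_id, action, rsrc, rswc, rdst, rdwc in sorted(rules):
        if wildcard_match(src, rsrc, rswc) and wildcard_match(dst, rdst, rdwc):
            return action
    return None


def forward(nat_acl, ipsec_acl, src, dst, nat_addr="1.1.1.2"):
    """Model the AR order on the outbound interface: nat outbound is applied
    first, then the IPSec policy sees the (possibly translated) source.
    Returns (source address on the wire, whether the packet is IPSec-encapsulated)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = nat_addr                      # translated by address-group 1
    return src, acl_lookup(ipsec_acl, src, dst) == "permit"


ANY = ("0.0.0.0", "255.255.255.255")
PC, SERVER = "10.1.1.10", "3.1.1.10"      # constructed hosts in the article's subnets
INTERNET = "203.0.113.5"                  # constructed non-tunnel destination

# Original Router_1 ACLs from the article.
NAT_3000 = [(5, "permit", "10.1.1.0", "0.0.0.255", *ANY)]
IPSEC_3101 = [(5, "permit", "10.1.1.0", "0.0.0.255", "3.1.1.0", "0.0.0.255")]
# Method 1: IPSec ACL also matches the translated source.
IPSEC_3101_FIX = IPSEC_3101 + [(10, "permit", "1.1.1.0", "0.0.0.255", "3.1.1.0", "0.0.0.255")]
# Method 2: deny the tunnel flow in the NAT ACL. Rule 1 is checked before rule 5;
# a rule 10 deny would sit behind the permit and never be reached.
NAT_3000_FIX = NAT_3000 + [(1, "deny", "10.1.1.0", "0.0.0.255", "3.1.1.0", "0.0.0.255")]
NAT_3000_BAD = NAT_3000 + [(10, "deny", "10.1.1.0", "0.0.0.255", "3.1.1.0", "0.0.0.255")]

if __name__ == "__main__":
    for label, nat, ipsec in [("original", NAT_3000, IPSEC_3101),
                              ("method 1", NAT_3000, IPSEC_3101_FIX),
                              ("method 2", NAT_3000_FIX, IPSEC_3101),
                              ("deny behind permit", NAT_3000_BAD, IPSEC_3101)]:
        print(f"{label:>19}: PC->server {forward(nat, ipsec, PC, SERVER)}")
```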
Root Cause
If both IPSec and NAT services are configured on an AR interface, the device performs NAT first when forwarding packets; the IPSec policy is then evaluated against the translated packets, so IPSec is applied only to flows that either do not match the NAT ACL or still match the IPSec ACL after translation. The configuration of Router_1 shows that NAT ACL 3000 and IPSec ACL 3101 are both defined for the same private source address range 10.1.1.0/24. The flows intended for the tunnel therefore match NAT ACL 3000, are translated to 1.1.1.2, and no longer match IPSec ACL 3101.
Suggestions
When both IPSec and NAT services are configured on an AR, determine whether the data flow that needs to be encapsulated using IPSec should also be translated by NAT.
  • If so, change the source IP address in the IPSec ACL rule to the translated IP address.
  • If not, keep the original (pre-NAT) source IP address in the IPSec ACL rule and add a deny rule for that data flow to the NAT ACL, numbered so that it is matched before the permit rule, so the flow bypasses NAT and enters the IPSec tunnel.
