Fault AR1200 unidirectional traffic over ipsec tunnel

Publication Date:  2013-10-27  |   Views:  3  |   Downloads:  0  |   Author:  b00745015  |   Document ID:  EKB1000035524


Issue Description

A device that sits behind an AR router performing NAT establishes an IPsec VPN to a remote peer. The packets leave the device and are sent into the tunnel correctly, but the return traffic never makes it back to the device.

third party router ---------- ipsec --- AR with NAT enabled ------------ ipsec --- third party router
--------------------> OK
<------------------- NOT OK

Alarm Information

none.

Handling Process

When a NAT device sits between the IPsec peers, the NAT traversal (NAT-T) feature must be enabled on both peers. Without it, the AR creates a NAT mapping only for the IKE negotiation on UDP port 500; the ESP packets that carry the tunnel traffic (IP protocol 50) have no port numbers, so after NAT the return packets cannot be matched back to the inside device and are dropped. This is why traffic is seen leaving but never returning.

With NAT traversal enabled, the packets sent through the tunnel are encapsulated in UDP with port 4500, so the NAT creates a session that it can map in both directions, as the NAT session table shows:

<R6>dis nat session all
  NAT Session Table Information:

     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 100.3.6.1       4500                                
     DestAddr Port Vpn : 100.6.9.2       4500                                

     NAT-Info
       New SrcAddr     : 100.6.9.1     
       New SrcPort     : 10245
       New DestAddr    : ----
       New DestPort    : ----

Root Cause

Checking the NAT session table before the fix, I saw that the only session used for establishing the tunnel was on port 500, the default IKE well-known port; no UDP 4500 session existed, which means NAT traversal was not negotiated and the ESP traffic was not being translated:

<R6>dis nat session all
  NAT Session Table Information:

     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 10.1.1.1    500   zzzzz:1                        
     DestAddr Port Vpn : 1.12.3.14 500   zzzzzz:1      
                  
     NAT-Info
       New SrcAddr     : 3.1.25.2  
       New SrcPort     : 10413
       New DestAddr    : ----
       New DestPort    : ----
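The check described in the Handling Process and Root Cause sections can be scripted. The following added example (not part of the original article or of Huawei's software) parses the "display nat session all" output in the format shown above, reports whether the NAT device is seeing only the IKE session on UDP 500 (ESP cannot traverse) or the NAT-T session on UDP 4500, and also shows how a receiver tells IKE from ESP inside a UDP 4500 datagram, which is what makes the return path mappable. The two session-table samples are constructed from the outputs above; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

IKE_PORT = 500       # IKE (ISAKMP) well-known port
NAT_T_PORT = 4500    # UDP port used by IKE and UDP-encapsulated ESP once NAT-T is negotiated

# RFC 3948: IKE carried on UDP 4500 is prefixed with four zero bytes (the "non-ESP marker").
# An ESP packet starts with its SPI, which is never all zero, so the two are unambiguous.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class NatSession:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    new_src: str
    new_src_port: int


# Constructed samples modelled on the two "display nat session all" outputs in this article.
SAMPLE_NO_NATT = """\
  NAT Session Table Information:

     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 10.1.1.1    500   zzzzz:1
     DestAddr Port Vpn : 1.12.3.14 500   zzzzzz:1

     NAT-Info
       New SrcAddr     : 3.1.25.2
       New SrcPort     : 10413
       New DestAddr    : ----
       New DestPort    : ----
"""

SAMPLE_NATT = """\
  NAT Session Table Information:

     Protocol          : UDP(17)
     SrcAddr  Port Vpn : 100.3.6.1       4500
     DestAddr Port Vpn : 100.6.9.2       4500

     NAT-Info
       New SrcAddr     : 100.6.9.1
       New SrcPort     : 10245
       New DestAddr    : ----
       New DestPort    : ----
"""

# One session entry: protocol line, original src/dst lines, then the NAT-Info translation.
SESSION_RE = re.compile(
    r"Protocol\s*:\s*(?P<proto>\w+)\(\d+\)\s*"
    r"SrcAddr\s+Port\s+Vpn\s*:\s*(?P<src>\S+)\s+(?P<sport>\d+)[^\n]*\n\s*"
    r"DestAddr\s+Port\s+Vpn\s*:\s*(?P<dst>\S+)\s+(?P<dport>\d+)[^\n]*\n\s*"
    r"NAT-Info\s*"
    r"New SrcAddr\s*:\s*(?P<nsrc>\S+)\s*"
    r"New SrcPort\s*:\s*(?P<nsport>\d+)",
    re.S,
)


def parse_nat_sessions(text: str) -> List[NatSession]:
    """Extract every session entry from the CLI output into a NatSession record."""
    return [
        NatSession(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   m["nsrc"], int(m["nsport"]))
        for m in SESSION_RE.finditer(text)
    ]


def ipsec_nat_status(sessions: List[NatSession]) -> str:
    """Classify what the NAT device holds for the IPsec peers.

    'nat-t'    : a UDP 4500 session exists; ESP rides inside UDP and replies map back.
    'ike-only' : only UDP 500 (IKE) is mapped; ESP (IP proto 50) has no ports, so return
                 ESP packets cannot be matched to an inside host -> one-way traffic.
    'none'     : no IKE/IPsec-related sessions at all.
    """
    ports = {(s.proto, s.dst_port) for s in sessions}
    if ("UDP", NAT_T_PORT) in ports:
        return "nat-t"
    if ("UDP", IKE_PORT) in ports:
        return "ike-only"
    return "none"


def classify_udp4500_payload(payload: bytes) -> str:
    """Tell IKE from UDP-encapsulated ESP in a UDP 4500 datagram (RFC 3948 demultiplexing)."""
    if payload == b"\xff":                      # one 0xFF byte is a NAT keepalive
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:                       # SPI (4 bytes) + sequence number (4 bytes)
        return "esp"
    return "invalid"


if __name__ == "__main__":
    for label, text in (("before NAT-T", SAMPLE_NO_NATT), ("after NAT-T", SAMPLE_NATT)):
        print(label, "->", ipsec_nat_status(parse_nat_sessions(text)))
```

Run it against a saved copy of "display nat session all" from the AR; "ike-only" reproduces the one-way symptom in this article, while "nat-t" is what the table looks like once both peers have NAT traversal enabled.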

Suggestions

none