Common Problems and Resolutions

There are several common issues that you might encounter with the tunnel build-up process or with sending data across the tunnel. These have been discussed in the preceding relevant troubleshooting sections. This section reiterates all the following common problems in more detail and provides solutions.

NAT with IPsec issues

Firewall and IPsec

Maximum Transmission Unit (MTU) issues

Split tunneling issues

NAT with IPsec Issues
NAT can interact or interfere with IPsec in two ways, which are discussed in detail in this section.

NAT in the tunnel End Point
If you have NAT configured on the tunnel end points (for example, on PIX-A or PIX-B or both), for IPsec to work properly, you must configure a NAT exemption. You would do so under the following circumstances:

If the nat-control command is enabled
If the nat-control command is on, you must configure NAT; otherwise, the PIX will not pass traffic. Under this configuration setup, you configure NAT because the traffic requires translation (usually Internet-bound traffic), and you create a NAT exemption for the VPN traffic.

If the nat-control command is disabled, but the PIX is configured with NAT
If the nat-control command is turned off, but you have NAT configured that translates the source network of the VPN traffic, you need to create the NAT exemption to bypass NAT for the VPN traffic.

If the nat-control command is disabled, and NAT is not configured
With this configuration setup, you do not need any configuration to bypass NAT for the VPN traffic.

You can configure NAT exemption for both LAN-to-LAN and Remote Access VPN traffic. See the "Troubleshooting LAN-to-LAN" and "Troubleshooting Remote Access VPN" sections for configuration details.

In some special cases, you also may need to perform translation for the VPN traffic. Consider an example that illustrates this point. Assume that PIX-A in Figure 7-1 has the private network 192.168.1.0/24, and PIX-B has the same private network. If these private networks need to communicate with each other through the VPN tunnel, you must translate one side to avoid the duplicate network problem. Assume that 192.168.1.0/24 on PIX-B is translated to 192.168.2.0/24 by a static command. For a successful tunnel build-up, you must include the translated addresses in the interesting traffic ACL for the crypto map.
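As an added example (not from the book or from Cisco), the duplicate-network case described above written out in PIX 6.x configuration syntax for both peers. The interface names (inside, outside), the ACL and crypto map names (NONAT, L2L, VPNMAP), the transform set name STRONG and the peer addresses 10.0.0.1 and 10.0.0.2 are assumed; ISAKMP policy and pre-shared key configuration are omitted. Lines beginning with "!" are annotations, not configuration. What the example shows is the point the text makes: PIX-B presents its 192.168.1.0/24 to the tunnel as 192.168.2.0/24 through a network static, so both crypto ACLs reference the translated network, while PIX-A, whose own network is not translated, needs the NAT exemption.

```text
! ===== PIX-B: translate the inside network before it enters the tunnel =====
! (interface names, peer address and ACL names are assumed)
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
static (inside,outside) 192.168.2.0 192.168.1.0 netmask 255.255.255.0

! Interesting traffic uses the TRANSLATED local network (192.168.2.0/24),
! because translation happens before the crypto map check on the way out.
access-list L2L permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address L2L
crypto map VPNMAP 10 set peer 10.0.0.1
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP interface outside
sysopt connection permit-ipsec

! ===== PIX-A: its own 192.168.1.0/24 is not translated =====
! With nat-control on, or with a nat/global pair that would otherwise
! translate this source network, the VPN traffic must be exempted from NAT.
! The remote side is seen as the translated network 192.168.2.0/24.
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

access-list L2L permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address L2L
crypto map VPNMAP 10 set peer 10.0.0.2
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP interface outside
sysopt connection permit-ipsec
```

Once traffic brings the tunnel up, the local identity reported by show crypto ipsec sa on PIX-B should be 192.168.2.0/24, not 192.168.1.0/24; if it still shows the untranslated network, the crypto ACL was written against the wrong (pre-translation) addresses. Note that the static on PIX-B also satisfies the nat-control requirement there, so PIX-B needs no separate nat 0 exemption for this traffic.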

NAT Device In the Middle of Tunnel End Points
If you have a NAT device between the IPsec peers (for both LAN-to-LAN and remote access), regular IPsec may not work. For this circumstance, a few work-arounds are discussed in this section.

IPsec over NAT Transparency (NAT-T)
If you have a NAT device between a VPN client and a PIX firewall for Remote Access VPN, or between two PIXen in the case of a LAN-to-LAN VPN, you can configure NAT Transparency (NAT-T). NAT-T encapsulates IPsec traffic in UDP using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec traffic when necessary. NAT-T is disabled by default on the PIX firewall. When you enable NAT-T, the PIX Firewall automatically opens port 4500 on all IPsec-enabled interfaces. You can enable IPsec over NAT-T globally on the PIX firewall by using the command isakmp nat-traversal natkeepalive, where natkeepalive is the keepalive interval in seconds. If you want to set the keepalive value to one hour, you can use the following command:

PIX-A(config)# isakmp nat-traversal 3600

The default keepalive is 20 seconds. This keepalive is used to prevent the NAT device translation from timing out.

To configure NAT transparency on the VPN Client, open the VPN Client by going to Start > Programs > Cisco Systems VPN Client > VPN Client. Select the profile, and click on Modify. Click on Transport and check the Enable Transparent Tunneling check box. Finally, choose the IPsec over UDP (NAT/PAT) radio button.

IPsec over TCP
IPsec over TCP encapsulates both the ISAKMP and IPsec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default. It is important to note that IPsec over TCP does not work with proxy-based firewalls. This feature is available only for Remote Access VPN, not for LAN-to-LAN tunnels. The default port is TCP/10000.

To configure IPsec over TCP, you need to configure both the PIX and the VPN client software. On the PIX firewall, use the following command to turn on IPsec over TCP on the port (or ports) you choose. If you leave the port off, the default port (TCP/10000) is used.

isakmp ipsec-over-tcp [port port1...port10]

The following example shows how to set up IPsec over TCP on port 425:

PIX-A(config)# isakmp ipsec-over-tcp port 425

To configure IPsec over TCP on the VPN Client, open the VPN Client by going to Start > Programs > Cisco Systems VPN Client > VPN Client. Select the profile, and click on Modify. Click on Transport and check the Enable Transparent Tunneling check box. Finally, choose the IPsec over TCP radio button, and enter the port number you want. The port must match the one configured on the PIX.