
VPN between two WRV200's both behind NAT

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by thelinksysuser, May 11, 2007.

  1. thelinksysuser

    thelinksysuser LI Guru Member

    I've a question about a configuration.

    I've 2 WRV200's; both are behind a NAT router and the VPN tunnel isn't getting to work.

    My questions are: is it possible to get this to work, and which steps are important to take?

    The log file shows the following (x.x.x.x is the placeholder for the public IP):


    020 [Fri 12:24:42] "TunnelA" #1: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
    021 [Fri 12:24:42] "TunnelA" #1: received Vendor ID payload [Openswan (this version) 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    022 [Fri 12:24:42] "TunnelA" #1: received Vendor ID payload [Dead Peer Detection]
    023 [Fri 12:24:42] "TunnelA" #1: received Vendor ID payload [RFC 3947] method set to=109
    024 [Fri 12:24:42] "TunnelA" #1: enabling possible NAT-traversal with method 3
    025 [Fri 12:24:42] "TunnelA" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    026 [Fri 12:24:43] "TunnelA" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    027 [Fri 12:24:43] "TunnelA" #1: I did not send a certificate because I do not have one.
    028 [Fri 12:24:43] "TunnelA" #1: NAT-Traversal: Result using 3: both are NATed
    029 [Fri 12:24:43] "TunnelA" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    030 [Fri 12:24:43] "TunnelA" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    031 [Fri 12:24:43] "TunnelA" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
    032 [Fri 12:24:43] "TunnelA" #1: we require peer to have ID 'X.X.X.X', but peer declares '192.168.1.254'
    033 [Fri 12:24:43] "TunnelA" #1: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.X:4500
    034 [Fri 12:24:43] "TunnelA" #1: received 1 malformed payload notifies
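    The log above already names the failure: NAT-T negotiates fine ("both are NATed"), but the Main Mode peer ID check then rejects the remote side. The following Python script is an added example, not something from this thread or from Linksys; it parses Pluto (Openswan) log lines like the ones quoted, pulls out the NAT-T result and the peer-ID mismatch, and flags when the declared ID is a private address. The remedy hint in the verdict (align the expected remote ID with what the peer actually sends) is a general IKE configuration assumption, not a setting taken from the WRV200 manual.

```python
import ipaddress
import re

# Pluto (Openswan) log lines as quoted in the original post; the public
# address is masked as X.X.X.X exactly as the poster wrote it.
SAMPLE_LOG = """\
028 [Fri 12:24:43] "TunnelA" #1: NAT-Traversal: Result using 3: both are NATed
031 [Fri 12:24:43] "TunnelA" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.254'
032 [Fri 12:24:43] "TunnelA" #1: we require peer to have ID 'X.X.X.X', but peer declares '192.168.1.254'
033 [Fri 12:24:43] "TunnelA" #1: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.X:4500
"""

NAT_RESULT = re.compile(r"NAT-Traversal: Result using \d+: (?P<result>.+)$")
ID_MISMATCH = re.compile(r"we require peer to have ID '(?P<expected>[^']+)', but peer declares '(?P<declared>[^']+)'")
NOTIFY = re.compile(r"sending encrypted notification (?P<notify>\w+) to (?P<host>\S+):(?P<port>\d+)")


def is_private(addr: str) -> bool:
    """True if addr parses as a private (RFC 1918 etc.) IP; masked or non-IP IDs are not."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def diagnose(log_text: str) -> dict:
    """Extract the NAT-T result and any Main Mode peer-ID mismatch from Pluto log text."""
    f = {"nat_result": None, "expected_id": None, "declared_id": None,
         "notify": None, "nat_t_port": False, "verdict": "no ID problem found"}
    for line in log_text.splitlines():
        if m := NAT_RESULT.search(line):
            f["nat_result"] = m.group("result")
        elif m := ID_MISMATCH.search(line):
            f["expected_id"], f["declared_id"] = m.group("expected"), m.group("declared")
        elif m := NOTIFY.search(line):
            f["notify"] = m.group("notify")
            f["nat_t_port"] = m.group("port") == "4500"  # UDP 4500 = NAT-T encapsulated IKE/ESP
    if f["expected_id"] and f["declared_id"] and f["expected_id"] != f["declared_id"]:
        if is_private(f["declared_id"]):
            # A NATed peer normally identifies itself by its own (private) interface address.
            f["verdict"] = ("peer ID mismatch: peer identifies itself by its private address "
                            f"{f['declared_id']} (normal for a NATed peer), local policy expects "
                            f"{f['expected_id']}; set the expected remote ID to the value the peer sends")
        else:
            f["verdict"] = f"peer ID mismatch: expected {f['expected_id']}, got {f['declared_id']}"
    return f


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```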
     
  2. ifican

    ifican Network Guru Member

    Well, I have never done it from behind 2 NAT devices, but I have from behind one. You need to have NAT-T enabled on both; the logs from this device show that it is, so make sure it is on the other side as well. The issue at the moment, though, is that the peer IP is incorrect.
     
  3. thelinksysuser

    thelinksysuser LI Guru Member

    Thanks for your answer, but if both have NAT-T enabled within the options, who can initiate the tunnel, because neither of the 2 routers knows the public IP of the other side? Please let me know what to do.
     
  4. Sfor

    Sfor Network Guru Member

    Well, it should be possible to establish an IPsec tunnel if one of the WRV200s is set as the DMZ host. But this requires the ability to change settings in one of the NAT routers the WRV200s are behind.
     
