This lab example is a VPN endpoint behind a NAT-enabled device: IOS15 sits behind R3, which performs NAT, and builds an IKEv1/IPsec tunnel to CSR9. To be clear, IOS15 initiates the traffic to SW22, so R3's NAT overload (PAT) translates IOS15's source address, and NAT traversal (NAT-T) encapsulates the ESP traffic in UDP port 4500 so the tunnel survives the translation.
IOS15
! Lab-only crypto: 3DES, MD5 and DH group 5 are deprecated, and the 0.0.0.0
! wildcard pre-shared key accepts any peer address. Use AES/SHA-2 and per-peer keys in production.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set IKEV1_TSET esp-3des
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 109.0.0.9
 set transform-set IKEV1_TSET
 match address VPN_TO_SW22
!
ip access-list extended VPN_TO_SW22
 permit ip 10.1.15.0 0.0.0.255 10.19.22.0 0.0.0.255
!
interface g0/0
 crypto map CMAP
CSR9
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set IKEV1_TSET esp-3des
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 103.0.0.3
 set transform-set IKEV1_TSET
 match address VPN_TO_IOS15
!
ip access-list extended VPN_TO_IOS15
 permit ip 10.19.22.0 0.0.0.255 10.1.15.0 0.0.0.255
!
interface g3
 crypto map CMAP
IOSv15#ping 10.19.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.19.22.22, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 39/49/69 ms
IOSv15#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
109.0.0.9       10.1.15.15      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
IOSv15#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 10.1.15.15
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.19.22.0/255.255.255.0/0/0)
current_peer 109.0.0.9 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.15.15, remote crypto endpt.: 109.0.0.9
plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x9F2A18D2(2670336210)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xA0D0CEB7(2698038967)
transform: esp-3des ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4272489/3413)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9F2A18D2(2670336210)
transform: esp-3des ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4272489/3413)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R3#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 103.0.0.3:1649     10.1.14.14:1649    10.3.11.3:1649     10.3.11.3:1649
udp  103.0.0.3:500      10.1.15.15:500     109.0.0.9:500      109.0.0.9:500
udp  103.0.0.3:4500     10.1.15.15:4500    109.0.0.9:4500     109.0.0.9:4500
CSR9#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
109.0.0.9       103.0.0.3       QM_IDLE           1210 ACTIVE

IPv6 Crypto ISAKMP SA
CSR9#show cryp ipsec sa
interface: GigabitEthernet3
Crypto map tag: CMAP, local addr 109.0.0.9
protected vrf: (none)
local ident (addr/mask/prot/port): (10.19.22.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
current_peer 103.0.0.3 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 109.0.0.9, remote crypto endpt.: 103.0.0.3
plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
current outbound spi: 0xA0D0CEB7(2698038967)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x9F2A18D2(2670336210)
transform: esp-3des ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2473, flow_id: CSR:473, sibling_flags FFFFFFFF80000048, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607999/2829)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA0D0CEB7(2698038967)
transform: esp-3des ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2474, flow_id: CSR:474, sibling_flags FFFFFFFF80000048, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607999/2829)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
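As an added verification helper (not part of the original lab, and not a Cisco tool), the following Python cross-checks the two show crypto ipsec sa outputs above: both peers must report port 4500 and UDP-Encaps on their ESP SAs, and each side's inbound SPI must be the other side's outbound SPI. The sample text is a constructed excerpt of the page's output; the parsing is against the IOS output format shown on this page.

```python
import re
# Constructed excerpts of the two "show crypto ipsec sa" outputs above (page values).
IOS15_SA = """current_peer 109.0.0.9 port 4500
inbound esp sas:
spi: 0xA0D0CEB7(2698038967)
in use settings ={Tunnel UDP-Encaps, }
outbound esp sas:
spi: 0x9F2A18D2(2670336210)
in use settings ={Tunnel UDP-Encaps, }"""
CSR9_SA = """current_peer 103.0.0.3 port 4500
inbound esp sas:
spi: 0x9F2A18D2(2670336210)
in use settings ={Tunnel UDP-Encaps, }
outbound esp sas:
spi: 0xA0D0CEB7(2698038967)
in use settings ={Tunnel UDP-Encaps, }"""

def parse_sa(text):
    """Extract the peer port and, per direction, the SPI and UDP-Encaps flag."""
    info = {"port": None, "inbound": {}, "outbound": {}}
    direction = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"current_peer \S+ port (\d+)", line)
        if m:
            info["port"] = int(m.group(1))
        elif line.startswith("inbound esp sas"):
            direction = "inbound"
        elif line.startswith("outbound esp sas"):
            direction = "outbound"
        elif direction and line.startswith("spi:"):
            info[direction]["spi"] = re.search(r"0x[0-9A-Fa-f]+", line).group(0)
        elif direction and line.startswith("in use settings"):
            info[direction]["udp_encaps"] = "UDP-Encaps" in line
    return info
def check_nat_t_pair(local_text, remote_text):
    """Return findings; an empty list means the NAT-T SA pair is consistent."""
    a, b = parse_sa(local_text), parse_sa(remote_text)
    findings = []
    for name, sa in (("local", a), ("remote", b)):
        if sa["port"] != 4500:  # NAT-T moves IKE and ESP to UDP 4500
            findings.append(f"{name}: peer port {sa['port']} is not 4500")
        for d in ("inbound", "outbound"):
            if not sa[d].get("udp_encaps"):
                findings.append(f"{name}: {d} SA is not UDP-encapsulated")
    if a["inbound"].get("spi") != b["outbound"].get("spi"):  # SPIs must cross-match
        findings.append("SPI mismatch: local inbound != remote outbound")
    if a["outbound"].get("spi") != b["inbound"].get("spi"):
        findings.append("SPI mismatch: local outbound != remote inbound")
    return findings
```

Feed it the full output of both routers; a non-empty findings list points at the side whose SA never negotiated NAT-T or whose SPIs no longer pair, which is the usual symptom when a NAT translation for UDP 4500 has timed out.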