> it will most likely send the IP address assigned to interface we have crypto map on.

Therefore NAT-T I think is doing its job.

* On a Test VPN Tunnel Setup By HeadOffice where they set it to Respond Only and therefore did not fix the Branch End Public IP, the IPSEC VPN worked fine behind the router.
* I ran crypto isakmp nat-traversal 20 just in case but no joy
* As far as I am aware NAT-T is enabled on ASA unless you disable it.

> Are you sure you have nat-t enabled on ASA

If ASA is set to send identity as IP address it will most likely send the IP address assigned to interface we have crypto map on.

Are you sure you have nat-t enabled on ASA?

The only problem I could see is when IKE peers exchange MM5 and MM6 messages. The problem is that the other side might not recognize properly some VID?

Anyway if NAT is detected we should start using NAT-T and again should not be problem from Cisco's side.

Thereafter, NAT existence along the network path can be determined". During Main Mode (MM) 1 and MM 2 of IKE phase 1, the remote peer sends a vendor ID string payload to its peer to indicate that this version supports NAT traversal.
To detect NAT support, you should exchange the vendor identification (ID) string with the remote peer. "During Internet Key Exchange (IKE) phase 1 negotiation, two types of NAT detection occur before IKE Quick Mode begins - NAT support and NAT existence along the network path.

Would configure mode commands/options be the correct fix here and if so how would I use it?

During mainmode messages 1-4 we don't exchange IP address.
I assume I have to do something similar on the ASA5505 unit but am lost as to exactly what and where.

I used to have a similar problem on my Billion Router but solved it by Setting Local ID to IP Address 81.112.208.125.

When I set up an IPSEC VPN it connects first time with no problems.

I can set the outside interface with the IP of 81.112.208.125. Then my setup works fine as there is no NAT.

The problem as I can identify is to do with DHCP / NAT at my end.

I cannot use ezvpn because the HeadOffice Side is not in my control and is also not Cisco (Astaro).