4 Replies Latest reply on Jan 6, 2010 8:53 AM by rcamm

    IPSec NAT (non-)Traversal Configuration

      I'm trying to set up an IPSec tunnel between an office in the London, UK (SG560) and one in Adelaide, Australia (SG310) both running 4.0.5. There's already an IPSec tunnel running successfully between London and an office in Newcastle.

      Both ends have static IP addesses, the UK end has small a range with a public IP assigned to the SG. The Australia end has a single IP which is assigned to the router, which is performing NAT.



      London LAN 192.168.xx.0 -- SG560 - ------ Internet ------ (External IP of Router) - (LAN IP of Router) -- (WAN IP of SG310) -- Adelaide LAN 192.168.yy.0


      (Neither xx nor yy is 1 and obviously the real addresses aren't, etc.!)


      At the London end, for the tunnel settings I'm using aggressive mode and set both addresses as Static IP. Local endpoint set to defaults, with no Endpoint ID)

      Remote endpoint, as the remote party IP address and I've tried with and without setting as the Endpoint ID

      For the Phase 2 settings, I have the local network set, with the remote network as Remote Endpoint


      At the Adelaide end, aggressive mode and set both addresses as Static IP again. Endpoint ID set with/without

      Remote endpoint, as the remote party IP address, no Endpoint ID

      For the Phase 2 settings, local network as Local Endpoint (Masqueraded access) (also tried with local network details), remote network 192.168.x.0/24


      At the moment from the London end I'm seeing:

      NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed (which is new, it was previously only detecting the peer as NATed, which would seem correct)

      cannot respond to IPsec SA request because no connection is known for 192.168.x.0/24===[+S=C]...[,+S=C]===

      I get the feeling it's something really simple.
      I've read KB62315 and KB62281 (as well as trying a few variations) but they both seem to provide bits but not all of the answer and certainly not a worked example, which is always really helpful...


      All clues gratefully received! (While I wait for the Australia office to wake up and tell me if they registered the UTM at that and and if so, with what details...)