SRX Services Gateway

SRX 220 used as a firewall for 1-to-1 NAT with DMVPN IPsec running through it

07-30-2014 02:35 AM

Hi,

 

I'm running a DMVPN solution with IPsec between Cisco routers and have an SRX at the headend to NAT the public IP address to a private one. All the spokes are using Cisco routers on public IP addresses. The DMVPN works fine when the IPsec is not applied. But once I apply the IPsec policy I get NAT-T issues and can't get past phase 1 of IKE. If I put the Cisco command "no crypto ipsec nat-transparency udp-encaps" on the router I don't get the NAT-T issue in the debug and phase 1 completes, but it won't complete phase 2 and I'm stuck in IQ_IDLE.

 

Just wondering if anyone has had this problem before when using an SRX as a straight firewall? Am I missing something in the config? I have opened up UDP port 4500, which is the NAT-T port, along with 51, 50 and 500, but this still isn't working.

 

Has anyone got any ideas?

 

Cheers

 

Steve


Re: SRX 220 used as a firewall for 1-to-1 NAT with DMVPN IPsec running through it

08-01-2014 05:08 AM

Hello Steve,

 

On the SRX, for NAT pass-through, you have something called the ike-esp-nat ALG.

By default it is turned on.

For your traffic to work, please turn on this ALG with the following:

[edit]
root# set security alg ike-esp-nat enable

 

Regards,

c_r

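As an added example that is not part of this thread (neither Steve's nor c_r's configuration), the fragment below shows the Junos pieces the discussion touches on, put together: a 1-to-1 static NAT for the hub, security policies that permit IKE (UDP/500), IKE NAT-T (UDP/4500), ESP (protocol 50) and AH (protocol 51) in both directions, and the ike-esp-nat ALG from the reply. All names and values are assumptions: zones trust and untrust, the public address 203.0.113.10 reached via ge-0/0/0.0, the DMVPN hub at 10.0.0.10, and the rule-set, policy and application names.

```junos
## Added example, not from the thread. Assumed values: public 203.0.113.10 on
## ge-0/0/0.0 in zone untrust, DMVPN hub 10.0.0.10 in zone trust.

## 1-to-1 static NAT: 203.0.113.10 <-> 10.0.0.10 (static NAT is bidirectional)
set security nat static rule-set dmvpn-hub from zone untrust
set security nat static rule-set dmvpn-hub rule hub match destination-address 203.0.113.10/32
set security nat static rule-set dmvpn-hub rule hub then static-nat prefix 10.0.0.10/32
## Needed only if 203.0.113.10 is not the interface's own address
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

## Custom applications for everything IPsec needs through the firewall
set applications application ike-udp-500 protocol udp destination-port 500
set applications application ike-natt-udp-4500 protocol udp destination-port 4500
set applications application esp-proto-50 protocol esp
set applications application ah-proto-51 protocol ah
set applications application-set dmvpn-ipsec application ike-udp-500
set applications application-set dmvpn-ipsec application ike-natt-udp-4500
set applications application-set dmvpn-ipsec application esp-proto-50
set applications application-set dmvpn-ipsec application ah-proto-51

## Policies match on the post-NAT (private) hub address, not the public one
set security zones security-zone trust address-book address dmvpn-hub 10.0.0.10/32

## Spokes on public IPs -> hub
set security policies from-zone untrust to-zone trust policy spokes-to-hub match source-address any
set security policies from-zone untrust to-zone trust policy spokes-to-hub match destination-address dmvpn-hub
set security policies from-zone untrust to-zone trust policy spokes-to-hub match application dmvpn-ipsec
set security policies from-zone untrust to-zone trust policy spokes-to-hub then permit

## Hub -> spokes
set security policies from-zone trust to-zone untrust policy hub-to-spokes match source-address dmvpn-hub
set security policies from-zone trust to-zone untrust policy hub-to-spokes match destination-address any
set security policies from-zone trust to-zone untrust policy hub-to-spokes match application dmvpn-ipsec
set security policies from-zone trust to-zone untrust policy hub-to-spokes then permit

## The ALG from the reply: watches IKE and opens the matching ESP session through the NAT
set security alg ike-esp-nat enable
```

The `##` lines are explanatory and should be dropped before pasting the statements into `load set terminal`. Two points worth noting for the setup in the question: the security policy sees the translated destination, so an address-book entry for 10.0.0.10 (not 203.0.113.10) is what the inbound policy has to match, and ESP/AH have no ports, so they must be permitted by IP protocol rather than by UDP port. After committing, `show security nat static rule all`, `show security alg status` and `show security flow session` are the places to confirm the translation is hit, the ALG is enabled, and that both UDP/500 (or UDP/4500 once NAT-T kicks in) and ESP sessions exist for each spoke.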