Issue Description
The AR3260 dynamically obtains an IP address through PPPoE to access the Internet and establishes an IPsec VPN with HQ. However, traffic fails to be forwarded: display ipsec sa shows that the tunnel is set up successfully, but services are unavailable.
Handling Process
1. Run the display ipsec sa command on the AR3260 to check the tunnel information. The command output is as follows:
====================================================
===============display ipsec sa===============
====================================================
===============================
Interface: Dialer1
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "vpn"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 46
Encapsulation mode: Tunnel
Tunnel local : x.x.x.x (customer IP)
Tunnel remote : x.x.x.x (customer IP)
Flow source : 10.20.7.0/255.255.255.0 0/0
Flow destination : 10.0.0.0/255.255.0.0 0/0
Qos pre-classify : Disable
Qos group : -
[Outbound ESP SAs]
SPI: 877040047 (0x344691af)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887415920/1899
Outpacket count : 346 # packets are being sent out
Outpacket encap count : 346
Outpacket drop count : 0
Max sent sequence-number: 346
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 2407331406 (0x8f7cf64e)
Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/1899
Inpacket count : 0 # but no packets are received
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
2. Check the security policy and configuration of the firewall at HQ.
The service security policy and the encrypted traffic flow are correctly configured. Packets are forwarded, but the expected service packets are not captured on the firewall.
3. Check the IKE configuration on the AR: NAT traversal is not configured.
Root Cause
In an IPsec VPN, the transport-layer port numbers sit inside the encrypted ESP payload and cannot be modified, and the ESP header itself carries no port field. A NAT device that translates ports (port-based NAT) therefore cannot handle plain ESP. Here the IP address obtained dynamically through PPPoE is a private address and port-based NAT is configured at the egress, so the ESP packets cannot be forwarded through the NAT device and the HQ firewall never receives any data.
Solution
Enable NAT traversal on the IKE peer used by the IPsec VPN, so that ESP is encapsulated in UDP and can pass through the port-based NAT:
ike peer xx
 nat traversal
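The one-way counters in step 1 (ESP sent, nothing received, NAT traversal shown as N) are the fingerprint of this fault. The following added example, not part of the original case, parses a constructed excerpt modelled on the display ipsec sa output above and flags that pattern automatically; the sample text and the result codes are my own.

```python
import re

# Constructed excerpt modelled on the display ipsec sa output in this case.
# SPIs and counters are sample values, not taken from a live device.
SAMPLE_OUTPUT = """\
Interface: Dialer1
[Outbound ESP SAs]
SPI: 877040047 (0x344691af)
Outpacket count : 346
Outpacket drop count : 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 2407331406 (0x8f7cf64e)
Inpacket count : 0
Inpacket drop count : 0
UDP encapsulation used for NAT traversal: N
"""


def parse_ipsec_sa(text):
    """Collect packet counters and the NAT-T flag for the outbound and inbound ESP SA."""
    sa = {"out": {}, "in": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[Outbound"):
            section = "out"
        elif line.startswith("[Inbound"):
            section = "in"
        if section is None:
            continue  # header lines before the first SA block
        m = re.match(r"(?:Outpacket|Inpacket) count\s*:\s*(\d+)", line)
        if m:
            sa[section]["count"] = int(m.group(1))
        m = re.match(r"UDP encapsulation used for NAT traversal:\s*(\w)", line)
        if m:
            sa[section]["nat_t"] = m.group(1).upper() == "Y"
    return sa


def diagnose(sa):
    """ESP leaving, nothing returning, NAT-T off: suspect a port-translating NAT on the path."""
    out_n = sa["out"].get("count", 0)
    in_n = sa["in"].get("count", 0)
    nat_t = sa["out"].get("nat_t", False) or sa["in"].get("nat_t", False)
    if out_n > 0 and in_n == 0 and not nat_t:
        return "nat_t_suspect"
    if out_n > 0 and in_n > 0:
        return "ok"
    return "inconclusive"


if __name__ == "__main__":
    print(diagnose(parse_ipsec_sa(SAMPLE_OUTPUT)))
```

A result of nat_t_suspect is the cue to check the IKE peer for nat traversal, as in the solution above; once the fix is applied the NAT-T flag reads Y and the inbound counter starts to climb.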