Problems with LAN to LAN VPN with NAT traversal

Article ID: KB5236 | Last Updated: 24 Aug 2010 | Version: 3.0
Summary:

Symptoms:
NAT traversal VPN tunnel
Main mode
VPN using Preshared secret
No IKE cookie shown on the NetScreen with no NAT device in front of it
IKE phase 1 not establishing
NAT traversal VPN not working
VPN not working
Cannot get LAN to LAN VPN to work with NAT

Solution:
When a preshared secret is used with NAT traversal, both gateways must be configured for Aggressive mode; Main mode is supported only with certificate authentication. The reason is that in Main mode with a preshared key the responder has to select the key by the peer's source IP address before the peer's ID payload arrives, and when the peer sits behind a NAT device that source address is the NAT device's public address, so the peer cannot be matched. Aggressive mode carries the identity (for example an FQDN) in the first message, independent of the source address, and a certificate carries its own identity. Change both gateways to Aggressive mode. Note that Aggressive mode sends the identity in the clear and exposes the preshared-key hash to anyone who can capture the exchange, allowing an offline dictionary attack on the key, so use a long, random preshared secret or, where both ends can use certificates, prefer Main mode with certificates. The following is a sample of a successful NAT traversal Phase 1 negotiation:
From the NetScreen that is not behind NAT, run get ike cookie:

522f/6, 172.16.10.1->172.16.20.1: PRESHR/grp2/AES/SHA, xchg(4) usr(d-1/u-1)
resent-tmr 0 lifetime 28800 lt-recv 28800 nxt_rekey 28708 cert-expire 0
  initiator 0, in-out 0, err cnt 0, send dir 1, cond 0
nat-traversal map:
  sa index 0.
  keepalive frequency 5 sec
  nat-t udp checksum enabled
  local pri ip  172.16.20.1
  local pri ike port 500
  local pub ip 0.0.0.0
  local pub ike port 0
  remote pri ip  10.1.1.1
  remote pri ike port 500
  remote pub ip  172.16.10.1
  remote pub ike port 23728
  internal ip 0.0.0.0
  internal port 0
  natt proto 17
ike heartbeat                : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
172.16.10.1 is the external (public) interface of the NAT device in front of the NetScreen.
172.16.20.1 is the untrust interface of the NetScreen that is not behind NAT (the gateway whose output is shown above).
10.1.1.1 is the untrust interface of the NetScreen behind the NAT device.

Points to check in this output: xchg(4) is the ISAKMP Aggressive exchange type (a Main mode negotiation shows xchg(2)); PRESHR confirms preshared-key authentication; under nat-traversal map, the remote pri ip (10.1.1.1) differs from the remote pub ip (172.16.10.1) and the remote pub ike port is 23728 rather than 500, which shows that NAT was detected and that the peer's IKE traffic arrives on a translated UDP port (natt proto 17 is UDP). If no cookie is displayed at all on this gateway, Phase 1 is not completing; confirm that both ends are set to Aggressive mode before looking elsewhere.
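As an added example, not part of the original article, the following is the ScreenOS CLI configuration that the fix above describes: both gateways in Aggressive mode with NAT traversal enabled, the NAT'd side identified by an FQDN rather than by IP address. The gateway and VPN names, the ethernet3 and tunnel.1 interfaces, the identity branch.example.com, the proposals and the placeholder secret are all assumptions chosen to match the addresses and the grp2/AES/SHA, 5-second keepalive, UDP-checksum settings seen in the sample output; lines beginning with # are annotations, not CLI commands.

```text
# Added example (not from the original article). ScreenOS 5.x/6.x syntax assumed.

# --- NetScreen A: not behind NAT, untrust interface 172.16.20.1 on ethernet3 ---
# The peer arrives from the NAT device's public address, which may be unknown or
# change, so it is defined as a dynamic peer identified by FQDN; Aggr is required.
set ike gateway GW-Branch dynamic "branch.example.com" Aggr outgoing-interface ethernet3 preshare "REPLACE-WITH-A-LONG-RANDOM-SECRET" proposal pre-g2-aes128-sha
set ike gateway GW-Branch nat-traversal
set ike gateway GW-Branch nat-traversal keepalive-frequency 5
set ike gateway GW-Branch nat-traversal udp-checksum
set vpn VPN-Branch gateway GW-Branch proposal g2-esp-aes128-sha
set vpn VPN-Branch bind interface tunnel.1

# --- NetScreen B: behind NAT, untrust interface 10.1.1.1 on ethernet3 ---
# Sends the same FQDN as its local identity; the remote end (NetScreen A) is
# reachable directly at its public address, so it is defined by IP address.
set ike gateway GW-HQ address 172.16.20.1 Aggr local-id "branch.example.com" outgoing-interface ethernet3 preshare "REPLACE-WITH-A-LONG-RANDOM-SECRET" proposal pre-g2-aes128-sha
set ike gateway GW-HQ nat-traversal
set ike gateway GW-HQ nat-traversal keepalive-frequency 5
set ike gateway GW-HQ nat-traversal udp-checksum
set vpn VPN-HQ gateway GW-HQ proposal g2-esp-aes128-sha
set vpn VPN-HQ bind interface tunnel.1

# --- Verify on NetScreen A, the side that previously showed no cookie ---
get ike cookie
# Expect a line containing PRESHR/grp2/AES/SHA, xchg(4), and a nat-traversal map
# whose remote pub ip / remote pub ike port are the NAT device's address and its
# translated UDP port (not 500).
```

Zone binding for tunnel.1, routes to the remote LAN and the policies that permit traffic through the tunnel are omitted because they are unchanged by this fix. The same preshared secret must be configured on both gateways, and since Aggressive mode exposes its hash to a passive observer, it should be long and randomly generated rather than a dictionary word.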
