Environment
Novell BorderManager 3.8
Novell BorderManager 3.9
Cisco IOS 12.4 (13r) T
Situation
A site-to-site (S2S) VPN between BorderManager and a Cisco router was working fine. Then
the Cisco device was replaced with a 2821 model, after which the
VPN tunnel could no longer be established.
The new Cisco 2821 was configured exactly as the old one, but to no avail.
The IKE.LOG file on the BorderManager server showed the following error:
29-5-2007 10:41:51 am Received (QM) proxy ID 192.168.xx.xx 255.255.255.0 - 1xx.xx.xx.xx 255.255.255.0
29-5-2007 10:41:51 am Warn :Proposal mismatch Encapsulation mode mismatch (tunnel-1 ,UDPtunnel -61443) mine : 1 his : 61443 " dst : 1xx.xx.xx.xx src : xx.xx.xx.xx cookies[mine :his] 737AD67C821577E2 : C0BEED2500000010
29-5-2007 10:41:51 am sending notify message type: 14 to 1xx.xx.xx.xx
29-5-2007 10:41:51 am ***Send Unacknowledge Informational message to 1xx.xx.xx.xx
The error refers to the negotiation of the NAT-T (NAT Traversal) setting. In the Quick Mode proposal BorderManager offers encapsulation mode 1 (plain tunnel mode), while the Cisco offers 61443, the UDP-Encapsulated-Tunnel value from the NAT-T drafts. Because no proposal matches, BorderManager rejects Quick Mode and sends ISAKMP notify type 14 (NO-PROPOSAL-CHOSEN) to the peer.
Resolution
There is an issue with the way Cisco IOS interprets the NAT-T (NAT Traversal, also called
NAT Transparency) negotiation; the NAT discovery payload involved is ISAKMP payload type 20.
NAT traversal can have three different settings on the Cisco device:
1) AUTOMATIC.........negotiated per link
2) ON....................always on; not negotiated, and any negotiation is ignored
3) OFF...................always off; negotiation is ignored
Configuring option 3, OFF, for the link to BorderManager allowed the tunnel to come up.
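As an added example (not part of this TID and not code from Novell or Cisco), the following Python script scans IKE.LOG text for the "Encapsulation mode mismatch" warning shown in the Situation section, decodes both encapsulation-mode values, and classifies the mismatch so that a NAT-T mismatch can be told apart from a plain tunnel/transport mismatch or a draft-versus-RFC NAT-T mismatch. The mode values (1 to 4 from the IANA registry and RFC 3947, 61443/61444 from the NAT-T drafts) and notify type 14 = NO-PROPOSAL-CHOSEN are standard ISAKMP/IPsec values; the sample log is constructed from the lines above with the same masked addresses; the IOS command quoted in the advice is the standard one that disables NAT-T UDP encapsulation, corresponding to the OFF option in the Resolution.

```python
import re

# Encapsulation-mode attribute values seen in IKEv1 Quick Mode proposals.
# 1-4 are the IANA values (3 and 4 come from RFC 3947); 61443/61444 are the
# private-use values from the NAT-T drafts (draft-ietf-ipsec-nat-t-ike-xx),
# which older peers send instead of the RFC values.
ENCAP_MODES = {
    1: "Tunnel",
    2: "Transport",
    3: "UDP-Encapsulated-Tunnel (RFC 3947)",
    4: "UDP-Encapsulated-Transport (RFC 3947)",
    61443: "UDP-Encapsulated-Tunnel (NAT-T draft)",
    61444: "UDP-Encapsulated-Transport (NAT-T draft)",
}
NAT_T_MODES = {3, 4, 61443, 61444}

# ISAKMP notify message types relevant to a failed Quick Mode.
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION"}

MISMATCH_RE = re.compile(
    r"Encapsulation mode mismatch.*?mine\s*:\s*(\d+)\s+his\s*:\s*(\d+).*?dst\s*:\s*(\S+)"
)
NOTIFY_RE = re.compile(r"sending notify message type:\s*(\d+)\s+to\s+(\S+)")

# Constructed sample: the BorderManager IKE.LOG lines from the TID, addresses masked as there.
SAMPLE_IKE_LOG = """\
29-5-2007 10:41:51 am Received (QM) proxy ID 192.168.xx.xx 255.255.255.0 - 1xx.xx.xx.xx 255.255.255.0
29-5-2007 10:41:51 am Warn :Proposal mismatch Encapsulation mode mismatch (tunnel-1 ,UDPtunnel -61443) mine : 1 his : 61443 " dst : 1xx.xx.xx.xx src : xx.xx.xx.xx cookies[mine :his] 737AD67C821577E2 : C0BEED2500000010
29-5-2007 10:41:51 am sending notify message type: 14 to 1xx.xx.xx.xx
29-5-2007 10:41:51 am ***Send Unacknowledge Informational message to 1xx.xx.xx.xx
"""


def describe_mode(value):
    return ENCAP_MODES.get(value, "unknown mode %d" % value)


def diagnose(mine, his):
    """Classify an encapsulation-mode mismatch between our proposal and the peer's."""
    mine_nat_t, his_nat_t = mine in NAT_T_MODES, his in NAT_T_MODES
    if mine_nat_t != his_nat_t:
        who = "the peer" if his_nat_t else "this side"
        return ("nat-t-mismatch",
                "%s proposes NAT-T (UDP encapsulation) but the other side does not; "
                "make the NAT-T setting match on both ends (on Cisco IOS, "
                "'no crypto ipsec nat-transparency udp-encapsulation' forces it off)" % who)
    if mine_nat_t and his_nat_t:
        return ("nat-t-version-mismatch",
                "both sides want UDP encapsulation but use different NAT-T value sets "
                "(draft 61443/61444 versus RFC 3947 3/4)")
    return ("mode-mismatch",
            "plain %s versus %s; check tunnel/transport mode on both peers"
            % (describe_mode(mine), describe_mode(his)))


def analyze_ike_log(text):
    """Return one finding per encapsulation-mode mismatch found in IKE.LOG text."""
    lines = text.splitlines()
    # Notify types sent per peer, so each finding can show how the negotiation ended.
    notifies = {}
    for line in lines:
        n = NOTIFY_RE.search(line)
        if n:
            notifies[n.group(2)] = int(n.group(1))
    findings = []
    for line in lines:
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        mine, his, peer = int(m.group(1)), int(m.group(2)), m.group(3)
        kind, advice = diagnose(mine, his)
        notify = notifies.get(peer)
        findings.append({
            "peer": peer,
            "mine": describe_mode(mine),
            "his": describe_mode(his),
            "kind": kind,
            "advice": advice,
            "notify": NOTIFY_TYPES.get(notify, notify),
        })
    return findings


if __name__ == "__main__":
    for f in analyze_ike_log(SAMPLE_IKE_LOG):
        print("peer %(peer)s: mine=%(mine)s his=%(his)s -> %(kind)s (%(notify)s)" % f)
        print("  " + f["advice"])
```

Run it against a real IKE.LOG with `analyze_ike_log(open("IKE.LOG").read())`; the regexes only key on the "Encapsulation mode mismatch" and "sending notify message type" fragments, so the date format and masked addresses in the sample do not matter.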
Additional Information
It looks like Cisco acknowledged this issue previously and that it has
since been fixed, but it is not clear from the Cisco article whether
the fix applies only to tunnels between Cisco devices or also to
other IPsec peers.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_field_notice09186a008027a221.shtml