IPsec over NAT-T not working properly
Region : UnitedStates
Model : TL-ER604W
Hardware Version : V1
Firmware Version : 1.1.0 Build 20141031 Rel.32628s
ISP : Comcast
So I actually have a few questions.
So my main router, which 19 different locations connect to, is a Cisco ASA 5510. I have TL-ER604Ws at each of the 19 locations.
When I establish my IPSEC connection for the first time everything connects fine. But, after the SA lifetime period runs out (8 hrs) and it goes to re-establish (re-key) a connection I get an error from my ASA router stating:
Duplicate Phase 1 packet detected. Retransmitting last Packet
P1 Retransmit msg dispatched to AM FSM
Received an un-encrypted INVALID-PAYLOAD-TYPE notify message, dropping
Information Exchange processing failed
QM FSM error (P2 struct &0xacd20368, mess id 0x443b605d)!
Removing peer from correlator table failed, no match!
Session is being torn down. Reason: Lost Service
So, I looked these errors up and everyone was pointing to IKE pre-shared key mismatch (which would be understandable if it wouldn't connect when establishing the connection for the first time, but it does connect the first time no problem).
So, now I did some more research and found the following on Cisco's website:
Restrictions for IPsec NAT Transparency
Although this feature addresses many incompatibilities between NAT and IPsec, the following problems still exist:
Internet Key Exchange (IKE) IP Address and NAT
This incompatibility applies only when IP addresses are used as a search key to find a preshared key. Modification of the IP source or destination addresses by NAT or reverse NAT results in a mismatch between the IP address and the preshared key.
So now it makes sense that on my ASA I am getting errors about mismatched pre-shared keys, and why it connects the first time fine but does not connect any subsequent time.
Now my Questions:
Do I need to have IPsec over NAT-T enabled, i.e. are there security risks involved if I don't have it enabled?
Is there a setting on the TP-LINK that I can use to enable NAT-T? (Note: I know it's not the same thing, but I turned on DPD just for kicks and that didn't help anything.)
Is there a setting on the TP-LINK that I can use to switch my identity from an IP address to a hostname or KeyID?
- Thanks in advance
Q
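What NAT-T actually does during IKE phase 1, as an added example that is not part of the original post and not code from TP-Link or Cisco: each peer sends NAT-D payloads (RFC 3947) containing HASH(CKY-I | CKY-R | IP | Port) for the remote address and for its own address; the receiver recomputes the hashes over the addresses it sees on the wire, and any mismatch means a NAT rewrote them. Only then do the peers float to UDP/4500 and wrap ESP in UDP (RFC 3948), which is what lets ESP (IP protocol 50, no ports) cross a NAT at all; the encapsulation itself does not weaken the IPsec protection. The same rewrite of the source address is what the quoted Cisco restriction is about when the pre-shared key is looked up by IP. The cookies, addresses (RFC 5737 documentation ranges) and ports below are constructed test values, and SHA-1 stands in for whatever phase 1 hash the peers negotiated.

```python
"""RFC 3947 NAT detection (NAT-D payloads) and RFC 3948 UDP encapsulation.

Added example with constructed values; not code from TP-Link or Cisco.
"""
import hashlib
import ipaddress
import struct

# Four zero bytes that distinguish IKE from ESP on UDP/4500 (RFC 3948 section 2.2).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_T_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port) using the phase 1 hash.

    IP is the packed address in network byte order; Port is two bytes big-endian.
    SHA-1 is an assumption here; the real value is whatever phase 1 negotiated.
    """
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def initiator_nat_d(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """The initiator sends the hash of the remote (responder) address first, then its own."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def responder_detect_nat(cky_i, cky_r, received, my_ip, my_port, src_ip, src_port):
    """Compare received NAT-D hashes against hashes over what the responder sees.

    received[0] is the initiator's view of the responder's address; received[1:]
    are the initiator's own addresses. (src_ip, src_port) is the source of the
    UDP packet on the wire, i.e. after any NAT in the path rewrote it.
    Returns (responder_behind_nat, initiator_behind_nat).
    """
    responder_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    initiator_behind_nat = nat_d_hash(cky_i, cky_r, src_ip, src_port) not in received[1:]
    return responder_behind_nat, initiator_behind_nat


def udp_encapsulate(payload: bytes, is_ike: bool) -> bytes:
    """UDP/4500 payload once NAT-T is active: IKE gets the non-ESP marker, ESP goes as is."""
    return (NON_ESP_MARKER + payload) if is_ike else payload


def simulate(spoke_ip: str, spoke_ip_on_wire: str, hub_ip: str, port_on_wire: int = 500):
    """Spoke (initiator) sends NAT-D to the hub (responder); a NAT may rewrite the spoke's source.

    Returns (responder_behind_nat, initiator_behind_nat, use_udp_encapsulation).
    """
    cky_i = bytes.fromhex("1122334455667788")  # constructed ISAKMP cookies
    cky_r = bytes.fromhex("8877665544332211")
    payloads = initiator_nat_d(cky_i, cky_r, spoke_ip, 500, hub_ip, 500)
    # The NAT rewrites the IP/UDP header, but the hashes inside the IKE payload are untouched.
    r_nat, i_nat = responder_detect_nat(
        cky_i, cky_r, payloads, hub_ip, 500, spoke_ip_on_wire, port_on_wire
    )
    return r_nat, i_nat, (r_nat or i_nat)


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    print("spoke behind NAT:", simulate("192.168.1.2", "198.51.100.7", "203.0.113.1"))
    print("no NAT in path: ", simulate("198.51.100.7", "198.51.100.7", "203.0.113.1"))
    print("port-only NAPT: ", simulate("198.51.100.7", "198.51.100.7", "203.0.113.1", 61001))
```

The third case matters for a branch router behind a consumer gateway: even when the public IP is the expected one, a NAT that rewrites only the UDP source port still produces a NAT-D mismatch, so the peers must move to UDP/4500 for the tunnel to survive.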