Cisco IPsec Tunnel – NAT to AWS Customer Gateway

Tags: aws, cisco-ios, ipsec

I'm trying to configure an IPSec tunnel between a Cisco router (ISR) and AWS (Customer Gateway). The connection to the ISP here is a PPPoE connection with a static private IP (e.g. 10.100.1.1) which is mapped from a public IP (e.g. 160.1.1.1). There is no filtering on the public IP; all traffic is translated to the private IP.

I am now trying to configure the IPSec tunnel, but am not able to get it up. The recommended configuration provided to configure a tunnel if I had a public IP is as follows:

crypto keyring preshared-key-public
  local-address 160.1.1.1
  pre-shared-key address 54.1.1.1 key XXX ! AWS IP

crypto isakmp profile isakmp-vpn-public
  keyring preshared-key-public
  match identity address 54.1.1.1 255.255.255.255
  local-address 160.1.1.1

interface Tunnel1
  ip address 169.1.1.1 255.255.255.252
  tunnel source 160.1.1.1
  tunnel destination 54.1.1.1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile pfs-group2-sometransform

This is the config I am using:

crypto keyring preshared-key-private
  local-address 10.100.1.1
  pre-shared-key address 54.1.1.1 key XXX

crypto isakmp profile isakmp-vpn-private
  keyring preshared-key-private
  match identity address 54.1.1.1 255.255.255.255
  local-address 10.100.1.1

interface Tunnel1
  tunnel source 10.100.1.1
  ! everything else is the same

So I have modified the 3 occurrences of public IPs with the private IP (based on http://blog.brianbeach.com/2015/05/configuring-aws-customer-gateway-behind.html), but the tunnel does not come up:

*Dec  8 : ISAKMP: Error: payload length of VENDOR 0 < 4
*Dec  8 : %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 54.1.1.1    failed its sanity check or is malformed
*Dec  8 : ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
*Dec  8 : ISAKMP:(0:0:N/A:0): sending packet to 54.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

I initially thought that the 0 < 4 error might be related to this bug: https://tools.cisco.com/quickview/bug/CSCee74283 but the firmware is a fixed version:

Cisco IOS Software, 2801 Software, Version 12.4(25c), RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

I can confirm that the preshared secret is configured correctly: I downloaded the configuration from AWS and copied it into the Cisco config. Is the setup correct? Any ideas as to what might be wrong? I am not sure if I am meant to be using the private IP in all 3 locations (keyring, isakmp profile and interface), or whether 1 of them should reference the public IP (I've tried using it in the keyring and isakmp profile but it didn't work either).

Before providing a public / NAT / private setup, the ISP used to provide an L2TP tunnel where the public static IP was on the router, and that worked fine. However, the L2TP tunnel is no longer available (but this router / software worked with AWS in that environment).

Best Answer

It turns out that having NAT traversal enabled was causing the issue.

no cry ips nat-trans udp-encaps
int tun1
shut
no shut

And the tunnel was up.
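For readers who want the fix in context, here is the unabbreviated form of the answer's commands together with the private-address configuration from the question and the show commands used to confirm the SAs afterwards. This is an added example, not the questioner's or answerer's own configuration; it assumes the addresses from the question (private WAN 10.100.1.1 behind a 1:1 NAT to 160.1.1.1, AWS peer 54.1.1.1), keeps the placeholder profile name pfs-group2-sometransform and key XXX, and assumes that IOS prints only the "no" form of the nat-transparency setting in the running config because NAT-T is on by default.

```cisco
! Added example, not the original poster's or answerer's configuration.
! Assumes the addresses from the question: private WAN 10.100.1.1 behind a
! 1:1 NAT to 160.1.1.1, AWS peer 54.1.1.1. "pfs-group2-sometransform" and
! the pre-shared key XXX are placeholders carried over from the question.
configure terminal
 ! Full-length form of the fix from the answer: NAT-T (UDP 4500
 ! encapsulation) is enabled by default and is switched off here.
 no crypto ipsec nat-transparency udp-encapsulation
 !
 crypto keyring preshared-key-private
  local-address 10.100.1.1
  pre-shared-key address 54.1.1.1 key XXX
 !
 crypto isakmp profile isakmp-vpn-private
  keyring preshared-key-private
  match identity address 54.1.1.1 255.255.255.255
  local-address 10.100.1.1
 !
 interface Tunnel1
  ip address 169.1.1.1 255.255.255.252
  tunnel source 10.100.1.1
  tunnel destination 54.1.1.1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile pfs-group2-sometransform
  ! bounce the tunnel so the IKE SA is renegotiated without NAT-T
  shutdown
  no shutdown
 end
!
! Verification (exec mode): the IKE SA should reach QM_IDLE and the IPsec
! SA for the peer should show encaps/decaps counters increasing.
show crypto isakmp sa
show crypto ipsec sa peer 54.1.1.1
! NAT-T is on by default, so this line only appears in the running config
! once it has been disabled (assumption about how IOS renders the default).
show running-config | include nat-transparency
```

If the tunnel still fails after the bounce, "debug crypto isakmp" on the router will show whether the peer's first message passes the sanity check that failed in the question's log; turn the debug off again once the SA is up.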
