Hello all,
I'm trying to set up an IPsec connection on a routerboard that's behind a NAT gateway. I know this is not the ideal setup, but I have no choice. The internet provider is only providing me with a 1/1 NAT mapping of an external IP to an internal one.
The routerboard should initiate the IPsec connection to a Cisco PIX that's not under my control but is managed by a third party. I verified with them that NAT-T is activated and not firewalled on their side.
On the routerboard I activated NAT traversal on the IPsec peer, but it's not clear what I should fill in as the SA src address on the IPsec policy. Should this be the internal address that's assigned to the routerboard, or should I put the external address here that's being mapped 1/1 by the provider (but is not assigned to any local interface)?
When I put the internal address as the SA src address, I can see the routerboard trying to set up the IPsec connection, but Phase 1 fails saying that NAT-D payload #0 doesn't match.
When I try the same setup using an internet connection where I have a public IP assigned to the routerboard (not using NAT), everything works fine.
Any help is appreciated.
VOiD