I have a MT with two interfaces, public which faces the public Internet and private which faces a private wireless network. I NAT private addresses on the wireless side to a single public address on the public side. I have a wireless customer who says he cannot get his VPN service to work (I do not yet know what type of VPN it is). He is trying to run it from his machine to a VPN server on the Internet. In my MT logs I have serveral entries like this when he tries to connect:

feb/20/2006 10:21:48 received ISAKMP packet from 212.135.38.10:500, phase 2, Quick >
feb/20/2006 10:21:48 no peer configuration found (remote unknown)
feb/20/2006 10:21:48 cannot start quick mode without phase 1 (remote unknown)

Is this because he is trying to connect from a private NATed address? Or does anyone have any other ideas why it is not working?

Many thanks.
Guy

Depends on the type of VPN she/he is trying to use, obviously some IPSec-Client. This will not work without NAT-T on the router itself, or a transparent IP-connection without NAT.

Not really a solution, sorry.

Thanks for your reply, Mag. I've read a bit about IPSec and IKE and as you say, they will not work across NAT. I'm going to try proxying a public address to this customer and see if that works.

Cheers,
Guy

No, it should work accross NAT, customer just need to have both src and dst nat configured (public address). If he is masquaraded, then it can't work.

Cheers...

Thanks, Djape. I should have said, more correctly, that I am masquerading the private addresses to the public ones.