Crypto ipsec nat transparency udp encapsulation


The IPSEC NAT Traversal feature allows IPSEC traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) devices in the network by addressing many of the incompatibilities between NAT and IPSEC.

NAT Traversal is a UDP encapsulation which allows traffic to reach its intended destination even when a device does not have a public address.

IPSEC provides confidentiality, authenticity and integrity. However, a problem occurs when a NAT device performs its translation: the source address carried inside the IP payload no longer matches the source address of the IKE packet, because that address was replaced by the NAT device's address during translation. The authenticity and integrity checks fail, which causes the remote peer to drop the packet.

NAT and IPSEC are therefore incompatible with each other, and this is resolved by using NAT Traversal. NAT Traversal adds a UDP header which encapsulates the IPSEC ESP packet. The new UDP header is not encrypted and is handled like that of any regular UDP packet, so the NAT device can make the required changes and forward the message, which overcomes the problem.


NAT and IPSEC Incompatibility and Solution

This incompatibility applies only when IP addresses are used as the search key to find a pre-shared key. Modification of the IP source or destination addresses by NAT or reverse NAT results in a mismatch between the IP address and the pre-shared key.

Because the payload is integrity protected, any IP address enclosed within an IPSEC packet cannot be translated by NAT. This matters because embedded IP addresses are used by protocols such as FTP, SNMP, LDAP and SIP.

UDP encapsulation addresses the incompatibility issues between IPSEC and NAT.

To prevent this situation, UDP encapsulation is used to hide the ESP packet behind a UDP header. PAT then treats the ESP packet as a UDP packet and processes it like any regular UDP packet.

The UDP checksum value is always zero. This prevents an intermediate device from validating the checksum against the packet contents, which resolves the TCP/UDP checksum problem that arises because NAT changes the IP source and destination addresses.

PAT changes the port in the new UDP header for translation and leaves the original payload as it is. In the Phase 1 setup, three ports have to be open on the device that is doing NAT for the VPN –

After this, the data is sent using IPSEC over UDP, which is effectively NAT Traversal. The receiving peer first de-capsulates the IPSEC packet from its UDP wrapper and then processes the traffic as a standard IPSEC packet.
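The encapsulation and PAT behaviour described above, as an added example that is not part of the original article. It builds an RFC 3948 style UDP-encapsulated ESP datagram, lets a simulated PAT device rewrite the outer source port, and checks that the ESP integrity check still passes because the ICV never covers the outer IP/UDP header. It also computes an ordinary UDP checksum over two different source addresses to show why NAT-T fixes the checksum at zero, and demultiplexes IKE from ESP on port 4500 using the four-zero-octet non-ESP marker from RFC 3948, a detail the article does not mention. All keys, addresses, SPIs and ports are constructed sample values; the truncated HMAC-SHA-256 ICV stands in for whatever integrity algorithm the SA negotiated.

```python
import hashlib
import hmac
import struct

# UDP port NAT-T uses for both IKE and ESP once a NAT is detected (RFC 3948)
NAT_T_PORT = 4500
ICV_LEN = 16  # 128-bit truncated HMAC, as with HMAC-SHA-256-128 (assumed algorithm)


def udp_checksum(src_ip, dst_ip, udp_bytes):
    """Standard UDP checksum over the IPv4 pseudo-header plus the datagram.
    Shown only to demonstrate why it would break under NAT; NAT-T sends 0 instead."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_bytes))
    data = pseudo + udp_bytes
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_encapsulate(payload, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """UDP header with the checksum fixed at 0, as NAT-T requires, followed by the payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_esp(spi, seq, ciphertext, key):
    """ESP: SPI, sequence number, the (already encrypted) payload, then the ICV.
    The ICV covers only the ESP header and payload, never the outer IP/UDP header,
    so a NAT rewriting the outer header cannot invalidate it."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def verify_esp(esp, key):
    """Receiver-side integrity check over ESP header and payload."""
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def parse_udp(datagram):
    src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": csum, "payload": datagram[8:length]}


def classify_nat_t_payload(payload):
    """Demultiplex traffic arriving on UDP 4500: IKE is prefixed by a 4-zero-octet
    non-ESP marker (RFC 3948 section 2.2); an ESP SPI is never zero, so no marker means ESP."""
    if payload[:4] == b"\x00\x00\x00\x00":
        return "IKE", payload[4:]
    return "ESP", payload


def pat_rewrite(datagram, new_src_port):
    """What a PAT device does: rewrite the outer UDP source port and leave the payload alone."""
    udp = parse_udp(datagram)
    return udp_encapsulate(udp["payload"], new_src_port, udp["dst_port"])


def demo():
    key = b"constructed-demo-integrity-key"
    ciphertext = bytes(range(32))  # stand-in for the encrypted inner IP packet
    esp = build_esp(spi=0x1234ABCD, seq=1, ciphertext=ciphertext, key=key)
    sent = udp_encapsulate(esp)

    # A real UDP checksum depends on the IP addresses that NAT rewrites (constructed addresses:
    # private 10.0.0.5 translated to 203.0.113.7, peer 198.51.100.1)
    before = udp_checksum(bytes([10, 0, 0, 5]), bytes([198, 51, 100, 1]), sent)
    after = udp_checksum(bytes([203, 0, 113, 7]), bytes([198, 51, 100, 1]), sent)

    translated = pat_rewrite(sent, 40001)  # PAT picks a new outer source port
    received = parse_udp(translated)
    kind, inner = classify_nat_t_payload(received["payload"])
    return {
        "checksum_would_change": before != after,
        "nat_t_checksum": received["checksum"],
        "outer_src_port": received["src_port"],
        "kind": kind,
        "spi": struct.unpack("!I", inner[:4])[0],
        "esp_intact": verify_esp(inner, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The outer source port changes and the UDP checksum stays zero, yet the ESP packet de-capsulated by the receiver still verifies, which is exactly the property the article relies on: PAT only touches the wrapper, not the integrity-protected payload.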

Benefits of NAT Traversal

Before NAT Traversal, a standard IPSEC virtual private network (VPN) tunnel would not work if there were one or more NAT or PAT devices in the path of the IPSEC packet. The NAT-aware IPSEC feature allows remote access users to build IPSEC tunnels to home gateways. The IPSEC NAT Transparency feature allows IPSEC traffic to travel through NAT or PAT devices in the network by encapsulating IPSEC packets in a User Datagram Protocol (UDP) wrapper, which lets the packets travel across NAT-configured devices.

NAT Traversal is a feature that is auto-detected and enabled by default. There are no configuration steps. If both devices are NAT-T capable, NAT Traversal is auto-detected and auto-negotiated.

To disable NAT Traversal, the following global configuration command is used –

Router(config)# no crypto ipsec nat-transparency udp-encapsulation

NAT-T addresses the problem that arises when data protected by IPsec passes through a NAT device that assigns a public IP address: the change to the IP address causes IKE to discard the packets. During the Phase 1 exchanges, NAT Traversal adds a UDP encapsulation to the IPsec packets so that they are not discarded after address translation. NAT-T encapsulates both IKE and ESP traffic within UDP, with port 4500 used as both the source and destination port.
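The auto-detection and Phase 1 negotiation mentioned above, as an added example that is not part of the original article. It implements the NAT-D (NAT Discovery) payload check from RFC 3947, which the article does not describe: each peer sends a hash of the destination address and port and a hash of its own source address and port; the receiver recomputes both from the outer header it actually saw, and any mismatch means a NAT sits in the path, so both peers float to UDP 4500 and switch on UDP encapsulation. The ISAKMP cookies, addresses and ports are constructed sample values, and SHA-1 stands in for whatever hash the Phase 1 SA negotiated.

```python
import hashlib
import socket
import struct

IKE_PORT = 500       # initial IKE port before NAT detection
NAT_T_PORT = 4500    # port both peers float to once a NAT is detected


def nat_d_hash(cookie_i, cookie_r, ip, port):
    """NAT-D payload body (RFC 3947 section 3.2): HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here; the real algorithm is the one negotiated for the SA."""
    return hashlib.sha1(cookie_i + cookie_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cookie_i, cookie_r, local, remote):
    """A peer sends the NAT-D for the remote (destination) address it sees first,
    then one for its own (source) address, computed on the addresses it believes it uses."""
    return [nat_d_hash(cookie_i, cookie_r, *remote),
            nat_d_hash(cookie_i, cookie_r, *local)]


def detect_nat(cookie_i, cookie_r, payloads, observed_src, observed_dst):
    """Receiver side: recompute both hashes from the outer IP/UDP header actually observed.
    A mismatch on the sender's own hash means the sender is behind a NAT;
    a mismatch on the destination hash means the receiver itself is behind one."""
    dst_hash, src_hashes = payloads[0], payloads[1:]
    local_nat = dst_hash != nat_d_hash(cookie_i, cookie_r, *observed_dst)
    remote_nat = nat_d_hash(cookie_i, cookie_r, *observed_src) not in src_hashes
    nat_present = local_nat or remote_nat
    return {
        "remote_behind_nat": remote_nat,
        "local_behind_nat": local_nat,
        "use_udp_encapsulation": nat_present,
        "port": NAT_T_PORT if nat_present else IKE_PORT,
    }


def demo(translated=True):
    cookie_i, cookie_r = b"\x11" * 8, b"\x22" * 8  # constructed ISAKMP cookies
    # Constructed topology: initiator 10.0.0.5 behind a PAT that maps it to 203.0.113.7:40001,
    # responder at 198.51.100.1. The initiator hashes the addresses it knows about.
    initiator_local = ("10.0.0.5", IKE_PORT)
    responder = ("198.51.100.1", IKE_PORT)
    payloads = build_nat_d_payloads(cookie_i, cookie_r, initiator_local, responder)
    # The responder sees either the post-translation header or, with no NAT, the original one
    observed_src = ("203.0.113.7", 40001) if translated else initiator_local
    return detect_nat(cookie_i, cookie_r, payloads, observed_src, responder)


if __name__ == "__main__":
    print("NAT in path:   ", demo(translated=True))
    print("No NAT in path:", demo(translated=False))
```

This is why the article can say there are no configuration steps: the decision to encapsulate is made per session from what each peer observes on the wire, and the `no crypto ipsec nat-transparency udp-encapsulation` command simply stops a peer from offering or accepting that encapsulation.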

I am Rashmi Bhardwaj. I am here to share my knowledge and experience in the field of networking with the aim being – “The more you share, the more you learn.”

I am a biotechnologist by qualification and a Network Enthusiast by hobby. I developed an interest in networking being in the company of a passionate Network Professional, my husband.

I am a strong believer of the fact that “learning is a constant process of discovering yourself.”