
What is the exact NAT traversal technique used to overcome the IPsec end-to-end connectivity problem due to NATing?

Question added by Fawaz Mohammed , Support and Systems Engineer , eset middle east
Date Posted: 2013/10/06
by Jaishankar Swaminathan , Data Analytics & Information Management Tutor , UQ Business School

Hi Fawaz,

 

NAT Traversal is required when you have a NAT device in a client-to-site VPN kind of setup. Assuming that your desktop is an Intel system and the VPN server is your customer's firewall, there is a NAT device which acts as an Internet gateway for all the machines in your LAN.

The need for NAT Traversal is that, due to the AH and ESP protocols running on the end-user desktop, the firewall will not know how to PAT or NAT these packets.

 

NAT Traversal performs two tasks:

 

Detects if both ends support NAT-T 

Detects NAT devices along the transmission path (NAT-Discovery)

 

Step one occurs in ISAKMP Main Mode messages one and two. If both devices support NAT-T, then NAT-Discovery is performed in ISAKMP Main Mode messages (packets) three and four. The NAT-D payload sent is a hash of the original IP address and port. Devices exchange two NAT-D packets, one with source IP and port, and another with destination IP and port. The receiving device recalculates the hash and compares it with the hash it received; if they don't match, a NAT device exists.

 

If a NAT device has been determined to exist, NAT-T will change the ISAKMP transport with ISAKMP Main Mode messages five and six, at which point all ISAKMP packets change from UDP port 500 to UDP port 4500. NAT-T encapsulates the Quick Mode (IPsec Phase 2) exchange inside UDP 4500 as well. After Quick Mode completes, data that gets encrypted on the IPsec Security Association is encapsulated inside UDP port 4500 as well, thus providing a port to be used in the PAT device for translation.

 

To visualize how this works and how the IP packet is encapsulated:

Clear text packet will be encrypted/encapsulated inside an ESP packet

ESP packet will be encapsulated inside a UDP/4500 packet.

 

NAT-T encapsulates ESP packets inside UDP and assigns both the source and destination ports as 4500. After this encapsulation there is enough information for the PAT database binding to build successfully. Now ESP packets can be translated through a PAT device.

 

When a packet with a source and destination port of 4500 is sent through a PAT device (from inside to outside), the PAT device will change the source port from 4500 to a random high port, while keeping the destination port of 4500. When a different NAT-T session passes through the PAT device, it will change the source port from 4500 to a different random high port, and so on. This way each local host has a unique database entry in the PAT device, mapping its RFC 1918 IP address/port 4500 to the public IP address/high port.
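
The NAT-Discovery comparison described in the answer above, as an added example that is not part of the original post: it follows the RFC 3947 form HASH(CKY-I | CKY-R | IP | Port), which also mixes in the two IKE cookies. SHA-1 as the negotiated hash, the cookies, the addresses (documentation ranges) and all function names are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    ip_bytes = ipaddress.ip_address(ip).packed   # 4 bytes for IPv4, 16 for IPv6
    port_bytes = struct.pack("!H", port)         # 2 bytes, network byte order
    return hashlib.new(hash_name, cky_i + cky_r + ip_bytes + port_bytes).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """Sender: the first payload hashes the remote end, the second the local end."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver: recompute both hashes from the addresses on the received packet."""
    return {
        # Sender's view of me differs from the address the packet arrived on.
        "local_behind_nat": nat_d[0] != nat_d_hash(cky_i, cky_r, *seen_dst),
        # Sender's own address differs from the source I observed.
        "peer_behind_nat": nat_d[1] != nat_d_hash(cky_i, cky_r, *seen_src),
    }

def ike_port(result):
    """Any mismatch moves IKE (and later ESP-in-UDP) from UDP 500 to UDP 4500."""
    return 4500 if any(result.values()) else 500

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
CLIENT = ("192.168.1.10", 500)        # RFC 1918 host behind the PAT device
SERVER = ("203.0.113.5", 500)         # VPN gateway
PAT_PUBLIC = ("198.51.100.7", 31022)  # source address/port after translation

def demo():
    payloads = build_nat_d(CKY_I, CKY_R, local=CLIENT, remote=SERVER)
    via_pat = detect_nat(CKY_I, CKY_R, payloads, seen_src=PAT_PUBLIC, seen_dst=SERVER)
    direct = detect_nat(CKY_I, CKY_R, payloads, seen_src=CLIENT, seen_dst=SERVER)
    return via_pat, direct

if __name__ == "__main__":
    for label, result in zip(("via PAT", "direct"), demo()):
        print(label, result, "-> IKE continues on UDP", ike_port(result))
```
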

by Zubair Ahmed , Consultant , Fortinet / Hillstone Networks / Forcepoint / RSA➢ Protech Solutions

Dear Fawaz,

If you are trying to say that when you try to establish an IPsec tunnel it's not working, packets will be rejected. This is because both routers have NAT rules that are changing the source address after the packet is encrypted. The remote router receives the encrypted packet but is unable to decrypt it because the source address does not match. Right?

To fix this you need to set up NAT bypass rule.
