
https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html

...

IPsec VPN:  https://www.juniper.net/documentation/en_US/day-one-books/DO_IPsec_VPNs_2018.pdf


Payload encapsulation



Signaling in ISAKMP (IKE phase 1)

https://www.rfc-editor.org/rfc/rfc3947
1st/2nd packet (Main Mode): each peer advertises NAT-T support with a Vendor ID payload; NAT-T is only used if both sides send it

3rd/4th packet (Main Mode; 2nd/3rd in Aggressive Mode): NAT-D (NAT Discovery) payloads. Each carries HASH(CKY-I | CKY-R | IP | Port), first for the peer's address/port as the sender sees it, then for the sender's own address(es)/port. The receiver recomputes the hashes from the addresses it actually has and sees on the wire; a mismatch tells it whether it, the peer, or both sit behind a NAT

(Caveat: this is IKEv1. IKEv2 detects NAT with NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications in IKE_SA_INIT, RFC 7296.)

...

NAT Traversal (NAT-T) allows the IPsec tunnel to traverse the NAT equipment on the path

Challenge:  NAT rewrites the outer IP addresses (and, with PAT, the UDP ports). IKE checks these addresses as part of the peer identity and discards the altered packets; ESP (IP protocol 50) carries no port numbers at all, so a port-translating NAT cannot multiplex it, and AH fails outright because its integrity check covers the outer IP header

Solution:  ESP over UDP/4500 (RFC 3948). Once NAT is detected, IKE also moves from UDP/500 to UDP/4500 ("port floating", RFC 3947 section 4). On UDP/4500, IKE packets are prefixed with a 4-byte zero Non-ESP Marker so they can be told apart from ESP (whose SPI is never zero), and a 1-byte 0xFF keepalive is sent periodically to keep the NAT mapping open

After the firewall detects one or more NAT devices along the datapath during the Phase 1 exchanges:

>> NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation.
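Worked example (added here; this is not code from the Juniper documentation or the RFCs): the NAT-D hash of RFC 3947 section 3.2, the receiver-side comparison that decides which side is behind a NAT, and the UDP/4500 demultiplexing of RFC 3948 (Non-ESP Marker, ESP, keepalive). The cookies, addresses and ports are constructed for the example, and SHA-1 is assumed as the hash; a real implementation uses whatever hash was negotiated in the SA payload.

```python
import hashlib
import socket
import struct

# RFC 3948 section 2.2 / RFC 3947 section 4: IKE on UDP/4500 is prefixed by four zero bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 section 2.3: a single 0xFF byte keeps the NAT mapping alive
NAT_KEEPALIVE = b"\xff"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """NAT-D payload body, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).

    IP is the 4-byte IPv4 address, Port the 2-byte UDP port, both network order.
    SHA-1 is an assumption for this example; HASH is really the negotiated one.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port,
                         hash_name="sha1"):
    """Sender side. RFC 3947 order: first the peer's address as we see it,
    then one hash per local address we may send from (a single one here)."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name),
        nat_d_hash(cky_i, cky_r, own_ip, own_port, hash_name),
    ]


def classify_nat(cky_i, cky_r, received_nat_d, own_ip, own_port,
                 observed_src_ip, observed_src_port, hash_name="sha1"):
    """Receiver side. Returns (nat_in_front_of_us, nat_in_front_of_peer).

    received_nat_d[0] is the peer's view of OUR address: if it differs from the
    hash of the address we actually have, we are behind a NAT.
    received_nat_d[1:] are the peer's own addresses: if none matches the hash
    of the source address/port seen on the wire, the peer is behind a NAT.
    """
    if len(received_nat_d) < 2:
        raise ValueError("NAT-D needs at least two payloads (remote + one local)")
    our_view = nat_d_hash(cky_i, cky_r, own_ip, own_port, hash_name)
    nat_us = received_nat_d[0] != our_view
    from_wire = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port, hash_name)
    nat_peer = from_wire not in received_nat_d[1:]
    return nat_us, nat_peer


def demux_udp4500(payload: bytes):
    """Sort a datagram received on UDP/4500 (RFC 3948 section 2, RFC 3947 section 4).

    Returns ("keepalive", None), ("ike", ike_message) or ("esp", spi).
    """
    if payload == NAT_KEEPALIVE:
        return "keepalive", None
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    if len(payload) < 8:                       # ESP needs at least SPI + sequence number
        raise ValueError("runt ESP datagram")
    spi = struct.unpack("!I", payload[:4])[0]  # SPI 0 is reserved, so this is never IKE
    return "esp", spi


# Constructed scenario (not captured traffic): initiator 10.0.0.5:500 sits behind a
# NAT that presents it as 203.0.113.7:500; responder is public at 198.51.100.9:500.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def example_exchange():
    # The initiator hashes the addresses from its own (private) point of view.
    sent = build_nat_d_payloads(CKY_I, CKY_R, "198.51.100.9", 500, "10.0.0.5", 500)
    # The responder sees the datagram arrive from the NAT's public address.
    return classify_nat(CKY_I, CKY_R, sent, "198.51.100.9", 500, "203.0.113.7", 500)


if __name__ == "__main__":
    print(example_exchange())  # -> (False, True): responder not NATed, initiator is
    print(demux_udp4500(NAT_KEEPALIVE))
    print(demux_udp4500(NON_ESP_MARKER + b"\x01" * 28))
    print(demux_udp4500(struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16))
```

The keepalive case is what the Junos `nat-keepalive` interval drives: once the NAT-D check has returned "peer is behind a NAT", the responder has nothing to send during idle periods unless these 0xFF datagrams keep the NAT's UDP/4500 mapping from timing out.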



Junos hierarchy for the NAT-T settings (NAT-T is enabled by default on SRX; nat-keepalive sets the keepalive interval in seconds, no-nat-traversal disables NAT-T for that gateway):

edit security ike gateway gateway-name

[edit security ike gateway IKE-GW1]

...