
https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html

...

Payload encapsulation



Signaling in ISAKMP (IKE phase 1)

1st/2nd packet

3rd and 4th packet: payload NAT-Discovery (NAT-D)


Compare the NAT-D hashes (IP address + port) with the packet actually received.

2x NAT-D (1st = remote IP address/port, 2nd = local IP address/port)
>> answers two questions: the existence of a NAT and its direction.
If both ends calculate those hashes and get the same result, they know there is no NAT between them.
If the hashes do not match, somebody has translated the address or port.
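As an added example (not code from the page or from Juniper), the NAT-D comparison described above in Python: each side hashes CKY-I, CKY-R, IP and port as RFC 3947 specifies, and the receiver recomputes the hashes from the packet it actually saw. The cookies, addresses and the use of SHA-1 as the Phase 1 hash are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the page): 8-byte ISAKMP cookies,
# initiator behind a NAT, responder on a public address with no NAT.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
INITIATOR_PRIVATE = ("10.0.0.5", 500)          # what the initiator believes its own address is
INITIATOR_TRANSLATED = ("203.0.113.7", 12345)  # what the responder actually sees after NAT
RESPONDER_PUBLIC = ("198.51.100.1", 500)


def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port), IP in network
    byte order and port as a 16-bit big-endian value. `algo` is the Phase 1 hash."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.new(algo, cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, remote, local):
    """Sender's NAT-D list: 1st = remote (destination) IP/port, 2nd = local (source) IP/port."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received_nat_d, observed_dst, observed_src):
    """Run on the receiving side: recompute the hashes from the IP header actually
    received and compare with what the peer claimed. A mismatch means a NAT rewrote
    that side's address or port, which also tells us on which side the NAT sits."""
    local_match = nat_d_hash(cky_i, cky_r, *observed_dst) == received_nat_d[0]
    peer_match = nat_d_hash(cky_i, cky_r, *observed_src) == received_nat_d[1]
    return {"nat_in_front_of_local": not local_match, "nat_in_front_of_peer": not peer_match}


def responder_view(initiator_local=INITIATOR_PRIVATE, seen_src=INITIATOR_TRANSLATED):
    """Initiator builds NAT-D from its own view; responder checks it against the packet it got."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, remote=RESPONDER_PUBLIC, local=initiator_local)
    return detect_nat(CKY_I, CKY_R, payloads, observed_dst=RESPONDER_PUBLIC, observed_src=seen_src)


if __name__ == "__main__":
    print("initiator behind NAT:", responder_view())
    print("no NAT anywhere:     ", responder_view(seen_src=INITIATOR_PRIVATE))
```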

...

allows the IPsec tunnel to traverse the NATing equipment

Challenge:  Any changes to the IP addressing, which is the function of NAT, causes IKE to discard packets

Solution:  ESP over UDP/4500

After detecting one or more NAT devices (by the firewall) along the data path during Phase 1 exchanges,

>> NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation.



edit security ike gateway gateway-name 


[edit security ike gateway IKE-GW1]

...