https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html

...

Payload encapsulation

Signaling in ISAKMP (IKE phase 1)

1st/2nd packet

3rd and 4th packet: payload NAT-Discovery (NAT-D)

Compare the NAT-D (IP address + port) with the packet received.

If both ends calculate those hashes and get the same result, they know there is no NAT between them.
If the hashes do not match, somebody has translated the address or port.


NAT-T for IKE peer: NAT-T is used when there is a network device between the two tunnel endpoints that enforces NAT.

It allows all the IPsec tunnels to traverse the NATing equipment.

Challenge: any change to the IP addressing, which is the function of NAT, causes IKE to discard packets.

Solution: ESP over UDP/4500

After detecting one or more NAT devices (by the firewall) along the data path during Phase 1 exchanges,

>> NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation.
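The NAT-D comparison from the notes above, as an added worked example (not from the Juniper page): the sender hashes the address and port it believes it has, the receiver recomputes the hash over what actually arrived on the wire, and a mismatch reveals a translating device. The hash input (ISAKMP cookies, IP, port) follows RFC 3947; SHA-1 and the cookie/address values are assumptions constructed for the example.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (SPIs) for the example; real ones are random 8-byte values.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def build_nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Sender side: NAT-D payload data = HASH(CKY-I | CKY-R | IP | Port) per RFC 3947.

    SHA-1 is assumed here; the real exchange uses the hash negotiated in Phase 1.
    IP is the 4- or 16-byte network-order address, Port is 2 bytes network order.
    """
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(received_nat_d: bytes, cky_i: bytes, cky_r: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver side: hash the source address/port seen on the IP/UDP header of the
    packet that carried the payload and compare with what the peer sent.
    A mismatch means something in the path rewrote the address or port."""
    expected = build_nat_d(cky_i, cky_r, observed_ip, observed_port)
    return received_nat_d != expected


def example() -> dict:
    """Two constructed scenarios: an initiator behind a NAT and a responder with a public address."""
    # Initiator hashes its private view of itself; the NAT rewrites the packet to 203.0.113.5:4500.
    from_initiator = build_nat_d(CKY_I, CKY_R, "192.168.1.10", 500)
    initiator_natted = nat_detected(from_initiator, CKY_I, CKY_R, "203.0.113.5", 4500)

    # Responder has a public address, so the packet arrives unchanged.
    from_responder = build_nat_d(CKY_I, CKY_R, "198.51.100.7", 500)
    responder_natted = nat_detected(from_responder, CKY_I, CKY_R, "198.51.100.7", 500)

    return {"initiator_behind_nat": initiator_natted, "responder_behind_nat": responder_natted}


if __name__ == "__main__":
    print(example())
```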



edit security ike gateway gateway-name

[edit security ike gateway IKE-GW1]

...