Versions Compared

Old Version 17

changes.mady.by.user Jean-luc KRIKER

Saved on

compared with

New Version Current

changes.mady.by.user Jean-luc KRIKER

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html

...

Payload encapsulation



Signalingin ISAKMP ( IKE phase1 )

https://www.rfc-editor.org/rfc/rfc3947





1st/2nd packet

in the 3rd and 4th packet


payload: NAT-Discovery


Compare the NAT-D ( IP@ + port)

with the packet received

If both ends calculate those hashes and get same result, they know there is no NAT between.
If the hashes do not match, somebody has translated the address or port.

Phase 2 or Quick Mode

To perform incremental TCP checksum updates, both peers may need to
   know the original IP addresses used by their peers when those peers
   constructed the packet


Code Block
titleAO-
 Example 2:

         Initiator  ------> NAT1  ---------> NAT2  -------> Responder
                  ^             ^           ^              ^
                Iaddr        Nat1Pub     Nat2Pub          (Raddr)

         Initiator <------  NAT1 <---------  NAT2 <-------  Responder
                  ^             ^           ^              ^
               (Iaddr)        Nat1Pub     Nat2Pub         Raddr

   Here, NAT2 "publishes" Nat2Pub for Responder and forwards all traffic
   to that address to Responder.

   Initiator:
                     NAT-OAi = Iaddr
                     NAT-OAr = Nat2Pub ( responder of the IPsec public IP address )

   Responder:
                     NAT-OAi = Nat1Pub ( initiator of the IPsec public IP address )
                     NAT-OAr = Raddr



NAT-T for IKE peer: NAT-T is used when there is a network device between the two tunnel end-points that enforce NAT.

all the IPSEC tunnerl to traverse the NATing equipement

Challenge:  Any changes to the IP addressing, which is the function of NAT, causes IKE to discard packets

Solution:  ESP over UDP/4500

After detecting one or more NAT devices ( by the firwall)  along the datapath during Phase 1 exchanges,

>> NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation. 



edit security ike gateway gateway-name 


[edit security ike gateway IKE-GW1]

...