NAT Traversal
Old one: https://www.juniper.net/documentation/en_US/junose15.1/topics/concept/nat-traversal-overview.html
IPsec VPN: https://www.juniper.net/documentation/en_US/day-one-books/DO_IPsec_VPNs_2018.pdf
| Payload encapsulation | |
|---|---|
| Signaling | in ISAKMP (IKE phase 1) |
| 1st/2nd packet | |
| 3rd and 4th packet | payload: NAT-Discovery |
| Phase 2 or Quick Mode | NAT-OA: to perform incremental TCP checksum updates, both peers may need to know the original IP addresses used by their peers when those peers constructed the packet |

NAT-OA Example 2:

```
Initiator ------> NAT1 ---------> NAT2 -------> Responder
    ^              ^               ^               ^
  Iaddr         Nat1Pub         Nat2Pub         (Raddr)

Initiator <------ NAT1 <--------- NAT2 <------- Responder
    ^              ^               ^               ^
 (Iaddr)        Nat1Pub         Nat2Pub          Raddr
```

Here, NAT2 "publishes" Nat2Pub for Responder and forwards all traffic to that address to Responder.

- Initiator: NAT-OAi = Iaddr, NAT-OAr = Nat2Pub (the IPsec responder's public IP address)
- Responder: NAT-OAi = Nat1Pub (the IPsec initiator's public IP address), NAT-OAr = Raddr
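Why the NAT-OA addresses matter: in transport mode the sender computes the TCP checksum over the pseudo-header with the addresses it knows, but after translation and decapsulation the receiver sees different addresses. The receiver can repair the checksum incrementally (RFC 1624) using the peer's NAT-OA values instead of recomputing over the whole payload. The block below is an added example, not code from these notes or from Juniper; the addresses standing in for Iaddr, Nat1Pub, Nat2Pub and Raddr, the TCP header and the payload are all constructed.

```python
import ipaddress
import struct


def ones_complement_sum(data):
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, length):
    """IPv4 TCP pseudo-header: src, dst, zero, protocol 6, TCP length."""
    return (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, length))


def tcp_checksum(src_ip, dst_ip, segment):
    """Full TCP checksum for a segment; the checksum field (bytes 16-17) is zeroed first."""
    seg = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + seg)) & 0xFFFF


def tcp_checksum_ok(src_ip, dst_ip, segment):
    """True when the checksum already inside the segment verifies for this address pair."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def nat_oa_fixup(checksum, old_src, old_dst, new_src, new_dst):
    """Move a checksum from one pseudo-header address pair to another without
    touching the payload: HC' = ~(~HC + ~m + m') per RFC 1624, applied to each
    16-bit half of both addresses. old_* are the addresses the sender used (its
    NAT-OA payloads), new_* the addresses the receiver sees after decapsulation."""
    old = ipaddress.ip_address(old_src).packed + ipaddress.ip_address(old_dst).packed
    new = ipaddress.ip_address(new_src).packed + ipaddress.ip_address(new_dst).packed
    total = (~checksum) & 0xFFFF
    for (o,), (n,) in zip(struct.iter_unpack("!H", old), struct.iter_unpack("!H", new)):
        total += ((~o) & 0xFFFF) + n
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def run_example():
    """Example 2 topology with constructed addresses (assumption, not from the notes):
    Iaddr=10.0.0.5, Nat1Pub=198.51.100.1, Nat2Pub=203.0.113.7, Raddr=192.168.7.9."""
    iaddr, nat1pub, nat2pub, raddr = "10.0.0.5", "198.51.100.1", "203.0.113.7", "192.168.7.9"
    # Constructed 20-byte TCP header (40000 -> 443, SYN) plus a small payload.
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    segment = header + b"hello"

    # Initiator computes the checksum with the addresses it knows: Iaddr -> Nat2Pub (its NAT-OAi / NAT-OAr).
    sent = tcp_checksum(iaddr, nat2pub, segment)
    as_sent = segment[:16] + struct.pack("!H", sent) + segment[18:]

    # Responder receives the segment as Nat1Pub -> Raddr; the stock checksum no longer verifies.
    before = tcp_checksum_ok(nat1pub, raddr, as_sent)
    # Using the initiator's NAT-OA values it rewrites the checksum for the addresses it actually sees.
    fixed = nat_oa_fixup(sent, iaddr, nat2pub, nat1pub, raddr)
    as_fixed = segment[:16] + struct.pack("!H", fixed) + segment[18:]
    after = tcp_checksum_ok(nat1pub, raddr, as_fixed)
    return {"sent": sent, "fixed": fixed, "recomputed": tcp_checksum(nat1pub, raddr, segment),
            "verifies_before_fixup": before, "verifies_after_fixup": after}


if __name__ == "__main__":
    print(run_example())
```

The incremental form only touches the four 16-bit words that changed, which is what lets a decapsulating peer fix checksums without re-reading every packet's payload; the full recomputation is kept in the example solely to show the two agree.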
NAT-T for IKE peers: NAT-T is used when there is a network device between the two tunnel end-points that enforces NAT.
It allows IPsec tunnels to traverse the NAT equipment.
Challenge: any change to the IP addressing, which is the function of NAT, causes IKE to discard the packets.
Solution: ESP over UDP/4500
After detecting one or more NAT devices (by the firewall) along the datapath during Phase 1 exchanges,
>> NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation.
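How the detection in the 3rd/4th Phase 1 packets and the UDP/4500 framing fit together, as an added example (not code from these notes or from Juniper): each peer sends NAT-Discovery hashes of the addresses it believes are in use, the receiver recomputes them from what it actually saw on the wire, and once a NAT is found both IKE and ESP move to UDP/4500, where the receiver must tell them apart. The cookies, addresses and ports are constructed, and SHA-1 is assumed as the negotiated Phase 1 hash.

```python
import hashlib
import ipaddress
import struct

# Constructed sample ISAKMP cookies (CKY-I / CKY-R); real ones come from the IKE SA.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages sent on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte NAT-keepalive on UDP/4500


def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), with the address in
    network byte order and the port as a 16-bit big-endian value."""
    h = hashlib.new(algo)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def build_nat_d(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """NAT-D payloads a peer sends in Phase 1 message 3/4: first the hash of the
    destination (peer) address it is sending to, then the hash of its own source."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(received, cky_i, cky_r, obs_src_ip, obs_src_port, obs_dst_ip, obs_dst_port):
    """Compare received NAT-D hashes with hashes of the addresses seen on the wire.
    A mismatch on the destination hash means *we* are behind a NAT; no match among
    the source hashes means the *peer* is behind a NAT."""
    dst_hash, *src_hashes = received
    return {
        "self_behind_nat": dst_hash != nat_d_hash(cky_i, cky_r, obs_dst_ip, obs_dst_port),
        "peer_behind_nat": nat_d_hash(cky_i, cky_r, obs_src_ip, obs_src_port) not in src_hashes,
    }


def classify_udp4500(payload):
    """Demultiplex one UDP/4500 datagram: NAT-keepalive, IKE (non-ESP marker) or
    UDP-encapsulated ESP, whose first four bytes are a non-zero SPI."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:            # SPI + sequence number at minimum
        return "esp"
    return "malformed"


def run_example():
    """Constructed topology: initiator 10.0.0.5 behind a NAT that presents
    198.51.100.1:40500 to the world; responder 203.0.113.7 is not behind a NAT."""
    i_priv, i_pub, r_pub = ("10.0.0.5", 500), ("198.51.100.1", 40500), ("203.0.113.7", 500)

    # Message 3: the initiator hashes what it knows (its private address, the responder's).
    from_initiator = build_nat_d(CKY_I, CKY_R, *i_priv, *r_pub)
    # The responder sees the packet arrive from the NAT's public address and port.
    at_responder = detect_nat(from_initiator, CKY_I, CKY_R, *i_pub, *r_pub)

    # Message 4: the responder hashes the addresses it observed.
    from_responder = build_nat_d(CKY_I, CKY_R, *r_pub, *i_pub)
    # The initiator sees its own private address as destination once the NAT un-translates it.
    at_initiator = detect_nat(from_responder, CKY_I, CKY_R, *r_pub, *i_priv)

    # After the switch to UDP/4500 the receiver tells IKE, ESP and keepalives apart by framing.
    kinds = [classify_udp4500(NON_ESP_MARKER + b"\x00" * 28),                              # IKE header after the marker
             classify_udp4500(b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16),  # ESP, SPI 0x1001, seq 1
             classify_udp4500(NAT_KEEPALIVE)]
    return at_responder, at_initiator, kinds


if __name__ == "__main__":
    print(run_example())
```

Note that the port is part of the hash: a NAT that keeps the address but rewrites the source port is still detected, which is why IKE also has to leave UDP/500 for UDP/4500 rather than only re-addressing.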
Disabling NAT-T on an IKE gateway (SRX):

```
edit security ike gateway gateway-name
[edit security ike gateway IKE-GW1]
root@srx3200# set no-nat-traversal
```