NAT and IPsec are both widely deployed, but in essence the two are in conflict:
1. From the IPsec side, IPsec must guarantee the security of the data, so it encrypts the packet and verifies its integrity.
2. From the NAT side, the IP addresses (and, for port-translating NAT, the port numbers) must be modified to complete address translation.
IPsec provides end-to-end security for IP communication, but its support in a NAT environment is limited. AH cannot pass through a NAT at all; that is contrary to the design of AH. Without NAT traversal, ESP can only establish a VPN tunnel for a single host behind the NAT: because ESP carries no port numbers, a NAT has nothing to multiplex on, so multiple machines behind the same NAT cannot each communicate with the peer. The requirements for IPsec in a NAT environment are described in RFC 3715.
NAT traversal (NAT-T) was proposed to solve this problem. It is defined in RFC 3947 and RFC 3948; RFC 4306 (IKEv2) also describes NAT-T but does not obsolete RFC 3947 and 3948, the only difference being that IKEv2 no longer distinguishes phase 1 and phase 2. The method encapsulates the ESP packet in UDP: a UDP header (port 4500 on both sides) is inserted between the outer IP header and the ESP header, so the NAT sees an ordinary UDP packet with ports it can translate. This allows multiple IPsec hosts on a NAT intranet to establish VPN connections and communicate.
AH encapsulation: the AH integrity check starts from the IP header (the source and destination addresses are immutable fields covered by the ICV). If a NAT modifies the IP header, AH verification fails, so AH cannot coexist with NAT. ESP transport mode: compared with AH, the advantage of ESP for NAT is that the IP header is covered by neither the encryption nor the integrity verification. But a new problem appears: in ESP transport mode the NAT cannot update the upper-layer checksum. The TCP and UDP headers carry a checksum that is computed over a pseudo-header containing the source and destination IP addresses, plus the port numbers in the header itself.
When a NAT changes a packet's IP address or port number it normally has to update the TCP or UDP checksum. When the TCP or UDP header is encrypted by ESP, the NAT cannot update that checksum; since the address or port has been changed, checksum verification at the destination fails. The UDP checksum is optional (it may be sent as zero in IPv4), but the TCP checksum is mandatory.
ESP tunnel mode: in tunnel mode ESP encrypts the entire original IP packet, and a new IP header is added in front of the ESP header. So as long as the NAT only changes the outer IP header, the protected part is unaffected. (A port-translating NAT still has no port numbers to work with in an ESP packet, which is why without NAT-T only one host behind the NAT can use this.)
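As an added worked example (not code from the original article), the three cases above can be reproduced in Python by computing the TCP checksum over its pseudo-header and simulating which fields a NAT can and cannot touch. The HMAC stands in for the AH ICV and an XOR keystream stands in for ESP encryption; neither is real IPsec processing, they only make the headers authenticated or opaque the way the real protocols do. The addresses, ports and key are constructed for the example.

```python
"""Why AH and ESP transport mode fail behind NAT while ESP tunnel mode survives.
Toy model: the HMAC stands in for the AH ICV and an XOR keystream for ESP
encryption; neither is real IPsec processing, they only make the headers
authenticated or opaque the way the real protocols do."""
import hmac
import ipaddress
import struct


def packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum shared by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum: IPv4 pseudo-header (src, dst, 0, proto 6, TCP length)
    followed by the segment with its own checksum field (bytes 16-17) zeroed."""
    pseudo = packed(src_ip) + packed(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal 20-byte TCP SYN header plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


def toy_esp(data: bytes) -> bytes:
    """XOR keystream standing in for ESP encryption (NOT real crypto); applying it
    twice decrypts. Its only job is to make the TCP header unreadable to the NAT."""
    key = b"\x5a\xc3\x19\x7e"
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plain_nat(nat_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """A NAT with cleartext access rewrites the source and simply recomputes the checksum."""
    return segment[:16] + struct.pack("!H", tcp_checksum(nat_ip, dst_ip, segment)) + segment[18:]


def ah_icv(key: bytes, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """AH's ICV covers the IP header (mutable fields zeroed, addresses included),
    so the same address rewrite that is harmless to ESP breaks AH."""
    return hmac.new(key, packed(src_ip) + packed(dst_ip) + payload, "sha256").digest()


def ah_via_nat(key: bytes, src_ip: str, nat_ip: str, dst_ip: str, segment: bytes) -> bool:
    icv = ah_icv(key, src_ip, dst_ip, segment)                          # sender signs its own address
    return hmac.compare_digest(icv, ah_icv(key, nat_ip, dst_ip, segment))  # receiver sees nat_ip


def esp_transport_via_nat(nat_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Transport mode: [IP | ESP | enc(TCP)]. The NAT rewrites the IP source but
    sees only ciphertext, so the TCP checksum stays as the sender computed it.
    The receiver decrypts and verifies against the translated source address."""
    ciphertext = toy_esp(segment)
    received = toy_esp(ciphertext)
    return checksum_ok(nat_ip, dst_ip, received)


def esp_tunnel_via_nat(src_ip: str, nat_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Tunnel mode: [outer IP | ESP | enc(inner IP | TCP)]. The NAT rewrites the
    outer source (nat_ip) only; the inner header with src_ip sits inside the ESP payload."""
    inner = packed(src_ip) + packed(dst_ip) + segment     # inner IP addresses + TCP
    decrypted = toy_esp(toy_esp(inner))                   # NAT never saw these bytes in clear
    inner_src = str(ipaddress.IPv4Address(decrypted[:4]))
    inner_dst = str(ipaddress.IPv4Address(decrypted[4:8]))
    return checksum_ok(inner_src, inner_dst, decrypted[8:])


PRIVATE, NAT_PUBLIC, SERVER = "10.0.0.5", "203.0.113.7", "198.51.100.20"   # constructed addresses


def summary() -> dict:
    seg = build_tcp(PRIVATE, SERVER, 40000, 443, b"hello")
    key = b"constructed-ah-key"
    return {
        "plaintext_nat": checksum_ok(NAT_PUBLIC, SERVER, plain_nat(NAT_PUBLIC, SERVER, seg)),
        "ah": ah_via_nat(key, PRIVATE, NAT_PUBLIC, SERVER, seg),
        "esp_transport": esp_transport_via_nat(NAT_PUBLIC, SERVER, seg),
        "esp_tunnel": esp_tunnel_via_nat(PRIVATE, NAT_PUBLIC, SERVER, seg),
    }


if __name__ == "__main__":
    print(summary())   # {'plaintext_nat': True, 'ah': False, 'esp_transport': False, 'esp_tunnel': True}
```

The only case that survives is tunnel mode, and only because the inner addresses the checksum was computed over travel inside the ESP payload untouched.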
Therefore, IPsec can coexist with NAT only when ESP is used to encapsulate the data, and only in tunnel mode:
1. AH: the integrity check covers the IP header, which the NAT must modify; incompatible.
2. ESP transport mode: the TCP header is encrypted, so the NAT cannot update the TCP checksum; incompatible.
3. ESP tunnel mode: the NAT modifies only the outer IP header and the encrypted original IP packet is left unchanged; this is the only case that coexists with NAT.
NAT traversal (NAT-T)
Cisco IOS releases from 12.2(13)T onward support NAT-T. Before NAT-T, NAT and IPsec could coexist only in one-to-one form; NAT-T removes that limitation, and it also supports ESP transport mode. The basic idea of NAT-T:
Encapsulate the ESP packet in UDP (insert a UDP header between the outer IP header and the ESP header; both ends use UDP port 4500), so that the NAT treats it like an ordinary UDP packet and can translate its ports. This also makes ESP transport mode usable: the receiver repairs the inner TCP/UDP checksum using the original addresses exchanged in the IKE NAT-OA payloads. Steps: 1. Detect whether there is a NAT device on the path and whether the peer supports NAT-T.
2. Whether the peer supports NAT-T is discovered by exchanging Vendor ID payloads: a peer that supports NAT-T sends, during the IKE exchange, a Vendor ID payload whose content is the MD5 hash of the string "RFC 3947", i.e. the hexadecimal value 4a131c81070358455c5728f20e95452f. Whether a NAT is present is discovered with NAT-D (NAT Discovery) payloads: each side sends HASH(CKY-I | CKY-R | IP | Port) computed over the addresses and ports it believes are in use; if the receiver's recomputation over the address and port it actually observes on the wire does not match, a NAT is in the path, and both sides move IKE and ESP to UDP port 4500.
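An added example (not the article's own code) of the NAT-T signalling pieces just described, in Python: the RFC 3947 Vendor ID, the NAT-D hash comparison that reveals a NAT, and the RFC 3948 UDP encapsulation both sides switch to on port 4500, including how a receiver tells ESP, IKE and keepalives apart on that port. The cookies, addresses, ports and packet bytes are constructed for the example, and SHA-1 is assumed as the phase 1 hash (a real implementation uses whatever IKE negotiated).

```python
"""NAT-T signalling pieces from RFC 3947 / RFC 3948, modelled in Python.
Cookies, addresses, ports and packet bytes below are constructed for the example."""
import hashlib
import ipaddress
import struct


def nat_t_vendor_id() -> bytes:
    """Vendor ID payload body announcing NAT-T support: MD5("RFC 3947")."""
    return hashlib.md5(b"RFC 3947").digest()


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload body (RFC 3947 section 3.2): HASH(CKY-I | CKY-R | IP | Port)
    using the phase 1 hash algorithm; ISAKMP cookies are 8 bytes each."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port))
    return h.digest()


def nat_detected(received: bytes, cky_i: bytes, cky_r: bytes,
                 seen_ip: str, seen_port: int, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute over the source address/port actually observed on
    the wire. A mismatch means something in the path rewrote them, i.e. a NAT."""
    return received != nat_d_hash(cky_i, cky_r, seen_ip, seen_port, hash_name)


def udp_encapsulate_esp(esp_packet: bytes, sport: int = 4500, dport: int = 4500) -> bytes:
    """RFC 3948: an 8-byte UDP header goes between the outer IP header and the ESP
    header. The UDP checksum is sent as zero; ESP's own ICV protects the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0) + esp_packet


def classify_udp4500(payload: bytes) -> str:
    """Demultiplexing on UDP 4500: a lone 0xFF byte is a NAT keepalive, a 4-byte
    zero Non-ESP Marker prefixes IKE, and anything else is ESP (SPI 0 is never used)."""
    if payload == b"\xff":
        return "nat-keepalive"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    return "esp"


# Constructed example values
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("f1f2f3f4f5f6f7f8")
PRIVATE_IP, NAT_PUBLIC_IP, PEER_IP = "10.0.0.5", "203.0.113.7", "198.51.100.20"


def detect_from_behind_nat() -> tuple:
    """Initiator behind a port-translating NAT hashes its own address/port
    (10.0.0.5:500); the responder sees the packet arrive from 203.0.113.7:31337.
    Returns (initiator appears NATed, responder appears NATed)."""
    sent_by_initiator = nat_d_hash(CKY_I, CKY_R, PRIVATE_IP, 500)
    initiator_nated = nat_detected(sent_by_initiator, CKY_I, CKY_R, NAT_PUBLIC_IP, 31337)
    sent_by_responder = nat_d_hash(CKY_I, CKY_R, PEER_IP, 500)   # responder has a public address
    responder_nated = nat_detected(sent_by_responder, CKY_I, CKY_R, PEER_IP, 500)
    return initiator_nated, responder_nated


def encapsulate_after_detection() -> tuple:
    """Once a NAT is found, ESP is wrapped in UDP 4500 and shares that port with
    IKE and keepalives; show that the receiver can tell the three apart."""
    esp = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16   # SPI, sequence number, opaque payload
    ike = b"\x00\x00\x00\x00" + CKY_I + CKY_R                # Non-ESP Marker + start of ISAKMP header
    return (classify_udp4500(udp_encapsulate_esp(esp)[8:]),
            classify_udp4500(ike),
            classify_udp4500(b"\xff"))


if __name__ == "__main__":
    print(nat_t_vendor_id().hex())        # 4a131c81070358455c5728f20e95452f
    print(detect_from_behind_nat())       # (True, False)
    print(encapsulate_after_detection())  # ('esp', 'ike', 'nat-keepalive')
```

The NAT-D check works only because the hash covers the address and port as the sender believes them to be; a peer that receives a matching hash learns it is not behind a NAT, while the side whose hash fails to verify is the one that must send keepalives to hold the NAT mapping open.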
Configuration methods (Cisco syntax as given on this page):
1. IPsec over TCP: both parties communicate over a TCP port, 10000 by default. Only client mode is supported. Disabled by default; enable it with crypto isakmp ipsec-over-tcp. It is used in real environments for unconventional VPN connectivity where IPsec over UDP or NAT-T cannot be used.
2. NAT-T: both parties end up communicating on UDP port 4500. Supports both client and LAN-to-LAN (L2L) tunnels. Disabled by default; enable it with crypto isakmp nat-traversal 20, where 20 is the keepalive interval in seconds (the default).
3. IPsec over UDP: both parties communicate over UDP, port 10000 by default. Only client mode is supported. Disabled by default; enable it in the group policy:
hostname(config-group-policy)# ipsec-udp {enable | disable}
hostname(config-group-policy)# ipsec-udp-port 10000
When more than one of the three methods is enabled, the precedence is: IPsec over TCP > NAT-T > IPsec over UDP.