Resolving disputes allows the IPsec and NAT technologies to coexist peacefully

Currently, network security and network address translation are widely used. For any of these technologies, it is very good. Many people are thinking about how to share two good technologies but make them safe.

Network Security IPsec (IP Security) and Network Address Translation NATNet Address Translation) are widely used, but it is not easy to make them run together. From the IP point of view, NAT modifies the lower layer of the IP address, which is a betrayal of the IP address. From the application point of view, the network administrator must handle the network address problem, NAT allows users to hide their networks and hosts from external public networks in multiple ways. It is a good tool and is now used by large enterprises and small and medium-sized enterprises. Like NAT, IPsec is also a good tool that allows you to Securely connect to a remote terminal over the Internet. However, due to the IPsec protocol architecture and the lack of NAT devices supporting IPsec, many problems may occur when IPsec and NAT are running together. The simplest way to solve these problems is to add a vro to run NAT and Virtual Private Network VPN. However, in most cases, there are no redundant routers to execute this function. Therefore, to solve the problem of coexistence between the two, you must have a certain understanding of IPsec and NAT.

Basic Principles and types of NAT

NAT can solve the problem of a shortage of IP addresses, isolate internal and external networks, and provide certain network security. The solution is to use an internal address in the internal network and translate the internal address into a valid IP address on the Internet through NAT, the specific method is to replace the address domain in the IP package with a valid IP address.

NAT functions are usually integrated into routers, firewalls, ISDN routers, or individual NAT devices. The NAT device maintains a status table to map illegal IP addresses to valid IP addresses. Each packet is translated into a correct IP address in the NAT device and sent to the next level, which means a certain burden on the processor. However, for a general network, this burden is negligible.

There are three types of NAT: static NAT, dynamic address NAT, and network address port translation NAPT. Static NAT is the easiest to set. Each host in the internal network is permanently mapped to a valid address in the external network. Dynamic Address NAT defines a series of valid addresses in the external network and maps them to the internal network using dynamic allocation. NAPT maps internal addresses to different ports of an IP address of an external network. Based on different needs, the three NAT solutions have their own advantages and disadvantages.

Dynamic Address NAT only converts IP addresses. It allocates a temporary external IP address for each internal IP address, which is mainly used for dialing. Dynamic NAT can also be used for frequent remote connections. When a remote user is connected, the dynamic address NAT will assign an IP address to the user. When the user is disconnected, the IP address will be released for future use.

Network Address Port Translation (NAPTNetwork Address Port Translation) is a familiar conversion method. NAPT is widely used in access devices. It can hide Small and Medium networks behind a valid IP address. Unlike Dynamic Address NAT, NAPT maps internal connections to a separate IP address in the external network, and adds a TCP port number selected by the NAT device to the address.

When NAPT is used in the Internet, all different TCP and UDP information flows seem to come from the same IP address. This advantage is very practical in small office rooms. By applying an IP address from the ISP, multiple connections are connected to the Internet through NAPT. In fact, many SOHO remote access devices support dynamic IP addresses based on PPP. In this way, ISP does not even need to support NAPT, so that multiple internal IP addresses can share the Internet with one external IP address. Although this will cause certain channel congestion, however, considering the reduced ISP Internet access cost and ease of management, NAPT is worthwhile.

IPsec Working Mode

IPsec is an open standard that ensures channel security on the Internet. In different countries, multinational enterprises are subject to different password length import and export restrictions. IPSec enables network users and developers to adopt different encryption algorithms and keywords, thus solving the security problem that headaches multinational organizations.

IPsec generates a standard platform to develop an electronic tunnel between a secure network and two machines. Through the IPsec Security tunnel, a connection like an imaging circuit is generated in the network where data packets can be transmitted. IPsec generates such a tunnel between remote users and the local network. It also encapsulates each packet in a new package, the new package contains the information necessary for creating, maintaining, and removing tunnels when they are no longer needed.

IPsec is often used to ensure the security of the data network. Verify the identity of two users who send messages back and forth by using digital certificates and automatic authentication devices. IPsec is an ideal method for ensuring data security in large networks that require secure connections between many devices.

IPsec deployed users can ensure the security of their network infrastructure without affecting applications on each computer. This protocol is used as a pure software upgrade to the network infrastructure. This allows security and does not cost any money to transform each computer. Most importantly, IPsec allows communication between different network devices, PCs, and other computing systems.

IPsec has two modes: Transmission Mode and tunnel mode. In transmission mode, only the IPsec protocol is applied to the IP Group, and the IP header is not modified. It can only be applied to the IPsec Virtual Private Network VPN of the host. In tunneling mode, IPsec encapsulates the original IP group into an IPsec group with a new IP header, so that the original IP group is effectively hidden. Tunnel is mainly used for remote access from the host to the gateway.

There are two concerns in the IPsec protocol: Authentication Header AHAuthentication Header) and encapsulation Security load ESPEncapsulation Security Payload ).

The authentication header AH can work with many different algorithms. AH has very few applications. It needs to check whether the fields of the sending device have been changed during the routing process, and if the verification fails, the group will be discarded. In this way, AH provides an identification for the integrity and primitive nature of the data.

Encapsulation security load ESP) header provides the integration function and the reliability of IP data. Integration ensures that data is not damaged by malicious hackers, and reliability ensures the security of password technology. For IPv4 and IPv6, the ESP header is listed behind other IP addresses. Note the two optional IP header types. The segment-to-segment header is immediately processed by the system such as the router in each segment, while the terminal header is only processed by the receiving end. The ESP code can correctly send packets only when it is not disturbed by any IP header. The ESP protocol is flexible and can work under two encryption algorithms. Other conversion methods can be used between two or more IPSec systems. Now you can select algorithms including Triple-DES, RC5, IDEA, CAST, BLOWFISH, and RC4.

"Conflict" between NAT and IPsec"

NAT and AH IPsec cannot run together because, according to the definition, NAT will change the IP address of the IP group, and any change to the IP Group will be damaged by the ah id. When the NAPT function is used between two IPsec boundary points but the IPsec traffic is not configured for processing, IPsec and NAT cannot work together. In addition, in transmission mode, ESP IPsec cannot work with NAPT, because in this transmission mode, the port number is protected by ESP, and any change to the port number is considered to be damaged. In the case of ESP in tunnel mode, the TCP/UDP header is invisible, so it cannot be used to convert internal and external addresses. In this case, static NAT and ESP IPsec can work together, because only IP addresses need to be converted, it does not affect the High-level protocol.

Resolving disputes and peaceful coexistence

In order to solve the problem of ESP IPsec and NAPT sharing, the equipment manufacturer puts forward a variety of solutions. The simple method is to use a workstation to run IKE to process all IPsec groups, but only one IPsec VPN can pass through NAPT. The client can first transmit data through port 500 for negotiation, send all the IPsec groups that enter the NAPT device to the specified host, and send the required IPsec data back to the client. To make the NAPT work normally, ensure that the source port number converted between the internal network and the external network is unique. Therefore, we can use IKE for negotiation. IKE uses UDP port 500, so no special processing is required. To transmit IPsec traffic between two hosts, we need to use SPI. Each SA has an SPI. When IKE negotiation is performed during VPN installation, they exchange SPI. The NAPT device maps this pair of SPI numbers to the VPN terminals in the NAT. The SPI selected by the IPsec client is mapped to an internal IP address because the NAPT device uses it to determine where incoming traffic is sent.

Notes:

1. This dispute resolution method is only applicable to IPsec clients located outside the NAPT device to initialize IPsec VPN;

2. You must set up an IPsec gateway and use an IP address provided by the NAPT gateway for IKE negotiation. ESP uses SPI, destination address, and Protocol Number to find the SA to which the IPsec group belongs, because the IPsec gateway only uses the NAPT address to determine the IPsec client, which must be used for negotiation;

3. Many IKE authentication methods are performed by pre-setting IP addresses or password related to IP addresses. Therefore, IPsec gateway and napt ip addresses must be set for negotiation.

Related Articles]

• How to build a LAN Using a NAT Server

• Nat configuration for Huawei router 1760

• NAT instance resolution for SIP