NAT Traversal Tutorial - IPSec Over NAT

NAT traversal (NAT-T) allows IPSec traffic to traverse NAT devices by encapsulating IPSec packets within UDP headers. This addresses the problem that NAT devices cannot process encrypted IPSec packets, and that their address rewriting breaks the authentication and integrity checks. With NAT-T, the NAT device processes the unencrypted UDP wrapper and performs its address translation; the receiving peer then unwraps the UDP header and processes the standard IPSec packet. For VPNs using NAT-T, UDP port 4500, UDP port 500 and IP protocol 50 (ESP) must be open on the NAT device. The recommended approach is to use a public IP address, which eliminates the need for NAT-T.
5/29/2017 NAT Traversal tutorial - IPSec over NAT

NAT Traversal tutorial - IPSec over NAT

NAT-T (NAT Traversal)
NAT Traversal, also known as UDP encapsulation, allows traffic to get to the specified destination when a device does not have a public address. This is usually the case if your ISP is doing NAT, or the external interface of your firewall is connected to a device that has NAT enabled.

As well as providing confidentiality, IPSec also provides authenticity and integrity. The problem is that when a NAT device does its NAT translation, the embedded address of the source computer within the IP payload no longer matches the source address of the IKE packet, as that has been replaced by the address of the NAT device. This breaks the authenticity check, which causes the packet to be dropped by the remote peer. So when the NAT device alters the packet, its integrity and authentication checks will fail.

Also, in some cases, depending on the level of encryption, the payload and in particular the headers are encrypted when using IPSec ESP mode. The NAT device cannot change these encrypted headers to its own addresses, or do anything with them.

The NAT device in the middle breaks the authenticity and integrity, and in some cases cannot do anything at all with the packet. It is clear NAT and IPSec are incompatible with each other, and to resolve this NAT Traversal was developed. NAT Traversal adds a UDP header which encapsulates the IPSec ESP header. As this new UDP wrapper is NOT encrypted and is treated just like a normal UDP packet, the NAT device can make the required changes and process the message, which circumvents the above problems. Enabling NAT Traversal on the gateways also resolves the problem with the authenticity and integrity checks, as the gateways are now aware of these changes.

During phase 1, if NAT Traversal is used, one or both peers identify to each other that they are using NAT Traversal, and the IKE negotiations then switch to using UDP port 4500. After this the data is sent and handled using IPSec over UDP, which is effectively NAT Traversal. The receiving peer first unwraps the IPSec packet from its UDP wrapper (the NAT Traversal part that occurred at the sending peer's end) and then processes the traffic as a standard IPSec packet.

Three ports in particular must be open on the device that is doing NAT for your VPN to work correctly. These are UDP port 4500 (used for NAT Traversal), UDP port 500 (used for IKE) and IP protocol 50 (ESP).

However, the ultimate fix for this is to use a public IP address on your firewall's external interface. This is also the recommended method, and it eliminates the need for NAT-T.

http://www.internetcomputersecurity.com/VPNGuide/NATT.html
