IPSec Transparent tunneling

Introduction

Network Address Translation (NAT) was developed to address the problem of Internet Protocol Version 4 (IPV4) running out of address space. Today, home users and small office networks use NAT as an alternative to buying registered addresses. Corporations implement NAT alone or with a firewall to protect their internal resources.


Many-to-one, the most commonly implemented NAT solution, maps several private addresses to one single routable (public) address; this is also known as Port Address Translation (PAT). The association is implemented at the port level. The PAT solution creates a problem for IPSec traffic that does not use any ports.

IPSec issues with PAT

•     How PAT Works?
•     Why IPSec will not Support PAT?

How PAT Works

How PAT Works

Why IPSec will not Support PAT

                      PAT can translate IKE packets using its inherent UDP port number. The problem arises when the VPN devices tries to establish the IPSec session. IPSec uses ESP/AH. ESP & AH does not use UDP or TCP port number. The PAT method of translating UDP or TCP port number does not work with IPSec. The translating device drops the IPSec frame.

Encapsulating Security Payload

                      IP 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec. PAT devices do not work with ESP since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs).

The can be solved by "IPSec over UDP", "NAT transparent (NAT-T)" or "IPSec over TCP" by encapsulating ESP within TCP or UDP and sending it to a negotiated port.

IPSec over UDP

IPSec over UDP is negotiated during tunnel establishment. During tunnel negotiations, if enabled in both the Cisco VPN client and the Concentrator, IPSec is wrapped in UDP. This is configured on a group-by-group basis.  IPSec over UDP can be configured from 4001 – 49151

IPSec over UDP

NAT-T

Network Address Translation - Traversal (NAT-T) is a standard based IPSec over UDP solutions. NAT-T performs two tasks: detects if both ends supports NAT-T and detects intermediate NAT devices along the transmission path.

During IKE phase 1, the client and the IPSec gateway exchange Vendor Identification (VID) packets to detect whether the other end supports NAT-T .

Step one occurs in ISAKMP Main Mode messages one and two.  If both devices support NAT-T, then NAT-Discovery is performed in ISKAMP Main Mode messages (packets) three and four.  The NAT-D payload sent is a hash of the original IP address and port. Devices exchange two NAT-D packets, one with source IP and port, and another with destination IP and port. The receiving device recalculates the hash and compares it with the hash it received; if they don't match a NAT device exists.

If a NAT device has been determined to exist, NAT-T will change the ISAKMP transport with ISAKMP Main Mode messages five and six, at which point all ISAKMP packets change from UDP port 500 to UDP port 4500.  NAT-T encapsulates the Quick Mode (IPsec Phase 2) exchange inside UDP 4500 as well.  After Quick Mode completes data that gets encrypted on the IPsec Security Association is encapsulated inside UDP port 4500 as well, thus providing a port to be used in the PAT device for translation.


NAT-T uses the port UDP 4500

NAT-T

IPSec over TCP

A third type of transparent tunneling support is IPSec over TCP. with IPSec over TCP there is no room for negotiation like there is IPSec over UDP. IPSec over TCP packets are encapsulated from the start of the tunnel establishment cycle.

If all three are active IPSec over TCP take the precedence over both NAT-T and IPSec over UDP. The reason is IPSec over TCP encapsulate both IKE and IPSec. IPSec over TCP implements the default port 10000. The IPSec over TCP uses the port range from 1 to 65535.

IPSec over TCP

Overview of IPSec Packet Structure after Transparent tunneling

Overview of IPSec Packet Structure after Transparent tunneling

Leave your comment below