The IPSEC NAT Traversal feature allows IPSEC traffic to travel through a Network Address Translation (NAT) or Port Address Translation (PAT) device in the network by addressing the many incompatibilities between NAT and IPSEC.
NAT Traversal is a UDP encapsulation which allows traffic to reach its specified destination even when a device does not have a public address.
IPSEC provides confidentiality, authenticity and integrity. A problem occurs when a NAT device performs its translation: the source address within the IP payload no longer matches the source address of the IKE packet, because the NAT device has replaced it with its own address. The authenticity and integrity checks then fail, and the remote peer drops the packet.
NAT and IPSEC are therefore incompatible with each other, and this is resolved by using NAT Traversal. NAT Traversal adds a UDP header which encapsulates the IPSEC ESP packet. The new UDP header is not encrypted and is treated just like a normal UDP packet, so the NAT device can make the required changes and process the message, which overcomes the problem.
NAT and IPSEC Incompatibility and Solution
- Internet Key Exchange (IKE) IP Address and NAT
This incompatibility applies only when IP addresses are used as a search key to find a pre-shared key. Modification of the IP source or destination addresses by NAT or reverse NAT results in a mismatch between the IP address and the pre-shared key.
- Embedded IP Addresses and NAT
Because the payload is integrity protected, an IP address embedded within an IPSEC packet cannot be translated by NAT. This matters for protocols such as FTP, SNMP, LDAP and SIP, which carry IP addresses inside their payload.
UDP encapsulation addresses incompatibility issues between IPSEC and NAT.
- Incompatibility between IPSEC ESP and PAT Resolved
To prevent this situation, UDP encapsulation is used to hide the ESP packet behind a UDP header. PAT then sees only the outer UDP header and processes the encapsulated ESP packet as a normal UDP packet.
- Incompatibility between Checksums and NAT Resolved
The TCP/UDP checksum problem arises because NAT changes the IP source and destination addresses, which are included in the transport-layer checksum; since the inner packet is protected by ESP, NAT cannot update that checksum. In the NAT-T UDP encapsulation header the checksum value is always zero, which prevents an intermediate device from validating the checksum result against the packet contents.
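The checksum point above is easiest to see with the actual arithmetic. The following Python is an added example, not code from the original page: it builds a transport-mode TCP segment whose checksum covers the pseudo-header (source and destination IP), shows that the same segment no longer verifies once a NAT has rewritten the outer source address, and shows the zero checksum in the outer NAT-T UDP header. The addresses, payload and the "receiver learns the original address" step (RFC 3948 lets a NAT-T receiver use the original address from the NAT-OA payload, or simply recompute) are constructed for the demonstration.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, returned complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header holding the IP addresses,
    which is exactly why address translation by NAT invalidates it."""
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def build_segment(src_ip: str, dst_ip: str, payload: bytes,
                  sport: int = 40000, dport: int = 80) -> bytes:
    """Minimal TCP segment (PSH/ACK) with a correct checksum for src_ip -> dst_ip."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]   # checksum at offset 16


def segment_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment verifies when the sum over pseudo-header + segment folds to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def natt_udp_header(payload_len: int, sport: int = 4500, dport: int = 4500) -> bytes:
    """Outer NAT-T UDP header. RFC 3948 sets the checksum to zero, so a NAT
    can rewrite the outer addresses and ports without breaking it."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def transport_mode_scenario() -> dict:
    # Constructed addresses (RFC 5737 documentation ranges) and a constructed payload.
    private_src, nat_public, server = "10.0.0.5", "203.0.113.7", "198.51.100.20"
    segment = build_segment(private_src, server, b"GET / HTTP/1.0\r\n\r\n")

    # Transport-mode ESP encrypts and integrity-protects the segment, so the NAT
    # can rewrite only the IP header: the inner checksum still reflects 10.0.0.5.
    outer_src_after_nat = nat_public

    return {
        # sender-side check against the original addresses
        "valid_at_sender": segment_valid(private_src, server, segment),
        # receiver checking against the translated outer source address: fails
        "valid_against_nat_addr": segment_valid(outer_src_after_nat, server, segment),
        # NAT-T receiver that learned the original address (NAT-OA) before checking
        "valid_with_nat_oa": segment_valid(private_src, server, segment),
        # checksum field of the outer NAT-T UDP header
        "outer_udp_checksum": struct.unpack("!H", natt_udp_header(len(segment))[6:8])[0],
    }
```

Running `transport_mode_scenario()` returns `valid_at_sender` true, `valid_against_nat_addr` false and `outer_udp_checksum` 0: the inner checksum is unreachable to the NAT, so the fix has to live at the IPSEC endpoints, which is what the zero outer checksum and the NAT-OA mechanism provide.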
- Incompatibility between IKE Destination Ports and PAT Resolved
PAT changes the port in the new UDP header during translation and leaves the original payload as it is. For the Phase 1 setup, the device performing NAT must allow the following three kinds of VPN traffic –
- UDP port 4500 for NAT Traversal
- UDP port 500 for IKE
- IP protocol 50 (ESP)
After this, the data is sent as IPSEC over UDP, which is effectively NAT Traversal. The receiving peer first decapsulates the IPSEC packet from its UDP wrapper and then processes the traffic as a standard IPSEC packet.
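The encapsulate, translate, decapsulate sequence described above, as an added Python example that is not part of the original page. It models an ESP packet with an HMAC integrity check value (ICV), wraps it in the NAT-T UDP header, lets a PAT device rewrite the outer source port, and then shows the receiver stripping the UDP header and telling ESP apart from IKE and keepalives on the shared port 4500 (RFC 3948: IKE is prefixed by a four-byte non-ESP marker of zeros, a keepalive is a single 0xFF byte, and ESP always begins with a non-zero SPI). Because the ICV covers only the ESP header and payload, it still verifies after translation. The key, SPI and "ciphertext" are constructed values; the IP header is not modelled.

```python
import hashlib
import hmac
import struct

NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on port 4500 starts with four zero bytes
KEEPALIVE = b"\xff"                    # RFC 3948: one-byte NAT keepalive
ICV_LEN = 16                           # HMAC-SHA256-128 truncation


def build_esp(spi: int, seq: int, ciphertext: bytes, auth_key: bytes) -> bytes:
    """ESP packet: SPI, sequence number, (already encrypted) payload, ICV.
    The ICV covers the ESP header and payload only, never the outer IP/UDP headers."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def verify_esp(esp: bytes, auth_key: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def udp_encapsulate(payload: bytes, sport: int = NATT_PORT, dport: int = NATT_PORT) -> bytes:
    """Wrap IKE or ESP in the NAT-T UDP header (checksum zero per RFC 3948)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def pat_rewrite(udp_packet: bytes, new_sport: int) -> bytes:
    """What a PAT device does on the way out: rewrite the outer source port
    (and, in the IP header not modelled here, the source address).
    The UDP payload, i.e. the ESP packet, is left untouched."""
    sport, dport, length, csum = struct.unpack("!HHHH", udp_packet[:8])
    return struct.pack("!HHHH", new_sport, dport, length, csum) + udp_packet[8:]


def decapsulate(udp_packet: bytes) -> tuple:
    """Receiver side: strip the UDP header and classify the inner data.
    ESP always starts with a non-zero SPI, so four zero bytes can only be IKE."""
    payload = udp_packet[8:]
    if payload == KEEPALIVE:
        return "keepalive", b""
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    return "esp", payload


def scenario() -> dict:
    auth_key = b"constructed-demo-auth-key"      # constructed; real keys come from IKE
    ciphertext = bytes(range(32))                # constructed stand-in for encrypted data
    esp = build_esp(0x1234ABCD, 7, ciphertext, auth_key)

    # initiator sends ESP-in-UDP; PAT rewrites the outer source port on the way out
    on_wire = pat_rewrite(udp_encapsulate(esp), new_sport=61234)
    kind, inner = decapsulate(on_wire)

    # an IKE message and a keepalive share the same port and are told apart on demux
    ike_kind, ike_inner = decapsulate(udp_encapsulate(NON_ESP_MARKER + b"IKE-message"))
    ka_kind, _ = decapsulate(udp_encapsulate(KEEPALIVE))

    return {
        "kind": kind,
        "icv_ok": verify_esp(inner, auth_key),          # still valid after PAT
        "outer_sport": struct.unpack("!H", on_wire[:2])[0],
        "spi": struct.unpack("!I", inner[:4])[0],
        "ike_kind": ike_kind,
        "ike_inner": ike_inner,
        "keepalive_kind": ka_kind,
    }
```

The design point is that nothing the PAT touches is covered by the ICV, so the translated packet is accepted, whereas any change to the bytes after the UDP header (the SPI, sequence number or payload) fails `verify_esp`. This is also why a firewall in front of the NAT-T endpoint only needs to pass UDP 4500 for the data traffic: the ESP protocol-50 packets never appear on the wire once encapsulation is negotiated.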
Benefits of NAT Traversal
Before NAT Traversal, a standard IPSEC virtual private network (VPN) tunnel would not work if there were one or more NAT or PAT devices in the path of the IPSEC packet. The NAT-aware IPSEC feature allows remote-access users to build IPSEC tunnels to home gateways. The IPSEC NAT Transparency feature permits IPSEC traffic to travel through a NAT or PAT device in the network by encapsulating IPSEC packets in a User Datagram Protocol (UDP) wrapper, which allows the packets to travel across NAT-configured devices.
- Configuring NAT Traversal
NAT Traversal is auto-detected and enabled by default, so there are no configuration steps. If both devices are NAT-T capable, NAT Traversal is auto-detected and auto-negotiated.
- Disabling NAT Traversal
To disable NAT Traversal, the following command is used in global configuration mode –
Router(config)# no crypto ipsec nat-transparency udp-encapsulation
NAT-T addresses the problem encountered when data protected by IPsec passes through a NAT device that assigns a public IP address: the change to the IP address causes IKE to discard the packets. During the Phase 1 exchanges, NAT-T adds a UDP encapsulation to IPsec packets so they are not discarded after address translation. NAT-T encapsulates both IKE and ESP traffic within UDP, with port 4500 used as both the source and destination port.