Authorized reprint by author zhushigeng (Vinsoney)
As shown in the figure above, PC1 and FW1 are devices in Site 1; NAT-Device, FW2, and PC2 are devices in Site 2. FW1 and FW2 are IPSec VPN gateways, and a site-to-site IPSec VPN is to be established between the two sites. Because the IPSec VPN gateway in Site 2 sits behind the site's NAT device and uses a private IP address, a NAT server mapping is deployed on NAT-Device so that FW1 can reach FW2: UDP port 500 of the public address 200.2.2.2 is mapped to UDP port 500 of 10.0.0.2. FW1 uses 200.2.2.2 to access FW2.
First consider establishing the IPSec VPN tunnel when NAT traversal is disabled on FW1 and FW2 (or when FW1 and FW2 do not support NAT traversal). IPSec VPN negotiation is performed by ISAKMP, which runs over UDP with source and destination port 500. ISAKMP packets can therefore be translated by NAT-Device, and the IPSec VPN tunnel can be established: displaying the IPSec SAs on FW1 and FW2 shows that the SAs have been negotiated. However, the two PCs still cannot reach each other across the sites. Consider PC1 accessing PC2:
The packet sent by PC1 is shown above. When it arrives at FW1 it matches the IPSec VPN policy on FW1, so the packet is encrypted and hashed, an ESP header is added, and a new IP header is added. The processed packet is sent to the public network and reaches NAT-Device. Although a NAT server port mapping is deployed on NAT-Device, the received packet is an IP packet in which the ESP header directly follows the IP header; there is no UDP header and therefore no port, so the NAT device cannot translate the packet and forward it to FW2. The packet is discarded by NAT-Device. The result is that, although the IPSec VPN tunnel has been established, the protected traffic between the two sites cannot get through.
The solution is to enable NAT traversal on FW1 and FW2. Once enabled, NAT traversal negotiation is performed during IKE phase 1 between FW1 and FW2, and by exchanging ISAKMP packets the firewalls can determine whether a NAT device sits between them. If there is one, UDP source and destination port 4500 is used to transmit the 5th and 6th packets of IKE phase 1, the three subsequent ISAKMP packets of quick mode, and the ESP packets that carry the user data. In this way the packets can be translated correctly when they traverse NAT-Device. Note that a port 4500 mapping must also be added on NAT-Device.
In this way, when the data sent by PC1 reaches FW1, FW1 encapsulates the packet with an ESP header, then with a UDP header whose source and destination ports are both 4500 (the port dedicated to IPSec NAT traversal), and finally with the tunnel IP header. The completed packet is delivered to NAT-Device. NAT-Device sees a UDP packet with destination port 4500 and has a local port mapping from 200.2.2.2:4500 to 10.0.0.2:4500, so it translates the destination IP to 10.0.0.2 and forwards the packet. The remaining processing on FW2 is not detailed here.
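To make the two behaviours above concrete, the following is an added example (not from the original article or from Huawei): a small Python model of NAT-Device's static UDP port mappings and of the RFC 3948 rule by which a gateway tells UDP/4500 IKE from UDP-encapsulated ESP. Addresses and mappings are those of the article; the packets are constructed for the example.

```python
# Added example, not part of the original article. Models why raw ESP is dropped
# by the NAT server mapping while ISAKMP (UDP/500) and UDP-encapsulated ESP
# (UDP/4500) are translated, and how UDP/4500 payloads are demultiplexed.
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP, IPPROTO_ESP = 17, 50
PUBLIC_IP, FW2_PRIVATE_IP = "200.2.2.2", "10.0.0.2"

# NAT server mappings on NAT-Device: (public ip, udp port) -> (private ip, udp port)
NAT_SERVER = {
    (PUBLIC_IP, 500): (FW2_PRIVATE_IP, 500),
    (PUBLIC_IP, 4500): (FW2_PRIVATE_IP, 4500),
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: int               # IP protocol number (17 = UDP, 50 = ESP)
    sport: Optional[int]     # None when there is no transport header (raw ESP)
    dport: Optional[int]
    payload: bytes = b""

def nat_inbound(pkt: Packet) -> Optional[Packet]:
    """Apply the NAT server mapping to a packet arriving from the Internet.
    Returns the translated packet, or None when NAT-Device must drop it."""
    if pkt.proto != IPPROTO_UDP:
        # Raw ESP directly follows the IP header: no UDP port, nothing to match.
        return None
    target = NAT_SERVER.get((pkt.dst, pkt.dport))
    if target is None:
        return None
    return Packet(pkt.src, target[0], pkt.proto, pkt.sport, target[1], pkt.payload)

def esp_in_udp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Payload FW1 places after the UDP/4500 header: ESP header (SPI, sequence)
    followed by the encrypted data. A real SPI is never zero (RFC 4303)."""
    return struct.pack("!II", spi, seq) + ciphertext

def demux_udp4500(payload: bytes) -> str:
    """RFC 3948: on UDP/4500 a 4-byte zero Non-ESP Marker precedes an IKE message;
    any other first word is the SPI of a UDP-encapsulated ESP packet."""
    if len(payload) < 4:
        raise ValueError("truncated UDP/4500 payload")
    (first_word,) = struct.unpack("!I", payload[:4])
    return "ike" if first_word == 0 else f"esp spi=0x{first_word:08x}"
```

Running `nat_inbound` on a constructed raw ESP packet (protocol 50) returns None, while the same ESP payload wrapped in UDP/4500 is translated to 10.0.0.2:4500 and `demux_udp4500` still recognises it as ESP.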
Example of configuring IPSec VPN NAT traversal
FW1 configuration:
[FW1] ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
[FW1] acl number 3000
[FW1-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
#configure the IKE proposal (the IKE phase 1 policy):
[FW1] ike proposal 1
[FW1-ike-proposal-1] authentication-method pre-share
[FW1-ike-proposal-1] authentication-algorithm sha1
[FW1-ike-proposal-1] encryption-algorithm 3des-cbc
#configure the IPSec proposal (the IKE phase 2 policy):
[FW1] ipsec proposal myset
[FW1-ipsec-proposal-myset] transform esp
[FW1-ipsec-proposal-myset] esp authentication-algorithm sha1
[FW1-ipsec-proposal-myset] esp encryption-algorithm 3des
#configure the IKE peer: pre-shared key, associated IKE proposal, and remote peer IP address:
[FW1] ike peer fw2
[FW1-ike-peer-fw2] pre-shared-key Huawei123
[FW1-ike-peer-fw2] ike-proposal 1
[FW1-ike-peer-fw2] remote-address 200.2.2.2
[FW1-ike-peer-fw2] remote-address authentication-address 10.0.0.2
[FW1-ike-peer-fw2] nat traversal
#configure IPsec Policy:
[FW1] ipsec policy mymap 1 isakmp
[FW1-ipsec-policy-isakmp-mymap-1] security acl 3000
[FW1-ipsec-policy-isakmp-mymap-1] ike-peer fw2
[FW1-ipsec-policy-isakmp-mymap-1] proposal myset
#apply IPsec Policy:
[FW1] interface GigabitEthernet0/0/2
[FW1-GigabitEthernet0/0/2] ipsec policy mymap
#allow traffic from the local zone to the untrust zone, so that FW1 can send ISAKMP negotiation traffic and, once the tunnel is established, the encrypted traffic to FW2:
[FW1] policy interzone local untrust outbound
[FW1-policy-interzone-local-untrust-outbound] policy 0
[FW1-policy-interzone-local-untrust-outbound-0] policy destination 200.2.2.2 0
[FW1-policy-interzone-local-untrust-outbound-0] action permit
#allow IPSec VPN tunnel traffic coming from the remote peer:
[FW1] policy interzone local untrust inbound
[FW1-policy-interzone-local-untrust-inbound] policy 0
[FW1-policy-interzone-local-untrust-inbound-0] policy source 200.2.2.2 0
[FW1-policy-interzone-local-untrust-inbound-0] action permit
#allow intranet traffic coming from the remote peer:
[FW1] policy interzone trust untrust inbound
[FW1-policy-interzone-trust-untrust-inbound] policy 0
[FW1-policy-interzone-trust-untrust-inbound-0] policy source 10.2.2.0 0.0.0.255
[FW1-policy-interzone-trust-untrust-inbound-0] policy destination 10.1.1.0 0.0.0.255
[FW1-policy-interzone-trust-untrust-inbound-0] action permit
#allow traffic from local intranet network to the remote intranet:
[FW1] policy interzone trust untrust outbound
[FW1-policy-interzone-trust-untrust-outbound] policy 0
[FW1-policy-interzone-trust-untrust-outbound-0] policy source 10.1.1.0 0.0.0.255
[FW1-policy-interzone-trust-untrust-outbound-0] policy destination 10.2.2.0 0.0.0.255
[FW1-policy-interzone-trust-untrust-outbound-0] action permit
FW2 configuration:
[FW2] ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
[FW2] acl number 3000
[FW2-acl-adv-3000] rule permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2] ike proposal 1
[FW2-ike-proposal-1] authentication-method pre-share
[FW2-ike-proposal-1] authentication-algorithm sha1
[FW2-ike-proposal-1] encryption-algorithm 3des-cbc
[FW2] ipsec proposal myset
[FW2-ipsec-proposal-myset] transform esp
[FW2-ipsec-proposal-myset] esp authentication-algorithm sha1
[FW2-ipsec-proposal-myset] esp encryption-algorithm 3des
[FW2] ike peer fw1
[FW2-ike-peer-fw1] pre-shared-key Huawei123
[FW2-ike-peer-fw1] ike-proposal 1
[FW2-ike-peer-fw1] remote-address 200.1.1.1
[FW2-ike-peer-fw1] nat traversal
[FW2] ipsec policy mymap 1 isakmp
[FW2-ipsec-policy-isakmp-mymap-1] security acl 3000
[FW2-ipsec-policy-isakmp-mymap-1] ike-peer fw1
[FW2-ipsec-policy-isakmp-mymap-1] proposal myset
[FW2] interface GigabitEthernet0/0/2
[FW2-GigabitEthernet0/0/2] ipsec policy mymap
[FW2] policy interzone local untrust outbound
[FW2-policy-interzone-local-untrust-outbound] policy 0
[FW2-policy-interzone-local-untrust-outbound-0] policy destination 200.1.1.1 0
[FW2-policy-interzone-local-untrust-outbound-0] action permit
[FW2] policy interzone local untrust inbound
[FW2-policy-interzone-local-untrust-inbound] policy 0
[FW2-policy-interzone-local-untrust-inbound-0] policy source 200.1.1.1 0
[FW2-policy-interzone-local-untrust-inbound-0] action permit
[FW2] policy interzone trust untrust inbound
[FW2-policy-interzone-trust-untrust-inbound] policy 0
[FW2-policy-interzone-trust-untrust-inbound-0] policy source 10.1.1.0 0.0.0.255
[FW2-policy-interzone-trust-untrust-inbound-0] policy destination 10.2.2.0 0.0.0.255
[FW2-policy-interzone-trust-untrust-inbound-0] action permit
[FW2] policy interzone trust untrust outbound
[FW2-policy-interzone-trust-untrust-outbound] policy 0
[FW2-policy-interzone-trust-untrust-outbound-0] policy destination 10.1.1.0 0.0.0.255
[FW2-policy-interzone-trust-untrust-outbound-0] policy source 10.2.2.0 0.0.0.255
[FW2-policy-interzone-trust-untrust-outbound-0] action permit
