NAT traversal [Dr.WoW] [No.36]

Latest reply: Aug 19, 2015 02:27:03

This post covers the topic of NAT traversal. Please find the details below.

Previously, we learned that a template IPSec policy can be used to establish an IPSec tunnel when the host connects to sub-hosts that have no fixed egress IP address. At that point, regardless of whether a sub-host uses a fixed or a dynamic public IP address, it can still safely access the host through the IPSec tunnel. All was well for the Tiandihui.

And yet the lands of the Internet never remain calm for long. Tiandihui faced yet another challenge. Some sub-hosts did not even have dynamic public IP addresses! They could only reach the Internet through the address of a NAT device. Can these sub-hosts access the host as usual? Also, apart from accessing the host, sub-hosts still need to access the Internet, and some sub-hosts have both IPSec and NAT configured on their firewalls; can the two peacefully coexist? To answer these two questions, let's listen to Dr. WoW.

1 Overview of NAT Traversal Scenarios

First, let's look at networks with NAT devices. As shown in Figure 1-1, if the sub-host firewall's interface IP address is a private network address, it must be translated by a NAT device; only after it has been translated into a public IP address can it be used to establish an IPSec tunnel with the host firewall.

Figure 1-1 NAT traversal scenario


As we all know, IPSec is designed to ensure that packets cannot be modified, while NAT exists specifically to modify packet IP addresses; it feels like mixing fire with ice. Looking closer, though: the IPSec negotiation is carried out with ISAKMP messages, which are UDP-encapsulated with source and destination port 500. A NAT device can translate the IP address and port of these messages, so ISAKMP messages pass through NAT and IPSec SA negotiation completes. Data traffic, however, is carried by the AH or ESP protocol, and this is where NAT translation runs into trouble. Below, we'll look at whether AH and ESP packets can pass through NAT devices.

•   AH protocol

Because AH performs an integrity check on the data, it computes a hash over the entire IP packet, including the IP header. NAT, on the other hand, changes the IP addresses, thereby breaking the AH hash value. As such, AH packets cannot pass through a NAT gateway.

•   ESP protocol

ESP also performs an integrity check on the data, but this check does not cover the outer IP header, so IP address translation does not break the ESP hash value. However, the TCP port numbers inside an ESP packet are encrypted and cannot be changed, while NAT translates ports at the same time as addresses; as such, ESP cannot be supported either.

To solve these issues, we must look at the NAT traversal function (nat traversal) that both firewalls run when the IPSec tunnel is established. Once the NAT traversal function is enabled and a NAT device must be traversed, the ESP packet is encapsulated in a UDP header whose source and destination port numbers are both 4500. An IPSec packet carrying this UDP header can be translated by the NAT device without breaking: the NAT device rewrites only the outer IP header and the added UDP header, leaving the ESP packet inside untouched.

Depending on the position of the NAT device and its address translation function, we'll introduce this topic through the following three scenarios.

Scenario 1: Post-NAT Transformation Sub-Host Public IP Address Unknown

As shown in Figure 1-2, when there is a NAT device within the carrier network, the private IP address of the sub-host FW interface GE0/0/2 is translated into a public IP address by the NAT device. Because Tiandihui has no way of knowing which public IP address the NAT device will assign to the sub-host, the host FW cannot explicitly specify the peer sub-host's public IP address. As such, the host FW must configure the IPSec policy using the template method, and both the host and sub-host FWs must enable the NAT traversal function.

In this scenario, the host still uses the template method, so it cannot actively access the sub-host; only the sub-host can actively initiate access to the host.

Figure 1-2 Post-NAT transformation sub-host public IP address unknown


Host and sub-host FW key configuration is as shown in Table 1-1.

Table 1-1 NAT traversal configuration (1)

Key Configuration: IPSec Proposal

  Host FW_A:
    ipsec proposal pro1
     transform esp // ESP is used to encapsulate packets

  Sub-Host FW_B:
    ipsec proposal pro1
     transform esp // ESP is used to encapsulate packets

Key Configuration: IKE Peer

  Host FW_A:
    ike peer sub-host
     pre-shared-key tiandihui1
     ike-proposal 10
     nat traversal // enabled on both ends; enabled by default

  Sub-Host FW_B:
    ike peer host
     pre-shared-key tiandihui1
     ike-proposal 10
     remote-address 1.1.1.1
     nat traversal // enabled on both ends; enabled by default

Key Configuration: IPSec Policy

  Host FW_A:
    ipsec policy-template tem1 1 // template method configuration
     security acl 3000
     proposal pro1
     ike-peer sub-host
    ipsec policy policy1 1 isakmp template tem1

  Sub-Host FW_B:
    ipsec policy policy1 1 isakmp
     security acl 3000
     proposal pro1
     ike-peer host


Scenario 2: Post-NAT Transformation Sub-Host Public IP Address Known

As shown in Figure 1-3, when there is a NAT device within the sub-host network, the private IP address of the sub-host FW interface GE0/0/2 is translated into a public IP address by the NAT device. Because the NAT device is under the sub-host's control, the translated public IP address is known, so the host FW can use either the template or the IKE method for IPSec policy configuration.

It must be noted that even if the IKE method is used, the host still cannot actively establish an IPSec tunnel with the sub-host. This is not an IPSec issue but a NAT device issue: the NAT device only translates the source address for sub-host--->host access, and once the sub-host is "hidden" by the NAT device, host--->sub-host access is impossible. If the host needs to actively access the sub-host FW_B private network address, the NAT Server function must be configured on the NAT device; we'll discuss this in Scenario 3.

Figure 1-3 Post-NAT transformation sub-host public IP address known


Using the IKE IPSec policy as an example, host and sub-host FW key configuration is as shown in Table 1-2.

Table 1-2 NAT traversal configuration (2)

Key Configuration: IPSec Proposal

  Host FW_A:
    ipsec proposal pro1
     transform esp // ESP is used to encapsulate packets

  Sub-Host FW_B:
    ipsec proposal pro1
     transform esp // ESP is used to encapsulate packets

Key Configuration: IKE Peer

  Host FW_A:
    ike peer sub-host
     pre-shared-key tiandihui1
     ike-proposal 10
     nat traversal // enabled on both ends; enabled by default
     remote-address 2.2.2.10 // peer address is the post-NAT address. With the IKE method the peer address is a single address, so only one address from the NAT device's address pool can be used; with the template method this does not apply.
     remote-address authentication-address 172.16.0.1 // authentication address is the pre-NAT address; with the template method this does not apply.

  Sub-Host FW_B:
    ike peer host
     pre-shared-key tiandihui1
     ike-proposal 10
     remote-address 1.1.1.1
     nat traversal // enabled on both ends; enabled by default

Key Configuration: IPSec Policy

  Host FW_A:
    ipsec policy policy1 1 isakmp
     security acl 3000
     proposal pro1
     ike-peer sub-host

  Sub-Host FW_B:
    ipsec policy policy1 1 isakmp
     security acl 3000
     proposal pro1
     ike-peer host


Scenario 3: NAT Device with NAT Server Functions

As shown in Figure 1-4, when the NAT device is within the sub-host network, it will provide the NAT Server function; the publicly issued address is 2.2.2.20, and the mapped private network address is the sub-host FW interface GE0/0/2 address 172.16.0.1. When the host FW uses the IKE method to configure the IPSec policy, host--->sub-host access is possible.

When NAT Server is configured on the NAT device, the 2.2.2.20 UDP 500 and 4500 ports will be mapped respectively to the 172.16.0.1 UDP 500 and 4500 ports; the specific configuration is as follows:

[NAT] nat server protocol udp global 2.2.2.20 500 inside 172.16.0.1 500

[NAT] nat server protocol udp global 2.2.2.20 4500 inside 172.16.0.1 4500

Meanwhile, because the NAT Server configuration on the NAT device will generate a reverse Server-map table, the sub-host FW will also be able to actively initiate access to the host. Once the packet arrives at the NAT device and matches the reverse Server-map table, the source address will be transformed to 2.2.2.20, thereby making sub-host --->host access possible.

Figure 1-4 NAT device with NAT server functions


Host and sub-host FW key configuration is as shown in Table 1-3.

Table 1-3 NAT traversal configuration (3)

Key Configuration: IPSec Proposal

  Host FW_A:
    ipsec proposal pro1
     transform esp // ESP is used to encapsulate packets

  Sub-Host FW_B:
    ipsec proposal pro1
     transform esp // ESP is used to encapsulate packets

Key Configuration: IKE Peer

  Host FW_A:
    ike peer sub-host
     pre-shared-key tiandihui1
     ike-proposal 10
     nat traversal // enabled on both ends; enabled by default
     remote-address 2.2.2.20 // peer address is the NAT Server's global address
     remote-address authentication-address 172.16.0.1 // authentication address is the pre-NAT address

  Sub-Host FW_B:
    ike peer host
     pre-shared-key tiandihui1
     ike-proposal 10
     remote-address 1.1.1.1
     nat traversal // enabled on both ends; enabled by default

Key Configuration: IPSec Policy

  Host FW_A:
    ipsec policy policy1 1 isakmp
     security acl 3000
     proposal pro1
     ike-peer sub-host

  Sub-Host FW_B:
    ipsec policy policy1 1 isakmp
     security acl 3000
     proposal pro1
     ike-peer host


Three characteristics of NAT traversal configuration:

•   Both firewalls must enable the NAT traversal function (nat traversal), even if only one firewall's egress is a private IP address.

•   Because the sub-host firewall egress is "hidden" by the NAT device, the tunnel peer IP address visible to the host firewall is the post-NAT public IP address. So, when the host uses the IKE IPSec policy, the IP address specified by the remote-address command is the NAT-translated address and no longer the private network address from which the peer initiates IKE negotiation.

•   Because the public IP address specified by the remote-address command can no longer be used for identity authentication, an additional command, remote-address authentication-address, must be added to specify the peer's identity authentication address (this must be the peer device's pre-NAT address, the address that actually initiates IKE negotiation); the local end uses this IP address to authenticate the peer device.

Of course, if the host uses a template-configured IPSec policy, it automatically gives up the ability to actively initiate access and cannot authenticate the peer device; as such, the remote-address and remote-address authentication-address commands do not need to be configured.

Next, we'll use the second scenario to introduce how IPSec can traverse NATs when IKEv1 and IKEv2 are used.

2 IKEv1 NAT Traversal Negotiation (Main Mode)

The IKEv1 main mode NAT traversal negotiation packet interaction process is as follows:

1. When NAT traversal begins, the IKEv1 phase 1 messages (1) and (2) carry the NAT traversal (NAT-T) Vendor ID payload to check whether both ends of the communication support NAT-T.


When the messages from both ends include this payload, only then will the relevant NAT-T negotiation begin.

2. Main mode messages (3) and (4) are sent with the NAT-D (NAT Discovery) payload. The NAT-D payload is used to detect whether there is a NAT gateway between the two firewalls that wish to establish the IPSec tunnel, and which end sits behind it.


Each end sends hashes of the source and destination IP addresses and ports to its peer in NAT-D payloads, so a change of address or port in transit can be detected. If the hash the recipient computes from the received packet's headers is the same as the hash sent by the peer, there is no NAT device on the path; otherwise, a NAT device translated the packet's IP address and port in transit.

The first NAT-D payload is the peer IP and port HASH value; the second NAT-D payload is the local IP and port HASH value.

3. Once a NAT gateway is discovered, the port number of subsequent ISAKMP messages (from main mode message (5) on) changes to 4500, and the ISAKMP packet is identified by a "Non-ESP Marker".


4. In IKEv1 phase 2, the two ends negotiate whether to use UDP encapsulation for NAT traversal; the IPSec packet is then encapsulated in one of two modes: UDP-Encapsulated-Tunnel or UDP-Encapsulated-Transport.

A UDP header is added to the ESP packet, and the UDP port number is 4500. When the encapsulated packet goes through the NAT device, the NAT device translates the address and port number of the packet's outer IP header and of the added UDP header.


3 IKEv2 NAT Traversal Negotiation

The IKEv2 NAT traversal negotiation packet interaction process is as follows:

1. Once NAT traversal begins, the IKE initiator and responder both include the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notify payloads in the IKE_SA_INIT message. These two notify payloads are used to detect whether a NAT exists between the two firewalls that wish to establish an IPSec tunnel, and which firewall is behind the NAT. If the received NAT_DETECTION_SOURCE_IP notify payload does not match the hash of the packet IP header's source IP and port, the peer is behind a NAT gateway. If the received NAT_DETECTION_DESTINATION_IP notify payload does not match the hash of the packet IP header's destination IP and port, the local end is behind a NAT gateway.
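The detection check described above for both IKEv1 NAT-D and IKEv2 NAT_DETECTION_*_IP, as an added example that is not code from the original post. IKEv1 (RFC 3947) hashes CKY-I | CKY-R | IP | Port with the negotiated hash algorithm and IKEv2 (RFC 7296) hashes SPIi | SPIr | IP | Port with SHA-1; the cookies are constructed, while the addresses and the translated port 2054 are taken from Scenario 2 and the session tables shown later in the post.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int,
                       hash_name: str = "sha1") -> bytes:
    """Hash over SPI_i | SPI_r | packed IP | 16-bit port (network byte order)."""
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    h = hashlib.new(hash_name)
    h.update(spi_i + spi_r + packed_ip + struct.pack("!H", port))
    return h.digest()


def detect_nat(spi_i: bytes, spi_r: bytes, sender_src: tuple, sender_dst: tuple,
               seen_src: tuple, seen_dst: tuple, hash_name: str = "sha1") -> tuple:
    """Evaluate the received detection payloads from the receiver's point of view.

    sender_src / sender_dst: (ip, port) the sender used when it built its hashes.
    seen_src / seen_dst: (ip, port) read from the IP/UDP header of the packet as received.
    Returns (peer_behind_nat, local_behind_nat).
    """
    def h(addr):
        return nat_detection_hash(spi_i, spi_r, addr[0], addr[1], hash_name)

    # Sender's hash of its own address (IKEv1: second NAT-D payload; IKEv2:
    # NAT_DETECTION_SOURCE_IP). A mismatch with the header we received means a
    # NAT rewrote the peer's source address/port, so the peer is behind a NAT.
    peer_behind_nat = h(sender_src) != h(seen_src)
    # Sender's hash of our address as it sees it (IKEv1: first NAT-D payload;
    # IKEv2: NAT_DETECTION_DESTINATION_IP). A mismatch with our own address
    # means a NAT in front of us rewrote the destination, so we are behind a NAT.
    local_behind_nat = h(sender_dst) != h(seen_dst)
    return peer_behind_nat, local_behind_nat


def scenario_two() -> tuple:
    """FW_B (172.16.0.1) behind a source NAT negotiates with FW_A (1.1.1.1).

    The NAT device rewrites FW_B's source to 2.2.2.10:2054, the translated
    tuple that FW_A's session table shows for the UDP 500 session. Evaluated
    at FW_A, this must report: peer behind NAT, local end not behind NAT.
    """
    cky_i = bytes.fromhex("0102030405060708")  # constructed initiator cookie/SPI
    cky_r = bytes.fromhex("1112131415161718")  # constructed responder cookie/SPI
    # What FW_B hashed: its private address, and FW_A's public address.
    sender_src, sender_dst = ("172.16.0.1", 500), ("1.1.1.1", 500)
    # What FW_A reads from the packet headers after the NAT device.
    seen_src, seen_dst = ("2.2.2.10", 2054), ("1.1.1.1", 500)
    return detect_nat(cky_i, cky_r, sender_src, sender_dst, seen_src, seen_dst)


if __name__ == "__main__":
    print("peer_behind_nat, local_behind_nat =", scenario_two())
```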


2. Once a NAT gateway is detected, from the IKE_AUTH message on, the ISAKMP packet port number changes to 4500, and the packet is identified by a "Non-ESP Marker".


IKEv2 also uses UDP to encapsulate the ESP packet, and the UDP port number is again 4500. When the encapsulated packet goes through the NAT device, the NAT device translates the address and port number of the packet's outer IP header and of the added UDP header.
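How a receiver on UDP port 4500 tells the two kinds of traffic apart, as an added example that is not code from the original post. It follows RFC 3948: an ISAKMP message on 4500 is prefixed with a 4-byte zero "Non-ESP Marker", while a UDP-encapsulated ESP packet starts directly with its SPI, which is never zero; the SPIs, cookies and payload bytes are constructed.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                 # one-byte keepalive that holds the NAT mapping
# ISAKMP header: SPIi, SPIr, next payload, version, exchange type, flags, msg id, length
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP-Encapsulated ESP: the ESP packet is carried as-is inside UDP/4500."""
    if spi == 0:
        raise ValueError("ESP SPI 0 is reserved; it would collide with the Non-ESP Marker")
    return struct.pack("!II", spi, seq) + esp_body


def encapsulate_isakmp(spi_i: bytes, spi_r: bytes, version: int, exchange: int,
                       flags: int, msg_id: int, body: bytes) -> bytes:
    """ISAKMP on UDP/4500: Non-ESP Marker, then the ISAKMP header and payloads."""
    length = ISAKMP_HEADER.size + len(body)
    hdr = ISAKMP_HEADER.pack(spi_i, spi_r, 0, version, exchange, flags, msg_id, length)
    return NON_ESP_MARKER + hdr + body


def demux_udp4500(payload: bytes) -> dict:
    """Classify a UDP/4500 payload the way a NAT-T receiver does."""
    if payload == NAT_KEEPALIVE:
        return {"type": "nat-keepalive"}
    if len(payload) < 8:
        raise ValueError("too short for either ESP or ISAKMP")
    if payload[:4] == NON_ESP_MARKER:
        fields = ISAKMP_HEADER.unpack_from(payload, 4)  # skip the 4-byte marker
        return {"type": "isakmp", "spi_i": fields[0].hex(), "spi_r": fields[1].hex(),
                "version": fields[3], "exchange": fields[4], "length": fields[7]}
    spi, seq = struct.unpack_from("!II", payload, 0)   # ESP: SPI then sequence number
    return {"type": "esp", "spi": spi, "seq": seq}


def demo() -> list:
    """Encapsulate one ESP packet and one IKEv1 main mode message, then demux both."""
    cky_i = bytes.fromhex("0102030405060708")  # constructed initiator cookie
    cky_r = bytes.fromhex("1112131415161718")  # constructed responder cookie
    esp = encapsulate_esp(spi=0x0A1B2C3D, seq=1, esp_body=b"<constructed ciphertext+ICV>")
    # version 0x10 = IKEv1, exchange type 2 = identity protection (main mode)
    ike = encapsulate_isakmp(cky_i, cky_r, 0x10, 2, 0, 0, b"<constructed payloads>")
    return [demux_udp4500(esp), demux_udp4500(ike), demux_udp4500(NAT_KEEPALIVE)]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```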


In the second scenario, once configuration is complete, PC_A can ping PC_B. Check the IKE and IPSec SAs on the host FW_A:

<FW_A> display ike sa

current ike sa number: 2

---------------------------------------------------------------------------

conn-id peer flag phase vpn

---------------------------------------------------------------------------

40014 2.2.2.10: 264 RD v1: 2 public

40011 2.2.2.10: 264 RD v1: 1 public

Check host FW_A session:

<FW_A> display firewall session table

Current Total Sessions: 2

 udp VPN: public --> public 2.2.2.10: 2050-->1.1.1.1: 4500

 udp VPN: public --> public 2.2.2.10: 2054-->1.1.1.1: 500

Check sub-host FW_B session:

<FW_B> display firewall session table

Current Total Sessions: 2

 udp VPN: public --> public 172.16.0.1: 4500-->1.1.1.1: 4500

 udp VPN: public --> public 172.16.0.1: 500-->1.1.1.1: 500 //at the start of the negotiation, the port number is still 500

Because source NAT translation is configured on the NAT device, the sub-host FW_B can only have sub-host-to-host sessions, not host-to-sub-host sessions.

4 IPSec and NAT for a Single Firewall

We have discussed IPSec NAT traversal, but what happens when IPSec and NAT are configured on the same firewall?

As shown in Figure 1-5, when IPSec and NAPT are configured on the sub-host FW_B at the same time, IPSec protects the traffic between the sub-host and the host, while NAPT handles the sub-host's Internet access traffic. When IPSec and NAT Server are configured on the host FW_A, IPSec protects the traffic between the host and the sub-host, while NAT Server handles Internet users' access to the host server.

Figure 1-5 IPSec and NAT for a single gateway


In principle, the IPSec and NAT traffic on the two firewalls should be entirely different and unrelated. In this case, however, the IPSec and NAT traffic overlap, and in the firewall forwarding process NAT is upstream of IPSec, so IPSec traffic is affected by NAT processing. In other words, traffic that was supposed to be sent through the IPSec tunnel is translated by NAT as soon as it matches a NAT policy; the translated traffic no longer matches the IPSec ACL and cannot enter the tunnel. If the relationship between IPSec and NAT is not ironed out at this point, all sorts of baffling problems arise.

•   On the sub-host side, sub-host users cannot reach host users. Investigation shows that the sub-host users' access traffic matched the NAT policy and therefore did not enter the IPSec tunnel.

•   On the host side, the host server cannot reach sub-host users, because the access traffic matches the NAT Server reverse Server-map table and therefore cannot enter the IPSec tunnel.

The method for solving these two problems is simple, as follows:

•   When IPSec and NAPT are on a single firewall, the requirements are as follows:

When configuring the NAT policy, add a specific policy that does not translate the addresses of IPSec traffic; this policy must have a higher priority than the other policies, and the traffic range it defines must be a subset of the other policies' ranges. In this way, IPSec traffic is excluded from NAT before any translation takes place, so its addresses are not changed and NAT has no effect on subsequent IPSec processing; traffic that must go through NAT is translated as usual according to the other policies.

Next, let's look at a NAT policy configuration script; two NAT policies, policy 1 and policy 2, are configured in the Trust-->Untrust direction:

nat-policy interzone trust untrust outbound
 policy 1 // IPSec-protected traffic must not be translated by NAT
  action no-nat
  policy source 172.16.1.0 mask 24
  policy destination 192.168.0.0 mask 24
 policy 2 // Internet access traffic is translated by NAT
  action source-nat
  policy source 172.16.1.0 mask 24
  address-group 1

•   When IPSec and NAT Server are on a single firewall, the requirements are as follows:

When configuring the NAT Server, specify the no-reverse parameter so that no reverse Server-map table is generated:

[FW_A] nat server protocol tcp global 1.1.1.1 9980 inside 192.168.0.1 80 no-reverse
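A first-match evaluator for the outbound NAT policy shown above, as an added example that is not the firewall's own code, used to check the two requirements the text states for the no-nat policy (it is evaluated before the source-nat policy, and its range is a subset of that policy's range) and to show why the order matters when the IPSec ACL is checked after NAT. The policy ids and subnets are those of the script; the contents of ACL 3000 and the pool address behind address-group 1 are not given in the post, so the values below are assumptions.

```python
import ipaddress

NAT_POLICY_TRUST_UNTRUST = [  # evaluated in order; first match wins
    {"id": 1, "action": "no-nat", "source": "172.16.1.0/24", "destination": "192.168.0.0/24"},
    {"id": 2, "action": "source-nat", "source": "172.16.1.0/24", "destination": "0.0.0.0/0",
     "address-group": ["2.2.2.10"]},  # assumed pool address for address-group 1
]
# Assumed contents of ACL 3000: sub-host LAN -> host LAN (mirrors the no-nat rule).
IPSEC_ACL_3000 = {"source": "172.16.1.0/24", "destination": "192.168.0.0/24"}


def _matches(rule: dict, src: str, dst: str) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["source"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["destination"]))


def apply_nat_policy(policies: list, src: str, dst: str) -> tuple:
    """Return (id of the matched policy or None, source address after NAT)."""
    for rule in policies:
        if _matches(rule, src, dst):
            if rule["action"] == "source-nat":
                return rule["id"], rule["address-group"][0]
            return rule["id"], src          # no-nat: address left unchanged
    return None, src


def enters_ipsec_tunnel(policies: list, src: str, dst: str) -> bool:
    """NAT is upstream of IPSec in forwarding, so the IPSec ACL sees the post-NAT packet."""
    _, nat_src = apply_nat_policy(policies, src, dst)
    return _matches(IPSEC_ACL_3000, nat_src, dst)


def no_nat_rule_is_safe(policies: list) -> bool:
    """Check the text's requirements: each no-nat rule precedes, and is a subset of,
    every source-nat rule whose match range overlaps it."""
    nets = lambda r: (ipaddress.ip_network(r["source"]), ipaddress.ip_network(r["destination"]))
    for i, rule in enumerate(policies):
        if rule["action"] != "no-nat":
            continue
        s, d = nets(rule)
        for j, other in enumerate(policies):
            if other["action"] != "source-nat":
                continue
            os_, od = nets(other)
            if not (s.overlaps(os_) and d.overlaps(od)):
                continue
            if j < i or not (s.subnet_of(os_) and d.subnet_of(od)):
                return False
    return True


if __name__ == "__main__":
    for order in (NAT_POLICY_TRUST_UNTRUST, list(reversed(NAT_POLICY_TRUST_UNTRUST))):
        print([r["id"] for r in order], no_nat_rule_is_safe(order),
              enters_ipsec_tunnel(order, "172.16.1.10", "192.168.0.10"))
```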

The key to understanding the issues above is understanding the firewall forwarding process. That process is very complicated, and here we have only scratched the surface.

user_2790689
Created Aug 19, 2015 02:27:03

Thank you.