what's NAT traversal and how to work

Created: Jun 18, 2019 09:07:01Latest reply: Jun 18, 2019 09:19:35 92 2 0 0
  Rewarded Hi-coins: 0 (problem resolved)

what's NAT traversal  and how to work

  • x
  • convention:

Featured Answers
dr.wow
Official Created Jun 18, 2019 09:19:20 Helpful(1) Helpful(1)

When a NAT device is deployed between IPSec peers, NAT traversal must be enabled at both ends.
Authentication Header (AH) hashes the entire IP packet (including the IP address in the IP header) to authenticate data integrity. If NAT is deployed, the IP address changes after NAT, and the hash values will also change, causing an authentication failure. Therefore, the IPSec tunnel that uses AH cannot traverse the NAT gateway.
Encapsulating Security Payload (ESP) hashes the payload only. Therefore, IP address changes will not affect the ESP authentication. ESP is a Layer 3 protocol that has no port. Therefore, ESP cannot apply to Network Address Port Translation (NAPT). To resolve this issue, NAT traversal adds a UDP header to the ESP packet. In transport mode, a standard UDP header is inserted between the IP header of the original packet and the ESP header. In tunnel mode, a standard UDP header is inserted between the new IP header and the ESP header. When an ESP packet traverses a NAT device, the NAT device translates the IP address in the outer IP header and the port in the UDP header. The peer end of the IPSec tunnel processes the translated packet as a common IPSec packet. A UDP header is also inserted between the IP header and the ESP header of the reply packet. https://support.huawei.com/hedex/hdx.do?docid=EDOC1100068394&id=dc_cfg_ipsec_0058&text=VPN&lang=en
  • x
  • convention:

All Answers
dr.wow
dr.wow Official Created Jun 18, 2019 09:19:20 Helpful(1) Helpful(1)

When a NAT device is deployed between IPSec peers, NAT traversal must be enabled at both ends.
Authentication Header (AH) hashes the entire IP packet (including the IP address in the IP header) to authenticate data integrity. If NAT is deployed, the IP address changes after NAT, and the hash values will also change, causing an authentication failure. Therefore, the IPSec tunnel that uses AH cannot traverse the NAT gateway.
Encapsulating Security Payload (ESP) hashes the payload only. Therefore, IP address changes will not affect the ESP authentication. ESP is a Layer 3 protocol that has no port. Therefore, ESP cannot apply to Network Address Port Translation (NAPT). To resolve this issue, NAT traversal adds a UDP header to the ESP packet. In transport mode, a standard UDP header is inserted between the IP header of the original packet and the ESP header. In tunnel mode, a standard UDP header is inserted between the new IP header and the ESP header. When an ESP packet traverses a NAT device, the NAT device translates the IP address in the outer IP header and the port in the UDP header. The peer end of the IPSec tunnel processes the translated packet as a common IPSec packet. A UDP header is also inserted between the IP header and the ESP header of the reply packet. https://support.huawei.com/hedex/hdx.do?docid=EDOC1100068394&id=dc_cfg_ipsec_0058&text=VPN&lang=en
  • x
  • convention:

wissal
wissal MVE Created Jun 18, 2019 09:19:35 Helpful(0) Helpful(0)

Hello,
Nat Traversal also known as UDP encapsulation allows traffic to get to the specified destination when a device does not have a public address. This is usually the case if your ISP is doing NAT, or the external interface of your firewall is connected to a device that has NAT enabled.
The receiving peer first unwraps the IPSec packet from its UDP wrapper (the NAT Traversal part that occurred at the sending peer end) and then processes the traffic as a standard IPSec packet. Three ports in particular must be open on the device that is doing NAT for your VPN to work correctly.
Thanks
  • x
  • convention:

Telecommunications%20engineer%2C%20currently%20senior%20project%20manager%20at%20an%20operator%2C%20partner%20of%20Huawei%2C%20in%20the%20radio%20access%20network%20department%2C%20for%2020%20years%20I%20managed%20several%20types%20of%20projects%2C%20for%20the%20different%20nodes%20of%20the%20network.

Comment

Reply
You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits

Login