RE: NAT & IPSec

From: Mark Lewis (markl11@hotmail.com)
Date: Sat Jun 03 2006 - 20:08:11 ART


Hi,

>
>I am having difficult time in doing some lab based on NAT and IPsec. Could
>some one share any good document which has some scenario based on NAT and
>IPsec.
>

Hmmm....there are quite a number of issues with IPsec and NAT:

1. NAT/PAT can cause IKE negotiation initiated by IPsec peers on outside
networks to fail.

2. NAT/PAT can cause rekeying to fail when NAT/PAT is based on IKE cookies.

3. NAT/PAT can break IP address IKE identifier verification.

4. NAT/PAT can cause IPsec peers to drop ISAKMP traffic.

5. NAT/PAT causes IPsec devices to drop all AH traffic.

6. NAT/PAT devices might not translate ESP packets.

7. NAT/PAT based on SPI selection can cause ESP packets to be dropped.

8. NAT/PAT translation timeouts can cause ESP traffic to be dropped.

9. NAT/PAT can cause TCP/UDP header checksum verification to fail when
TCP/UDP traffic is transported over ESP.

10. NAT/PAT can cause applications with embedded IP addresses to fail.

11. Unintentional NAT of user packets can cause these packets not to be sent
over the IPsec tunnel.

There are a number of ways around these issues, including:

1. Configure static NAT entries to allow IPsec gateways on the outside
network to initiate IKE.

2. Use an IPsec-aware NAT/PAT device.

Cisco IOS Software Release 12.2(13)T and 12.2(15)T introduce support for ESP
through PAT on Cisco routers.

3. Use ESP tunnel mode rather than transport mode. Tunnel mode can resolve
issues with IKE identifiers and TCP/UDP checksums.

4. Use ESP rather than AH. Remember that AH is incompatible with NAT/PAT.

5. Use IPsec NAT traversal/transparency. This feature allows IPsec devices
to detect NAT/PAT devices during IKE phase 1, and encapsulate IKE/ESP
traffic in UDP (using port 4500). NAT traversal/transparency is a
comprehensive solution, and resolves issues with NAT/PAT devices not
translating ESP packets, resolves issues with TCP/UDP checksums, and
resolves the issue of IPsec peers dropping ISAKMP packets that do not use
UDP port 500.

NAT traversal/transparency is available in Cisco IOS Software Release
12.2(13)T, and is enabled by default.

6. Use keepalives or a dynamic routing protocol to ensure that dynamic
NAT/PAT translation timeouts do not cause IPsec traffic to be dropped
(assuming the keepalive/update interval is less than the NAT/PAT translation
timeout).

Alternatively, use GRE tunnel keepalives (assuming that you have configured
a GRE tunnel to carry multiprotocol and multicast traffic) or ISAKMP
keepalives to ensure that NAT/PAT translations do not time out.

Finally, you could also configure a dynamic routing protocol over a GRE/
IPsec tunnel. Because dynamic routing protocols periodically send keepalives
and/or updates, this ensures that NAT/PAT translations do not time out.

7. Perform NAT before IPsec to allow applications that use embedded IP
addresses to function correctly.

If the IPsec device is placed in front of the NAT device, or NAT is
performed on the IPsec device itself (assuming NAT processing before IPsec),
applications function correctly because NAT is also able to translate
embedded IP addresses.

8. Bypass NAT for user traffic that should be sent over an IPsec tunnel, if
appropriate.

Knowing the issues and solutions described above should allow you to put
together your own scenarios. Googling and digging through CCO for relevant
IOS commands/features should also help.

And if you do need more in-depth info on the above you can find it in
chapter 6 of my latest book, 'Comparing, Designing, and Deploying VPNs'.

HTH,

Mark

CCIE#6280 / CCSI#21051 / JNCIS#121 / etc.

Author:

www.ciscopress.com/title/1587051796

www.ciscopress.com/title/1587051044
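As an added illustration of point 5 above (NAT traversal detecting a NAT/PAT device during IKE phase 1 and moving IKE/ESP to UDP 4500), the following Python is not part of Mark's post or of any Cisco code; it models the NAT-Discovery payloads of RFC 3947 and the UDP/4500 demultiplexing of RFC 3948 on constructed addresses, cookies and packets. The hash choice (SHA-1) and every address and port below are assumptions made for the demonstration.

```python
import hashlib
import ipaddress
import struct
from typing import Tuple

Addr = Tuple[str, int]          # (IP address, UDP port)
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Body of one NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in here for whatever hash phase 1 negotiated (assumption)."""
    body = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(body).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, me: Addr, peer: Addr):
    """Sender side. Two NAT-D payloads go out: first the hash of the address the
    sender believes the *peer* has, then the hash of the sender's *own* address,
    both as the sender sees them, i.e. before any NAT on the path."""
    return nat_d_hash(cky_i, cky_r, *peer), nat_d_hash(cky_i, cky_r, *me)


def detect_nat(cky_i: bytes, cky_r: bytes, payloads, observed_src: Addr,
               observed_dst: Addr) -> Tuple[bool, bool]:
    """Receiver side. Recompute both hashes over the addresses and ports that are
    actually in the IP and UDP headers of the packet that arrived. A mismatch
    means a NAT/PAT device rewrote that side somewhere on the path.
    Returns (peer_is_behind_nat, we_are_behind_nat)."""
    claim_about_us, claim_about_peer = payloads
    peer_is_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) != claim_about_peer
    we_are_behind_nat = nat_d_hash(cky_i, cky_r, *observed_dst) != claim_about_us
    return peer_is_behind_nat, we_are_behind_nat


def wrap_for_udp4500(kind: str, payload: bytes) -> bytes:
    """Once NAT is detected, both IKE and ESP move to UDP/4500. IKE messages get
    a 4-byte zero 'non-ESP marker' in front; ESP is sent as-is, starting with
    its SPI."""
    if kind == "ike":
        return NON_ESP_MARKER + payload
    if kind == "esp":
        return payload
    raise ValueError(kind)


def classify_udp4500(udp_payload: bytes) -> str:
    """The receiver demultiplexes UDP/4500 on the first four bytes: an ESP SPI
    of zero is reserved and never assigned, so four zero bytes can only be the
    non-ESP marker of an IKE packet."""
    if len(udp_payload) < 4:
        raise ValueError("truncated UDP/4500 payload")
    return "ike" if udp_payload[:4] == NON_ESP_MARKER else "esp"


def demo(pat_in_path: bool = True) -> Tuple[bool, bool]:
    """Constructed phase-1 exchange: the initiator sits on a private LAN behind
    a PAT device; the responder has a public address and no NAT in front."""
    cky_i = bytes.fromhex("0123456789abcdef")      # constructed ISAKMP cookies
    cky_r = bytes.fromhex("fedcba9876543210")
    initiator = ("10.0.0.5", 500)
    responder = ("203.0.113.2", 500)
    # PAT rewrites both the source address and the source port of the
    # initiator's IKE packet; the responder never sees 10.0.0.5:500.
    seen_by_responder = ("198.51.100.7", 4010) if pat_in_path else initiator

    payloads = build_nat_d_payloads(cky_i, cky_r, me=initiator, peer=responder)
    return detect_nat(cky_i, cky_r, payloads,
                      observed_src=seen_by_responder, observed_dst=responder)


if __name__ == "__main__":
    peer_nat, own_nat = demo()
    print(f"initiator behind NAT: {peer_nat}, responder behind NAT: {own_nat}")
    esp = wrap_for_udp4500("esp", b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"ciphertext")
    ike = wrap_for_udp4500("ike", b"\x01" * 28)
    print(classify_udp4500(esp), classify_udp4500(ike))
```

The port in the hash is what makes PAT (not just NAT) visible: even if the address survived, a rewritten source port changes the digest, which is why the responder can tell the initiator is behind a translator and why the two peers then switch to UDP/4500 rather than keep ISAKMP on UDP/500 (issues 4 and 6 in the list above).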

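Issue 9 (TCP/UDP checksum failure over ESP) and the reason solutions 3 and 5 fix it can be seen in a few lines of code. The Python below is an added example, not from the post or from any vendor: it computes a real TCP checksum over the pseudo-header and then replays what a NAT does to an ESP transport-mode packet versus an ESP tunnel-mode packet. All hosts, gateways and the translated address are constructed values.

```python
import ipaddress
import struct

TCP_PROTO = 6


def ones_complement_checksum(data: bytes) -> int:
    """Standard Internet checksum: 16-bit ones'-complement sum, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header (source IP, destination IP,
    protocol, length) plus the segment, so the IP addresses are part of it."""
    pseudo = (ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return ones_complement_checksum(pseudo + segment)


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (seq 1, ack 0, PSH|ACK, window 65535) plus
    payload, with the checksum filled in for the given addresses."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver check: checksumming pseudo-header + segment (checksum field
    included) yields 0 when everything matches."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


HOST_A, HOST_B = "10.0.0.5", "10.2.2.9"          # constructed inner hosts
PUBLIC_B = "203.0.113.9"                         # constructed public host
GW_B = "203.0.113.2"                             # constructed remote IPsec gateway
NAT_PUBLIC = "198.51.100.7"                      # source address after PAT
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def transport_mode_through_nat(nat_t_with_original_address: bool = False) -> bool:
    """ESP transport mode, host to host: the TCP segment is inside ESP and the
    IP header is outside. The NAT rewrites the outer source address but cannot
    reach the checksum under ESP, so the receiver's verification fails."""
    segment = build_tcp_segment(HOST_A, PUBLIC_B, 40000, 443, PAYLOAD)
    outer_src_on_arrival = NAT_PUBLIC                  # rewritten by the NAT
    if nat_t_with_original_address:
        # With NAT traversal the receiver learned the pre-NAT address in IKE
        # (NAT-OA payload, RFC 3948) and verifies against the original instead.
        return tcp_checksum_ok(HOST_A, PUBLIC_B, segment)
    return tcp_checksum_ok(outer_src_on_arrival, PUBLIC_B, segment)


def tunnel_mode_through_nat() -> bool:
    """ESP tunnel mode, gateway to gateway: the whole inner IP packet is inside
    ESP. The NAT rewrites only the outer (gateway) header; after decapsulation
    the inner addresses the checksum was computed over are untouched."""
    segment = build_tcp_segment(HOST_A, HOST_B, 40000, 443, PAYLOAD)
    inner_packet = (HOST_A, HOST_B, segment)           # protected end to end
    outer_src_on_arrival = NAT_PUBLIC                  # only this changed
    inner_src, inner_dst, seg = inner_packet
    return tcp_checksum_ok(inner_src, inner_dst, seg)


if __name__ == "__main__":
    print("transport mode, NAT in path :", transport_mode_through_nat())
    print("transport mode + NAT-T      :", transport_mode_through_nat(True))
    print("tunnel mode, NAT in path    :", tunnel_mode_through_nat())
```

The same reasoning applies to UDP, whose checksum uses the same pseudo-header. An ordinary NAT fixes up transport checksums as it rewrites addresses; it cannot do so once the transport header is encrypted, which is the whole of issue 9 and the reason tunnel mode (solution 3) or NAT-T with its original-address information (solution 5) is needed for transport-mode traffic.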


This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART