Re: Ipsec L2L and NAT-T

From: pankaj ahuja (networksecurityconsultant@gmail.com)
Date: Thu May 24 2007 - 06:00:28 ART


Hello All,

This is my first post for the group. It looks like there is some confusion
going on regarding NAT Traversal. Here is an explanation as per my
understanding, based on my 22 months' experience working as a Cisco TAC engineer
for the VPN team:

UDP 500 is what is used for IKE phase 1 negotiation. Let's assume that we're
trying to build a LAN-to-LAN tunnel between 2 Cisco devices and we have a
NAT device sitting in line somewhere in between. Now when the negotiation
begins, the receiving end peer verifies whether the IP address mentioned in the
packet is the same as the source IP of the packet received, which obviously
will be different in case the packet was NATted along the path. So until now
NAT broke IPsec functionality, and that's where NAT-T comes into the
picture.

If both devices are configured to use NAT-T, then they choose to use NAT-T.
Now NAT-T simply encapsulates their packets with another UDP header which is
destined for port 4500. This helps because now when the encapsulated packet goes
through the NAT device, the source IP of the outer encapsulation changes to
the NAT IP, whereas the source IP of the actual packet is still the same IP;
thus when the receiving end verifies the IP mentioned in the content of the
packet against the source of the packet, it will match this time.

The receiving end knows because both ends had negotiated to use NAT-T, and thus
when it receives the packet it decapsulates the outer header of the packet
to retrieve the original packet. This way the exchanges occur without
breaking the IPsec functionality.

Please feel free to ask any questions or doubts you may have, and also let me
know if you have anything to add to this.

Pankaj

CCIE Security (Written)
Now will start preparing for LAB.
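Added example, not part of Pankaj's post or of any Cisco code: a small Python model of the UDP port 4500 encapsulation the post describes (RFC 3948 style). It builds a constructed "inner" ESP or IKE message, wraps it in an outer UDP/4500 header, lets a modelled NAT device rewrite only the outer source address and port, and shows the receiver stripping the outer header and getting the inner bytes back unchanged. The demultiplexing rule (IKE on port 4500 is prefixed with a 4-byte zero "non-ESP marker", ESP is recognised because a real SPI is never zero) comes from RFC 3948; the packet class, function names and all addresses are assumptions made for this example.

```python
"""Model of NAT-T UDP encapsulation (added example; constructed data only)."""
import struct
from dataclasses import dataclass

NAT_T_PORT = 4500
# RFC 3948 section 2.2: IKE carried on UDP 4500 is prefixed with four zero
# bytes so the receiver can tell it apart from ESP, whose SPI is never 0.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class Packet:
    """Outer IP/UDP header fields plus the UDP payload (assumed model)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed ESP message: SPI, sequence number, opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def encapsulate_esp(src_ip: str, dst_ip: str, esp: bytes) -> Packet:
    """Wrap ESP in UDP/4500; the payload starts directly with the ESP header."""
    (spi,) = struct.unpack("!I", esp[:4])
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return Packet(src_ip, dst_ip, NAT_T_PORT, NAT_T_PORT, esp)


def encapsulate_ike(src_ip: str, dst_ip: str, ike: bytes) -> Packet:
    """Wrap an IKE message in UDP/4500 with the non-ESP marker in front."""
    return Packet(src_ip, dst_ip, NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + ike)


def nat_rewrite(pkt: Packet, public_ip: str, public_port: int) -> Packet:
    """Model a NAT device: only the outer source IP/port change, payload untouched."""
    return Packet(public_ip, pkt.dst_ip, public_port, pkt.dst_port, pkt.payload)


def decapsulate(pkt: Packet) -> tuple[str, bytes]:
    """Receiver side: strip the outer UDP header and classify the inner message."""
    if pkt.dst_port != NAT_T_PORT:
        raise ValueError("not a NAT-T packet")
    if pkt.payload[:4] == NON_ESP_MARKER:
        return "ike", pkt.payload[4:]
    return "esp", pkt.payload


def round_trip(kind: str, inner: bytes) -> tuple[Packet, Packet, tuple[str, bytes]]:
    """Send from a private peer through a NAT to a public peer and decapsulate.
    Returns (packet as sent, packet as seen after NAT, receiver's result)."""
    private_ip, public_ip, peer_ip = "10.0.0.2", "203.0.113.7", "198.51.100.9"  # constructed
    if kind == "esp":
        sent = encapsulate_esp(private_ip, peer_ip, inner)
    else:
        sent = encapsulate_ike(private_ip, peer_ip, inner)
    after_nat = nat_rewrite(sent, public_ip, 61234)  # constructed public port
    return sent, after_nat, decapsulate(after_nat)


if __name__ == "__main__":
    esp = build_esp(spi=0x1234ABCD, seq=1, ciphertext=b"\xde\xad\xbe\xef")
    sent, seen, result = round_trip("esp", esp)
    print("outer src before NAT:", sent.src_ip, sent.src_port)
    print("outer src after NAT: ", seen.src_ip, seen.src_port)
    print("receiver got:", result[0], "inner unchanged:", result[1] == esp)
```

The point the model makes visible is the one in the post: the NAT only touches the outer header, so whatever the peers carry inside (the ESP packet, or the IKE message with its identities) arrives exactly as it was sent, and the receiver knows to strip the outer UDP header because NAT-T was negotiated. The SPI 0 check shows why the zero marker can safely distinguish IKE from ESP on the same port.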



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:22 ART