
Question about IPSec and NAT




Hi all.

I'm looking at the problem of using NAT with IPSec and at the existing solutions (implemented or draft versions). I've found some of the problems regarding IKE/NAT and IPSec/NAT, but I have some trouble when I want to check whether a solution really answers all the problems. I think this comes from an unclear understanding of the IKE-NAT-T draft.

Here are my problems :
	- IKE/NAT implies using floated ports. In the IKE-nat-t draft it is specified to use UDP port 500 for NAT detection and then to use port 4500. When passing through the NAT, port 4500 will be translated into port X. Is it this port that will be used in future IPSec exchanges?
	- The ike-nat-t draft doesn't appear to solve the problem of multiple IPSec clients trying to connect to the same IPSec gateway. Am I right?
	- If the equipment that performs the NAT function doesn't translate UDP port 500 packets, we still have the problem of traditional IKE with NAT. Must we always set the default IKE port to a value other than 500 to prevent NAT problems? A little bit strange!



For the first point I think that I must have the following exchanges.
Is this correct?

====================================================================================
	A					NAT				B

- NAT Detection Using IKE nat-t --------------------------------------------------------------

SRC(@A,500);D(@B,500)
--------------------->				
								SRC(@N,N1);D(@B,500)
								--------------------->
								SRC(@B,500);D(@N,N1)
								<---------------------		
SRC(@B,500);D(@A,500)
<---------------------

- IKE nat-t continuation after NAT discovery ------------------------------------------------

SRC(@A,4500);D(@B,4500)
--------------------->
								SRC(@N,X);D(@B,4500)
								--------------------->
								SRC(@B,4500);D(@N,X)
								<---------------------		
SRC(@B,4500);D(@A,4500)
<---------------------


- IPSec exchange ------------------------------------------------------------------------------

IP(@A,@B)-UDP(4500,4500)-ESP
--------------------->
								IP(@N,@B)-UDP(X,4500)-ESP
								--------------------->
								IP(@B,@N)-UDP(4500,X)-ESP
								<---------------------		
IP(@B,@A)-UDP(4500,4500)-ESP
<---------------------


Where IP is the IP Header with IP(SRC Addr, Dest Addr)
And UDP is the UDP header with UDP(SRC Port, DST Port)


The NAT will retain the following information about the translation:
During NAT detection:
	(@A,500) is translated into (@N,N1)

During the final IKE negotiation and IPSec (according to draft-ietf-ipsec-udp-encaps-06.txt):
	(@A,4500) is translated into (@N,X)

====================================================================================



Many thanks.



Jacky Buyck
R&D Engineer - Intranet Security Services
Tel : +33 2 31 75 93 61
Fax : +33 2 31 75 06 31
France Telecom R&D - DMI/SIR
42 Rue des Coutures - BP 6243 - 14066 Caen Cedex 4 - France
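The following is an added simulation, not code from the original post or from any IPsec implementation. It walks two clients behind the same NAT through the "IKE nat-t continuation" and "IPSec exchange" steps of the diagram above, using the UDP 4500 packet layout of draft-ietf-ipsec-udp-encaps (later RFC 3948): an IKE message on port 4500 is prefixed with a four-byte zero "non-ESP marker", while ESP follows the UDP header directly and its SPI is never zero, so a receiver can tell the two apart. Addresses, port numbers, SPIs and the toy IKE payloads are all made up for the simulation. What it shows is that the gateway keys the peer on the (address, port) it observes after translation, i.e. (@N, X), and that the same UDP mapping created by IKE on 4500 carries the ESP traffic, so a second client behind the same NAT simply gets a second outside port and its own SPIs.

```python
"""Simulate IKE + ESP in UDP encapsulation (port 4500) crossing a port-translating NAT.
Constructed example: hosts, ports, SPIs and payload contents are invented."""
from __future__ import annotations
from dataclasses import dataclass
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # marks an IKE message on UDP 4500

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def encap_ike(ike_msg: bytes) -> bytes:
    """IKE over UDP 4500: non-ESP marker, then the IKE message."""
    return NON_ESP_MARKER + ike_msg

def encap_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP over UDP 4500: ESP header (SPI, sequence number), then the rest of the packet."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved: it would look like the non-ESP marker")
    return struct.pack("!II", spi, seq) + body

def classify(payload: bytes) -> str:
    """Demultiplex a UDP 4500 datagram the way a NAT-T receiver does."""
    if payload == b"\xff":          # one-byte NAT keepalive
        return "keepalive"
    if len(payload) < 8:
        return "invalid"
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"

class Nat:
    """NAPT box: one outside port per (inside address, inside port) flow."""
    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out: dict[tuple[str, int], int] = {}
        self.back: dict[int, tuple[str, int]] = {}
    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.out:             # new flow: allocate outside port X
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], p.dst, p.dport, p.payload)
    def inbound(self, p: Packet) -> Packet | None:
        if p.dport not in self.back:        # nothing opened this port: dropped
            return None
        ip, port = self.back[p.dport]
        return Packet(p.src, p.sport, ip, port, p.payload)

class Gateway:
    """IPsec gateway B: peers are keyed on the post-NAT (address, port) it sees."""
    def __init__(self, ip: str):
        self.ip = ip
        self.peer_by_spi: dict[int, tuple[str, int]] = {}   # B's inbound SPI -> peer
        self.peer_spi: dict[tuple[str, int], int] = {}      # peer -> peer's inbound SPI
    def handle(self, p: Packet) -> Packet | None:
        kind = classify(p.payload)
        peer = (p.src, p.sport)                              # (@N, X), not (@A, 4500)
        if kind == "ike":
            # toy IKE: client announces its inbound SPI; B allocates its own and echoes it
            client_spi = struct.unpack("!I", p.payload[-4:])[0]
            my_spi = 0x1000 + len(self.peer_by_spi)
            self.peer_by_spi[my_spi] = peer
            self.peer_spi[peer] = client_spi
            reply = encap_ike(b"IKE reply " + struct.pack("!I", my_spi))
        elif kind == "esp":
            spi = struct.unpack("!I", p.payload[:4])[0]
            if self.peer_by_spi.get(spi) != peer:           # SPI must match the learned peer
                return None
            reply = encap_esp(self.peer_spi[peer], 1, b"ESP reply")
        else:
            return None
        return Packet(self.ip, NAT_T_PORT, p.src, p.sport, reply)   # reply to observed port

def run_scenario() -> dict[str, dict]:
    """Two clients behind one NAT each do IKE on 4500, then send ESP on the same mapping."""
    nat, b, results = Nat("203.0.113.1"), Gateway("198.51.100.7"), {}
    for name, ip, spi in (("A1", "10.0.0.11", 0xA1), ("A2", "10.0.0.12", 0xA2)):
        ike = Packet(ip, NAT_T_PORT, b.ip, NAT_T_PORT, encap_ike(b"IKE " + struct.pack("!I", spi)))
        ike_wire = nat.outbound(ike)                     # SRC(@N,X);D(@B,4500)
        ike_reply = b.handle(ike_wire)                   # SRC(@B,4500);D(@N,X)
        ike_in = nat.inbound(ike_reply)                  # SRC(@B,4500);D(@A,4500)
        gw_spi = struct.unpack("!I", ike_in.payload[-4:])[0]
        esp = Packet(ip, NAT_T_PORT, b.ip, NAT_T_PORT, encap_esp(gw_spi, 1, b"data"))
        esp_wire = nat.outbound(esp)                     # IP(@N,@B)-UDP(X,4500)-ESP
        esp_in = nat.inbound(b.handle(esp_wire))         # IP(@B,@A)-UDP(4500,4500)-ESP
        results[name] = {"x": ike_wire.sport, "reply_to": (ike_reply.dst, ike_reply.dport),
                         "ike_delivered_to": (ike_in.dst, ike_in.dport), "esp_port": esp_wire.sport,
                         "esp_delivered_to": (esp_in.dst, esp_in.dport),
                         "esp_reply_spi": struct.unpack("!I", esp_in.payload[:4])[0]}
    return results

if __name__ == "__main__":
    for name, r in run_scenario().items():
        print(name, r)
```

Note the two checks the simulation makes visible: the gateway never sees port 4500 from the client side, only the NAT's port X, and it must send both IKE and ESP back to that port; and the NAT only forwards the gateway's replies because the client's outbound IKE on 4500 created the mapping first. A NAT that times the mapping out between IKE and ESP would drop the ESP reply, which is what the keepalive byte exists for.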