Nat Traversal; The Esp Protocol - D-Link NetDefend DFL-210 User Manual
Network security firewall ver 2.26.01
Hide thumbs
Also See for NetDefend DFL-210:
- Log reference manual (476 pages) ,
- User manual (469 pages) ,
- Cli reference manual (213 pages)
Table of Contents
Advertisement
9.3.5. NAT Traversal
AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC
is then transmitted with the packet, allowing the remote endpoint to verify the integrity of the
original IP packet, making sure the data has not been tampered with on its way through the Internet.
Apart from the IP packet data, AH also authenticates parts of the IP header.
The AH protocol inserts an AH header after the original IP header. In tunnel mode, the AH header is
inserted after the outer header, but before the original, inner IP header.
ESP (Encapsulating Security Payload)
The ESP protocol inserts an ESP header after the original IP header, in tunnel mode, the ESP header
is inserted after the outer header, but before the original, inner IP header.
All data after the ESP header is encrypted and/or authenticated. The difference from AH is that ESP
also provides encryption of the IP packet. The authentication phase also differs in that ESP only
authenticates the data after the ESP header; thus the outer IP header is left unprotected.
The ESP protocol is used for both encryption and authentication of the IP packet. It can also be used
to do either encryption only, or authentication only.
Figure 9.2. The ESP protocol
9.3.5. NAT Traversal
Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not
designed to work through NATs and because of this, a technique called "NAT traversal" has
evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function
when being NATed. NetDefendOS supports the RFC3947 standard for NAT-Traversal with IKE.
NAT traversal is divided into two parts:
•
Additions to IKE that lets IPsec peers tell each other that they support NAT traversal, and the
specific versions supported. NetDefendOS supports the RFC3947 standard for NAT-Traversal
with IKE.
•
Changes to the ESP encapsulation. If NAT traversal is used, ESP is encapsulated in UDP, which
allows for more flexible NATing.
Below is a more detailed description of the changes made to the IKE and IPsec protocols.
NAT traversal is only used if both ends have support for it. For this purpose, NAT traversal aware
VPNs send out a special "vendor ID" to tell the other end of the tunnel that it understands NAT
traversal, and which specific versions of the draft it supports.
359
Chapter 9. VPN
Advertisement
Table of Contents
Troubleshooting
