Apply Crypto Map Sets to Interfaces; Monitor and Maintain IPSec Tunnels; Network Address Translation in IPSec - Motorola WS5100 Series Migration Guide

3.4.8 Apply Crypto Map Sets to Interfaces

You must apply a crypto map set to each interface through which IPSec traffic will flow. Applying a
crypto map set to an interface instructs the switch to evaluate all of that interface's traffic against the
crypto map set and to use the specified policy when negotiating a connection or security association on
behalf of traffic that is to be protected by crypto (either CET or IPSec). Traffic that matches no entry in the
crypto map set is forwarded unprotected, so the set applied to an interface must cover every flow you intend to encrypt.

3.4.9 Monitor and Maintain IPSec Tunnels

New configuration changes take effect only when subsequent security associations are negotiated. If you
want the new settings to take effect immediately, you must clear the existing security associations so that
they are re-established with the changed configuration.
For manually established security associations, you must clear and reinitialize the security associations or
the changes will never take effect, because manual SAs are never renegotiated.

3.4.10 Network Address Translation in IPSec

NAT is most often used to convert private addresses into routable public addresses. With static NAT, each
private address maps to one public address. With dynamic/hide NAT (port address translation), both the IP
address and the port are mapped, allowing many privately addressed hosts to share one public IP address.
In either case the IP header checksum must be recomputed, the TCP and UDP checksums (which cover the
addresses) must be adjusted, and embedded IP addresses carried in application protocols such as FTP may
be translated. This creates a problem when NAT is applied to traffic that has already been protected by IPSec.
• The IPSec Authentication Header (AH) integrity-protects the entire IP packet, including the immutable
fields of the IP header (the source and destination addresses among them), against modification in transit.
NAT rewrites those addresses, so NAT is inherently incompatible with AH.
• The IPSec Encapsulating Security Payload (ESP) encrypts the IP payload. A hide NAT must read and rewrite
the TCP and UDP ports and checksums, but it cannot do so when they are encrypted. Hence hide NAT is
incompatible with plain ESP.
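To make the AH point concrete, here is an added Python example (not code from the Motorola guide) that models the AH integrity check over an IPv4 header. The fields AH classifies as mutable (TOS, flags/fragment offset, TTL, header checksum) are zeroed before the ICV is computed, so an ordinary router hop that decrements the TTL still verifies, while a NAT that rewrites the source address does not. The SA key, the addresses and the truncated HMAC-SHA256 standing in for the AH ICV are constructed for the example; the mutable/immutable split follows RFC 4302 Appendix A.1.

```python
import hashlib
import hmac
import struct
from socket import inet_aton

# Constructed SA key for the example; a real AH SA key is derived by IKE.
AH_KEY = b"constructed-ah-sa-key"


def ipv4_checksum(hdr):
    """Standard IP header checksum: one's-complement sum of the ten 16-bit words."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(hdr):
    """Recompute and write the header checksum (bytes 10-11)."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src, dst, ttl=64, total_len=64, ident=0x1234, proto=51):
    """Build a 20-byte IPv4 header; protocol 51 is AH. DF is set, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return set_checksum(hdr)


def ah_immutable_view(hdr):
    """Zero the fields AH treats as mutable (RFC 4302 A.1) before hashing:
    TOS (byte 1), flags/fragment offset (6-7), TTL (8), checksum (10-11).
    Version/IHL, length, ID, protocol and both addresses stay covered."""
    return (hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00"
            + hdr[9:10] + b"\x00\x00" + hdr[12:20])


def ah_icv(hdr, key=AH_KEY):
    """Truncated HMAC over the immutable view, standing in for the AH ICV."""
    return hmac.new(key, ah_immutable_view(hdr), hashlib.sha256).digest()[:16]


def ah_verify(hdr, icv, key=AH_KEY):
    return hmac.compare_digest(ah_icv(hdr, key), icv)


def router_hop(hdr):
    """What every router does in transit: decrement TTL and fix the checksum."""
    return set_checksum(hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:])


def nat_rewrite_source(hdr, public_src):
    """What a NAT does: replace the private source address and fix the checksum."""
    return set_checksum(hdr[:12] + inet_aton(public_src) + hdr[16:])


def demo():
    """Return whether the ICV still verifies after each kind of in-path change."""
    hdr = build_ipv4_header("10.0.0.5", "203.0.113.7")
    icv = ah_icv(hdr)
    return {
        "unmodified": ah_verify(hdr, icv),
        "after_router_hop": ah_verify(router_hop(hdr), icv),
        "after_nat": ah_verify(nat_rewrite_source(hdr, "198.51.100.1"), icv),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} ICV {'verifies' if ok else 'FAILS'}")
```

The NAT in this model does everything a real one does (rewrites the address and produces a valid IP checksum), and the receiver still rejects the packet: the source address is inside the data AH authenticates, so there is no rewrite a NAT could perform that keeps the ICV valid.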
The solution to this problem is UDP encapsulation. In this approach the IPSec packet is encapsulated in a
UDP/IP header, which gives the NAT an unencrypted UDP header to translate. This works for IPSec ESP only;
AH remains incompatible because its integrity check still covers the IP addresses. UDP-encapsulated ESP
packets are exchanged between IKE peers, and both peers must support the same method of UDP ESP
encapsulation. IKE peers exchange a known value during negotiation to determine whether they both support
NAT traversal (UDP encapsulation). If the IKE peers agree, they use IKE probes or discovery payloads to
determine whether NAT is being applied at some point between them. UDP encapsulation is used only when
both peers agree and a NAT is actually detected; otherwise ESP is sent unencapsulated.
IKE peers communicate over UDP port 500, and in the scheme described here UDP-encapsulated ESP uses
the same port. Sharing one port ensures that IKE and UDP-encapsulated ESP packets are subjected to the
same mid-stream address translation. The sender indicates that an encapsulated packet follows by setting
the first 8 bytes of the UDP payload to zero. These bytes overlap the IKE initiator cookie field, for which zero
is an invalid value, so implementations can use them to discriminate between IKE and UDP-encapsulated ESP
arriving on port 500. Only peers that have agreed to NAT traversal ever send UDP-encapsulated ESP packets,
so a peer that did not negotiate it never has to parse them. Note that the standardized form of NAT traversal
(RFC 3947 and RFC 3948) instead moves both IKE and encapsulated ESP to UDP port 4500 and marks ESP with a
4-byte zero non-ESP marker; confirm which variant the switch and its peers implement before expecting them
to interoperate.
In hide NAT, a private IP address and source port are temporarily bound to the shared public IP address and
an unused public port. A timeout dissolves this binding after seconds or minutes of inactivity, enabling reuse
of the hide NAT port pool.
IPSec VPNs protect traffic exchanged between mutually authenticated endpoints. For NAT traversal to work,
the endpoints cannot be dynamically remapped mid-session: once the binding expires, the next packet is
assigned a different public port and no longer reaches the peer's existing SA. To preserve the dynamic NAT
binding for the life of an IPSec session, a one-byte UDP "keepalive" is sent during idle periods at an interval
shorter than the NAT's inactivity timeout.
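The port-500 demultiplexing and the keepalive behaviour described above, as one added Python example that is not part of the Motorola guide. It classifies a UDP/500 payload as IKE, UDP-encapsulated ESP (8 zero bytes, as this page describes) or keepalive, parses the header that follows, and models a hide NAT whose bindings expire after an idle timeout, showing that a session survives a long idle period only when keepalives are sent more often than the timeout. The sample datagrams, addresses, timeouts and port pool are constructed; the one-byte 0xFF keepalive payload is the RFC 3948 value and is an assumption for the draft-style scheme on this page.

```python
import struct

IKE_PORT = 500                 # shared by IKE and, in this scheme, encapsulated ESP
NON_ESP_MARKER = b"\x00" * 8   # 8 zero bytes: never a valid IKE initiator cookie
ISAKMP_HEADER_LEN = 28
KEEPALIVE = b"\xff"            # assumed one-byte keepalive payload (RFC 3948 uses 0xFF)


def classify_datagram(payload):
    """Classify a UDP payload received on port 500 as 'ike', 'esp' or 'keepalive'."""
    if payload == KEEPALIVE:
        return "keepalive"
    if len(payload) >= 16 and payload[:8] == NON_ESP_MARKER:
        return "esp"           # marker followed by at least the ESP SPI and sequence number
    if len(payload) >= ISAKMP_HEADER_LEN:
        return "ike"
    raise ValueError("runt datagram on port 500: %d bytes" % len(payload))


def parse_encapsulated_esp(payload):
    """Strip the 8-byte marker; return (spi, seq, remainder) from the ESP header."""
    spi, seq = struct.unpack("!II", payload[8:16])
    return spi, seq, payload[16:]


def parse_ike_header(payload):
    """Decode the fixed 28-byte ISAKMP header and reject a zero initiator cookie."""
    (icookie, rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", payload[:ISAKMP_HEADER_LEN])
    if icookie == NON_ESP_MARKER:
        raise ValueError("zero initiator cookie is invalid for IKE")
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
            "version": version, "exchange_type": exch_type, "flags": flags,
            "message_id": msg_id, "length": length}


class HideNat:
    """Toy hide/PAT table: (private ip, port) -> public port, expiring after idle_timeout."""

    def __init__(self, public_ip, idle_timeout, first_port=20000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.bindings = {}     # (private_ip, private_port) -> [public_port, last_seen]

    def translate(self, private_ip, private_port, now):
        key = (private_ip, private_port)
        entry = self.bindings.get(key)
        if entry is not None and now - entry[1] <= self.idle_timeout:
            entry[1] = now                      # any outbound packet refreshes the binding
            return self.public_ip, entry[0]
        public_port = self.next_port            # expired or new: allocate a fresh port
        self.next_port += 1
        self.bindings[key] = [public_port, now]
        return self.public_ip, public_port


def binding_survives_idle(keepalive_interval, idle_seconds=90, nat_timeout=30):
    """Does the peer still see the same public port after an idle period?
    keepalive_interval=0 means no keepalives are sent."""
    nat = HideNat("198.51.100.1", nat_timeout)
    private = ("10.0.0.5", IKE_PORT)
    first = nat.translate(*private, now=0)      # IKE negotiation creates the binding
    t = 0
    if keepalive_interval:
        while t + keepalive_interval < idle_seconds:
            t += keepalive_interval
            nat.translate(*private, now=t)      # keepalive datagram refreshes the binding
    return nat.translate(*private, now=idle_seconds) == first


# Constructed sample datagrams as they would arrive on UDP/500.
SAMPLE_ESP = NON_ESP_MARKER + struct.pack("!II", 0xA5F0, 7) + b"\x11" * 32
SAMPLE_IKE = struct.pack("!8s8sBBBBII", b"\x6b\x8a\x91\x02\xa3\x44\xf0\x19",
                         b"\x00" * 8, 1, 0x10, 2, 0, 0, ISAKMP_HEADER_LEN)

if __name__ == "__main__":
    for name, pkt in (("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE), ("ka", KEEPALIVE)):
        print(name, "->", classify_datagram(pkt))
    print("keepalive every 20s:", binding_survives_idle(20))
    print("no keepalive:       ", binding_survives_idle(0))
```

The demultiplexer never has to guess: the marker check is exact, and anything that would collide with it (an IKE message with a zero initiator cookie) is already invalid and rejected in the IKE parser. The keepalive model shows why the interval has to be shorter than the NAT's timeout and not merely "frequent".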