Table of Contents
Advertisement
• Aggressive Mode is quicker than Main Mode because it eliminates several steps when the
communicating parties are negotiating authentication (phase 1). However the trade-off is that faster
speed limits its negotiating power and it also does not provide identity protection. It is useful in remote
access situations where the address of the initiator is not know by the responder and both parties
want to use pre-shared key authentication.
10.9.5 IPsec and NAT
Read this section if you are running IPsec on a host computer behind the SBG.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPsec VPN using the AH
protocol digitally signs the outbound packet, both data payload and headers, with a hash value
appended to the packet. When using AH protocol, packet contents (the data payload) are not
encrypted.
A NAT device in between the IPsec endpoints will rewrite either the source or destination address with
one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming
packet by computing its own hash value, and complain that the hash value appended to the received
packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle,
so it assumes that the data has been maliciously altered.
IPsec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP
packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and
its destination address is the inbound address of the VPN device at the receiving end. When using ESP
protocol with authentication, the packet contents (in this case, the entire original packet) are
encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended
to the packet.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed
over the combination of the "original header plus original payload," which is unchanged by a NAT
device.
Transport mode ESP with authentication is not compatible with NAT.
Table 81 VPN and NAT
SECURITY PROTOCOL
AH
AH
ESP
ESP
10.9.6 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPsec VPN using the AH
protocol digitally signs the outbound packet, both data payload and headers, with a hash value
appended to the packet, but a NAT device between the IPsec endpoints rewrites the source or
destination address. As a result, the VPN device at the receiving end finds a mismatch between the
hash value and the data and assumes that the data has been maliciously altered.
NAT is not normally compatible with ESP in transport mode either, but the SBG's NAT Traversal feature
provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers
between the two IPsec routers.
Chapter 10 VPN
MODE
NAT
Transport
N
Tunnel
N
Transport
N
Tunnel
Y
SBG5500/3310 Series User's Guide
190
Advertisement
Table of Contents
Troubleshooting
