Ike Integrity & Authentication - D-Link DFL-1600 User Manual

Network security firewall
22.1. IPsec
219
address and source port each peer uses is the same as what the other peer
sees. If the source address and port have not changed, then the traffic has
not been NATed along the way, and NAT traversal is not necessary. If the
source address and/or port has changed, then the traffic has been NATed,
and NAT traversal is used.
Once the IPsec peers have decided that NAT traversal is necessary, the IKE
negotiation is moved away from UDP port 500 to port 4500. This is
necessary since certain NAT devices treat UDP packets to port 500
differently from other UDP packets in an effort to work around the NAT
problems with IKE. The problem is that this special handling of IKE
packets may in fact break the IKE negotiation, which is why the UDP
port used by IKE is changed.
Another problem NAT traversal resolves concerns the ESP protocol. ESP is
an IP protocol in its own right and carries no port information as TCP and
UDP do, which makes it impossible for a NAT to distinguish the flows of
more than one NATed client connected to the same remote gateway at the
same time. To solve this problem, ESP packets are encapsulated in UDP. The
ESP-in-UDP traffic is sent on port 4500, the same port IKE uses once NAT
traversal is in effect. After the port switch, all subsequent IKE
communication is done over port 4500. Keep-alive packets are also sent
periodically so that the NAT mapping does not expire while the tunnel is
idle.
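The two mechanisms described above, NAT discovery and the port 4500 framing that follows it, can be seen end to end in the following added example. It is not code from the D-Link manual or firmware; it follows the IETF wire formats that NAT traversal interoperates with (RFC 3947 for NAT-D hashes, RFC 3948 for UDP-encapsulated ESP, the non-ESP marker and the one-byte keepalive). The IKE cookies, addresses and ports are constructed, and SHA-1 is assumed as the hash negotiated in phase 1.

```python
"""Simulation of IKE NAT traversal detection and UDP/4500 framing.

Added example, not part of the manual. Wire formats follow RFC 3947 and
RFC 3948; sample cookies, addresses and ports are constructed.
"""
import hashlib
import ipaddress
import struct

# RFC 3947: each peer sends a NAT-D payload for the address/port it believes
# it is using, HASH(CKY-I | CKY-R | IP | Port). The receiver recomputes the
# hash over the source it actually observed on the packet; a mismatch means
# a NAT rewrote the header on the way. The hash algorithm is the one
# negotiated in phase 1; SHA-1 is assumed here.
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    h = hashlib.new(algo)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)  # 4 bytes for IPv4, 16 for IPv6
    h.update(struct.pack("!H", port))          # port in network byte order
    return h.digest()


def peer_behind_nat(cky_i: bytes, cky_r: bytes, received_nat_d: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """True if the sender's claimed address/port differs from what we saw."""
    return received_nat_d != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


# RFC 3948 framing on UDP port 4500. IKE packets carry a 4-byte zero marker
# so the receiver can tell them apart from ESP, whose first field (the SPI)
# is never zero. A NAT keepalive is a single 0xFF byte.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """Build the ESP header (SPI, sequence number) followed by the ESP body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved and would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def classify_port_4500(payload: bytes):
    """Demultiplex a UDP/4500 payload into ('keepalive'|'ike'|'esp', detail)."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:
            return ("esp", (spi, seq))
    raise ValueError("malformed UDP/4500 payload")


def simulate() -> dict:
    """Walk through NAT detection for one initiator/responder pair."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie

    # Initiator sits at 10.0.0.5:500 behind a NAT that rewrites the source
    # to 203.0.113.7:41000 (constructed). It hashes the address it knows.
    initiator_claims = nat_d_hash(cky_i, cky_r, "10.0.0.5", 500)
    initiator_natted = peer_behind_nat(cky_i, cky_r, initiator_claims, "203.0.113.7", 41000)

    # Responder is on a public address (constructed); nothing rewrites it.
    responder_claims = nat_d_hash(cky_i, cky_r, "198.51.100.1", 500)
    responder_natted = peer_behind_nat(cky_i, cky_r, responder_claims, "198.51.100.1", 500)

    nat_t_needed = initiator_natted or responder_natted
    return {
        "initiator_natted": initiator_natted,
        "responder_natted": responder_natted,
        "nat_t_needed": nat_t_needed,
        "ike_port": 4500 if nat_t_needed else 500,  # port switch described above
    }


if __name__ == "__main__":
    print(simulate())
    print(classify_port_4500(NON_ESP_MARKER + b"ike-payload"))
    print(classify_port_4500(encapsulate_esp(0x1000, 7, b"ciphertext")))
    print(classify_port_4500(NAT_KEEPALIVE))
```

The same demultiplexing rule is what lets the gateway in the text carry IKE, ESP and keepalives on one port: the receiver never needs the NAT to understand ESP, only to forward UDP.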
22.1.4 IKE Integrity & Authentication
In the IKE negotiation phase, the authentication of the communicating
endpoints is carried out before any actual data transfer, and the integrity of
the negotiated messages must be secured by sound mathematical algorithms.
D-Link VPNs embed various methods for achieving these critical tasks:
hash functions for message integrity, and pre-shared keys or X.509 certificates
based on asymmetric encryption algorithms (e.g. RSA, DSA) for verifying
identities.
D-Link Firewalls User's Guide
