Nat Traversal - D-Link NetDefend DFL-210 User Manual

9.2.1. IPsec Basics

9.2.1.5. NAT Traversal

Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not
designed to work through NATs and because of this, a technique called "NAT traversal" has
evolved. NAT traversal is an add-on to the IKE and IPsec protocols that allows them to function
when being NATed. NetDefendOS supports the RFC3947 standard for NAT-Traversal with IKE.
NAT traversal is divided into two parts:
• Additions to IKE that lets IPsec peers tell each other that they support NAT traversal, and the
specific versions supported. NetDefendOS supports the RFC3947 standard for NAT-Traversal
with IKE.
• Changes to the ESP encapsulation. If NAT traversal is used, ESP is encapsulated in UDP, which
allows for more flexible NATing.
Below is a more detailed description of the changes made to the IKE and IPsec protocols.
NAT traversal is only used if both ends has support for it. For this purpose, NAT traversal aware
VPNs send out a special "vendor ID", telling the other end that it understand NAT traversal, and
which specific versions of the draft it supports.
NAT detection: Both IPsec peers send hashes of their own IP addresses along with the source UDP
port used in the IKE negotiations. This information is used to see whether the IP address and source
port each peer uses is the same as what the other peer sees. If the source address and port have not
changed, then the traffic has not been NATed along the way, and NAT traversal is not necessary. If
the source address and/or port has changed, then the traffic has been NATed, and NAT traversal is
used.
Once the IPsec peers have decided that NAT traversal is necessary, the IKE negotiation is moved
away from UDP port 500 to port 4500. This is necessary since certain NAT devices treat UDP pack-
et to port 500 differently from other UDP packets in an effort to work around the NAT problems
with IKE. The problem is that this special handling of IKE packets may in fact break the IKE nego-
tiations,which is why the UDP port used by IKE has changed.
Another problem NAT traversal resolves is that the ESP protocol is an IP protocol. There is no port
information like in TCP and UDP, which makes it impossible to have more than one NATed client
connected to the same remote gateway and the same time. Because of this, ESP packets are encapsu-
lated in UDP. The ESP-UDP traffic is sent on port 4500, the same port as IKE when NAT traversal
is used. Once the port has been changed all following IKE communications are done over port 4500.
Keepalive packets are also being sent periodically to keep the NAT mapping alive.
NAT Traversal Configuration
Most NAT traversal functionality is completely automatic and in the initiating firewall no special
configuration is needed. However for responding firewalls two points should be noted:
• On responding firewalls, the Remote Gateway field is used as a filter on the source IP of re-
ceived IKE packets. This should be set to allow the NATed IP address of the initiator.
• When individual pre-shared keys are used with multiple tunnels connecting to one remote fire-
wall which are then NATed out through the same address, it is important to make sure the Local
ID is unique for every tunnel. The Local ID can be one of
• Auto - The local ID is taken as the IP address of the outgoing interface. This is the recom-
mended setting unless, in an unlikely event, the two firewalls have the same external IP ad-
dress.
• IP - An IP address can be manually entered
Chapter 9. Virtual Private Networks
191