What is NAT Traversal in VPN IPsec?

I found this definition about NAT-T interesting and very concise: Nat Traversal also known as UDP encapsulation allows traffic to get to the specified destination when a device does not have a public address. This is usually the case if your ISP is doing NAT, or the external interface of your firewall is connected to a device that has NAT enabled.As well as IPSec providing confidentiality, it also provides authenticity and integrity. Now the problem is when a NAT device does it’s NAT translations, the embedded address of the source computer within the IP payload does not match the source address of the IKE packet as it is replaced by the address of the NAT device. This means breaking the authenticity which will cause the packet by the remote peer to be dropped. So when the NAT device alters the packet, it’s integrity and authentication will fail.Also in some cases depending on the level of encryption, the payload and in particular the headers are encrypted when using IPSec ESP mode. The NAT device can not change these encrypted headers to its own addresses, or do anything with them.The NAT device in the middle breaks the authenticity, integrity and in some cases can not do anything at all with the packet. It is clear NAT and IPSec are incompatible with each other, and to resolve this NAT Traversal was developed. NAT Traversal adds a UDP header which encapsulates the IPSec ESP header. As this new UDP wrapper is NOT encrypted and is treated as just like a normal UDP packet, the NAT device can make the required changes and process the message, which would now circumvent the above problems. Also enabling Nat-Traversal on the gateways resolves the problem with the authenticity and integrity checks as well, as they are now aware of these changes.During phase 1, if NAT Traversal is used, one or both peer’s identify to each other that they are using NAT Traversal, then the IKE negotiations switch to using UDP port 4500. After this the data is sent and handled using IPSec over UDP, which is effectively NAT Traversal. The receiving peer first unwraps the IPSec packet from its UDP wrapper (the NAT Traversal part that occurred at the sending peer end) and then processes the traffic as a standard IPSec packet.Three ports in particular must be open on the device that is doing NAT for your VPN to work correctly. These are UDP port 4500 (used for NAT traversal), UDP port 500 (used for IKE) and IP protocol 50 (ESP).

Published by:

Redouane MEDDANE

Redouane MEDDANE is Cisco Instructor CCSI #35458, 3xCCNP Collaboration, Security and Enterprise and he a published author of some of the most important OSPF Protocol, Security and Collaboration books in the world titled OSPF Demystified With RFC, Network Security All-in-one, and Dial Plan and Call Routing Demystified on CUCM. He is also a blogger at ipdemystify.com and writes articles about collaboration and security to demystify the most complex topics. His books are known for their technical depth and accuracy especially the OSPF Demystified With RFC book, which is considered as the best OSPF book in the world and named "One of the best OSPF ebooks of all time" by BookAuthority It gives you a hint at the ability to explain complex topics with remarkable ease. He worked as a Cisco Instructor and consultant indifferent Cisco Learning Partner and awarded twice as Cisco Distinguished Instructor Award and Cisco Security Instructor Excellence Award on 2018 and 2019, and Cisco Collaboration Instructor Excellence Award on 2020. The Distinguished Instructor Award recognizes the top 5% of Cisco's most influential CCSI's who provide the highest quality training experience and demonstrate the best overall instructor performance across multiple Cisco technologie and Instructor Excellence Award recognizes the top 25% of elite CCSIs being recognized for delivering top quality training and maintaining high customer satisfaction in their field of expertise.

Categories SecurityLeave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s