Home Page

Firewalls

Email & Spam

Security Terminology

Security Topics

VPN & Cryptography

Wireless

 

 

 

VPN Terminology

VPN Tutorial Guide

3DES

AES

Aggressive Mode

Authentication Header

Asymmetric Encryption

Authentication

Certification Authority

Data Integrity

DES

Diffie-Hellman

Digital Certificate

Dynamic IP addresses

Encryption

ESP

IKE Oakley & ISAKMP

IPSec

IPSec Quick Mode

L2TP

Main Mode

MD5

NAT-T

PFS

PKI

Policy-vs-Route-VPN

PPTP

Pre-Shared Key

Remote Access User

RSA

Security Association

Sha-1

Site to Site VPN

SSL VPN

Transform Sets

Tunnel mode and Transport mode

VPN client tunneling option

VPN Topologies

VPN Tunnel

 

Security Products Guide

Which Anti-Virus Software?

Which Firewall?

Which Spam Filter?

Which Internet Security Suite?

 

What is Guide

What is a Firewall?

What is a Virus?

What is Spam?

 

Essential Security Guides

Securing Windows XP Guide

Securing Windows Vista Guide

A Guide to Wireless Security

 

Other

Top 8 Internet Security tips

Why both, Firewall and Anti Virus?

Free or purchased security - Which one?

 

 

NAT Traversal tutorial - IPSec over NAT

 

 

NAT-T (NAT Traversal)

Nat Traversal also known as UDP encapsulation allows traffic to get to the specified destination when a device does not have a public address. This is usually the case if your ISP is doing NAT, or the external interface of your firewall is connected to a device that has NAT enabled.


As well as IPSec providing confidentiality, it also provides authenticity and integrity. Now the problem is when a NAT device does it’s NAT translations, the embedded address of the source computer within the IP payload does not match the source address of the IKE packet as it is replaced by the address of the NAT device. This means breaking the authenticity which will cause the packet by the remote peer to be dropped. So when the NAT device alters the packet, it's integrity and authentication will fail.


Also in some cases depending on the level of encryption, the payload and in particular the headers are encrypted when using IPSec ESP mode. The NAT device can not change these encrypted headers to its own addresses, or do anything with them.

The NAT device in the middle breaks the authenticity, integrity and in some cases can not do anything at all with the packet. It is clear NAT and IPSec are incompatible with each other, and to resolve this NAT Traversal was developed. NAT Traversal adds a UDP header which encapsulates the IPSec ESP header. As this new UDP wrapper is NOT encrypted and is treated as just like a normal UDP packet, the NAT device can make the required changes and process the message, which would now circumvent the above problems. Also enabling Nat-Traversal on the gateways resolves the problem with the authenticity and integrity checks as well, as they are now aware of these changes.

During phase 1, if NAT Traversal is used, one or both peer's identify to each other that they are using NAT Traversal, then the IKE negotiations switch to using UDP port 4500. After this the data is sent and handled using IPSec over UDP, which is effectively NAT Traversal. The receiving peer first unwraps the IPSec packet from its UDP wrapper (the NAT Traversal part that occurred at the sending peer end) and then processes the traffic as a standard IPSec packet.

Three ports in particular must be open on the device that is doing NAT for your VPN to work correctly. These are UDP port 4500 (used for NAT traversal), UDP port 500 (used for IKE) and IP protocol 50 (ESP).

However the ultimate fix to this is to use a public IP address on your firewall’s external interface. This is also the recommended method, and will eliminate the use of NAT-T.

Further Reading

Wikipedia's guide to NAT-T