How NAT-Traversal works in IPsec
In the first two packets, the peers negotiate NAT-T support.
1st message in main mode:
2nd message in main mode:
In the 3rd and 4th messages, the peers exchange NAT-D payloads carrying a hash of their IP address and port.
3rd message in main mode:
4th message in main mode:
Debug on FGT:
ike 0: comes 10.1.1.20:500->10.1.1.10:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=987e2067d9c61bc0/3954de8f43e2c2c0 len=348
ike 0: in 987E2067D9C61BC03954DE8F43E2C2C004100200000000000000015C0A000104CD2F264257D538BA3EC01D4446EB541E8923
ike 0:VPN:14: responder:main mode get 2nd message...
ike 0:VPN:14: received NAT-D payload type 20
ike 0:VPN:14: received NAT-D payload type 20
ike 0:VPN:14: NAT not detected <<-----------------------
If the hashes match, there is no NAT device in between and the peers continue to use port 500 for the remaining communication.
If there is a NAT device between the two peers:
3rd message in main mode:
4th message in main mode:
ike 0:VPN:3: received NAT-D payload type 20
ike 0:VPN:3: received NAT-D payload type 20
ike 0:VPN:3: NAT detected: ME
ike 0:VPN:3: NAT-T float port 4500
ike 0:VPN:3: ISAKMP SA d3701b9bc03e3e03/fa02fbc561fe5763 key 8:347A5B142951CC0F
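A worked model of the NAT-D comparison shown in both debug excerpts, added here as an example and not code from the original post or from FortiOS. It assumes SHA-1 as the negotiated IKE hash, reuses the cookies and addresses from the first debug excerpt, and the 203.0.113.5 and 192.168.1.20 addresses are constructed to simulate a NAT on either side.

```python
import hashlib
import ipaddress
import struct

# IKE cookies (SPIs) and addresses taken from the first debug excerpt on the page
CKY_I = bytes.fromhex("987e2067d9c61bc0")   # initiator 10.1.1.20
CKY_R = bytes.fromhex("3954de8f43e2c2c0")   # responder (FGT) 10.1.1.10
IKE_PORT = 500
NAT_T_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    IP and port are in network byte order; SHA-1 is assumed as the hash."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Sender side: first NAT-D is the hash of where the sender believes the
    peer is, the following NAT-D is the hash of the sender's own address."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, received, my_ip, my_port, src_ip, src_port):
    """Receiver side: recompute the hashes from its own view of the addresses.
    Returns (me_behind_nat, peer_behind_nat, port_to_use)."""
    # Peer's view of my address differs from my real one -> I am behind NAT ("ME")
    me_nat = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # Peer's own address differs from the source I observe -> peer is behind NAT
    peer_nat = nat_d_hash(cky_i, cky_r, src_ip, src_port) not in received[1:]
    port = NAT_T_PORT if (me_nat or peer_nat) else IKE_PORT   # float to 4500
    return me_nat, peer_nat, port


def scenario_no_nat():
    # 10.1.1.20 sends its NAT-D payloads; the FGT (10.1.1.10) sees them unchanged
    recv = build_nat_d_payloads(CKY_I, CKY_R, "10.1.1.20", 500, "10.1.1.10", 500)
    return detect_nat(CKY_I, CKY_R, recv, "10.1.1.10", 500, "10.1.1.20", 500)


def scenario_nat_in_front_of_me():
    # Constructed: the peer only sees the FGT as 203.0.113.5 (NATed address)
    recv = build_nat_d_payloads(CKY_I, CKY_R, "10.1.1.20", 500, "203.0.113.5", 500)
    return detect_nat(CKY_I, CKY_R, recv, "10.1.1.10", 500, "10.1.1.20", 500)


def scenario_peer_behind_nat():
    # Constructed: the peer's real address 192.168.1.20 is translated to 10.1.1.20
    recv = build_nat_d_payloads(CKY_I, CKY_R, "192.168.1.20", 500, "10.1.1.10", 500)
    return detect_nat(CKY_I, CKY_R, recv, "10.1.1.10", 500, "10.1.1.20", 500)
```

`scenario_no_nat()` corresponds to the "NAT not detected" debug line and `scenario_nat_in_front_of_me()` to "NAT detected: ME" followed by the float to port 4500.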
Amazing content!!! This doc has cleared all my doubts regarding NAT TRAVERSAL
Awesome content