NAT Traversal (NAT-T), also known as UDP encapsulation, allows IPsec traffic to reach its destination when one of the VPN peers does not have a public IP address. This is usually the case when your ISP performs NAT, or when the external interface of your firewall is connected to a device that has NAT enabled.
NAT rewrites the IP addresses in a packet (and, for port address translation, the TCP or UDP port numbers as well), which is exactly what IPsec is built to detect. AH authenticates the outer IP header, so any rewrite fails the integrity check, and ESP in transport mode leaves the transport checksum covering the original addresses. Worse, ESP carries no port numbers, so a NAT device that shares one public address among several hosts has nothing to key its translation on and in many cases cannot forward the packet at all. IPsec and NAT are therefore incompatible as designed, and NAT Traversal (RFC 3947 and RFC 3948) was developed to resolve this.

NAT-T adds a UDP header that encapsulates the ESP packet. The UDP wrapper is not protected by IPsec and is treated like any other UDP packet, so the NAT device can rewrite the outer addresses and ports as usual while the ESP packet inside is untouched and its integrity check still passes. Because both gateways know to expect the encapsulation, the authenticity and integrity checks are performed on the inner ESP packet rather than on the rewritten outer header, which resolves the problems described above.

The peers discover the NAT during phase 1 (IKEv1) or the IKE_SA_INIT exchange (IKEv2): each side sends a hash of the source address and port it believes it is using, and if that hash does not match what the other side actually observes on the wire, a NAT is in the path. When a NAT is detected, the IKE negotiation floats from UDP port 500 to UDP port 4500, and the data traffic is then sent as ESP encapsulated in UDP on port 4500, which is what NAT Traversal amounts to. The receiving peer strips the UDP wrapper added by the sending peer and processes the result as a standard IPsec packet. Because NAT mappings time out when idle, the peer behind the NAT also sends periodic NAT keepalive packets on UDP 4500.

IPsec NAT Traversal Ports

The device performing NAT, and any firewall in the path, must allow the following for the VPN to work correctly: UDP port 500 (IKE), UDP port 4500 (NAT-T, carrying both the floated IKE negotiation and the UDP-encapsulated ESP) and IP protocol 50 (ESP). Note that plain ESP only crosses the path when the peers conclude that no NAT is present and therefore do not encapsulate; once NAT-T is in use, everything after the initial IKE exchange travels on UDP 4500.

The ultimate fix to NAT-Traversal is to use a public IP address on the firewall's external interface. This is also the recommended method, and it eliminates the need for NAT-Traversal altogether.
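The two mechanics described above, NAT detection in the initial IKE exchange and the demultiplexing of everything that arrives on UDP/4500, shown as an added Python example. This is not code from the original page, nor Huawei's or Fortinet's; it follows the IKEv2 form of NAT detection from RFC 7296 section 2.23 (IKEv1 uses NAT-D payloads with the negotiated hash algorithm instead) and the UDP/4500 framing of RFC 3948. All packets, SPIs and addresses are constructed for the demo; 10.10.10.2, 2.2.2.2 and 1.1.1.1 mirror the branch, NAT device and headquarters of the scenario later on this page.

```python
"""Demultiplex UDP/4500 NAT-T datagrams (RFC 3948) and detect a NAT from the
IKEv2 NAT_DETECTION notifications (RFC 7296 section 2.23).
All packets and addresses below are constructed for this demo."""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: prefixes IKE sent on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-octet keepalive payload
IKE_HEADER_LEN = 28                    # RFC 7296 3.1
# SPIi, SPIr, next payload, version, exchange type, flags, message id, length
IKE_HEADER_FMT = "!QQBBBBII"


def classify_udp4500_payload(payload: bytes) -> dict:
    """Return the kind of NAT-T datagram carried in a UDP/4500 payload."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        # A real ESP packet never starts with four zero bytes because SPI 0 is
        # reserved (RFC 4303 2.1); that is what makes the marker unambiguous.
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "IKE header truncated"}
        spi_i, spi_r, _next, version, exchange, flags, msg_id, length = struct.unpack(
            IKE_HEADER_FMT, ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "spi_i": spi_i,
            "spi_r": spi_r,
            "version": (version >> 4, version & 0x0F),
            "exchange_type": exchange,
            "initiator": bool(flags & 0x08),
            "msg_id": msg_id,
            "length": length,
        }
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short for an ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])  # ESP: SPI, sequence number, ciphertext
    return {"kind": "esp", "spi": spi, "seq": seq}


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP notification data: SHA-1(SPIi | SPIr | IP | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def peer_is_behind_nat(spi_i: bytes, spi_r: bytes, observed_ip: str,
                       observed_port: int, source_hashes: list) -> bool:
    """True when none of the peer's NAT_DETECTION_SOURCE_IP hashes matches the
    source address and port the datagram actually arrived from, i.e. a NAT
    rewrote them in transit. A peer may send one hash per address it owns."""
    observed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return observed not in source_hashes


# Constructed IKE_SA_INIT request from the branch; SPIr stays zero until the
# responder answers (RFC 7296 3.1).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    IKE_HEADER_FMT, int.from_bytes(SPI_I, "big"), 0,
    33,              # next payload: SA
    0x20,            # major version 2, minor 0
    34,              # exchange type: IKE_SA_INIT
    0x08,            # flags: Initiator
    0,               # message id
    IKE_HEADER_LEN)  # length: header only, enough for the demo
SAMPLE_ESP = struct.pack("!II", 0x0A1B2C3D, 7) + bytes(16)  # ESP header + dummy ciphertext

# The branch firewall believes it is 10.10.10.2:500 and hashes exactly that.
BRANCH_NAT_D_HASH = nat_detection_hash(SPI_I, SPI_R, "10.10.10.2", 500)


def demo() -> dict:
    """Run both checks on the constructed data and return the verdicts."""
    return {
        "keepalive": classify_udp4500_payload(NAT_KEEPALIVE)["kind"],
        "ike": classify_udp4500_payload(SAMPLE_IKE)["kind"],
        "esp": classify_udp4500_payload(SAMPLE_ESP)["kind"],
        # Headquarters sees the request arrive from the NAT device's public
        # address 2.2.2.2, so the hash the branch sent no longer matches.
        "nat_behind_2.2.2.2": peer_is_behind_nat(SPI_I, SPI_R, "2.2.2.2", 500, [BRANCH_NAT_D_HASH]),
        # Without a NAT the observed source is 10.10.10.2:500 and the hash matches.
        "nat_direct": peer_is_behind_nat(SPI_I, SPI_R, "10.10.10.2", 500, [BRANCH_NAT_D_HASH]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a real gateway the verdict from the NAT detection step is what triggers the float to UDP 4500 and the switch to UDP-encapsulated ESP; the demultiplexer is what the receiving side then runs on every UDP/4500 datagram before handing the inner packet to IKE or to the ESP SA identified by its SPI.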
Further Reading

Wikipedia's guide to NAT-T
As shown in Figure 2-10, the Fortinet firewall at the branch has no public IP address. It sits behind HUAWEI firewall_B, which performs source address translation, so the branch appears on the Internet with firewall_B's public address and establishes an IPsec tunnel with HUAWEI firewall_A at the headquarters. HUAWEI firewall_B provides only source address translation, so access is possible only in the direction from the branch to the headquarters: the branch can proactively establish the IPsec tunnel, but the headquarters cannot. This is also why the IKE peer on firewall_A carries two addresses: remote-address 2.2.2.2 is where the IKE packets arrive from (firewall_B's public interface), while remote-address authentication-address 10.10.10.2 is the identity the Fortinet presents in IKE, its own private address.

The IKE and IPsec proposals in the configuration below use 3DES, SHA-1 and DH group 2 to interoperate with this example's FortiGate. These are legacy algorithms; a current deployment should negotiate AES with SHA-2 and DH group 14 or stronger on both peers, and the pre-shared key Key@123 is a placeholder that must be replaced with a long random secret.

Figure 2-10 Establishing an IPSec tunnel in a NAT traversal scenario
HUAWEI Firewall_A Configuration Files

#
 sysname HUAWEI_A
#
interface GigabitEthernet 1/0/3
 ip address 1.1.1.1 24
 ipsec policy map1
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 24
#
firewall zone untrust
 add interface GigabitEthernet 1/0/3
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  destination-address 2.2.2.2 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 24
  destination-address 1.1.1.1 24
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer fortigate
 exchange-mode main
 undo version 2
 ike-proposal 1
 pre-shared-key Key@123
 remote-address 2.2.2.2
 remote-address authentication-address 10.10.10.2
 nat traversal
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy map1 1 isakmp
 ike-peer fortigate
 proposal tran1
 security acl 3000
#
return

HUAWEI Firewall_B Configuration Files

#
 sysname HUAWEI_B
#
interface GigabitEthernet 0/0/1
 ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.10.10.3 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet 0/0/1
#
firewall zone trust
 add interface GigabitEthernet 0/0/2
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 1.1.1.0 24
  destination-address 10.10.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.10.10.0 24
  destination-address 1.1.1.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.10.10.0 24
  action nat easy-ip
#
ip route-static 192.168.10.0 255.255.255.0 2.2.2.1
ip route-static 192.168.0.0 255.255.255.0 10.10.10.2
#
return