{"id":441,"date":"2011-10-09T03:15:36","date_gmt":"2011-10-09T02:15:36","guid":{"rendered":"http:\/\/www.balajibandi.com\/?p=441"},"modified":"2024-02-04T20:01:52","modified_gmt":"2024-02-04T20:01:52","slug":"how-does-nat-t-work-with-ipsec","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=441","title":{"rendered":"How Does NAT-T work with IPSec"},"content":{"rendered":"<p>ESP encrypts the protected data, encapsulating the entire inner TCP\/UDP datagram behind an ESP header. ESP is an IP protocol (IP protocol number 50) in the same sense that TCP (6) and UDP (17) are, but unlike TCP\/UDP (OSI Transport Layer 4) it carries no port numbers. This is the difference from ISAKMP, which runs over UDP port 500: a PAT device has nothing to translate on in a bare ESP packet.<\/p>\n<p><strong>How does NAT-T work with ISAKMP\/IPsec?<\/strong><\/p>\n<p>NAT Traversal performs two tasks:<\/p>\n<ol>\n<li>Detects whether both ends support NAT-T<\/li>\n<li>Detects NAT devices along the transmission path (NAT-Discovery)<\/li>\n<\/ol>\n<p>Step one occurs in ISAKMP Main Mode messages one and two, where each peer advertises NAT-T support in a Vendor ID payload. If both devices support NAT-T, NAT-Discovery is performed in ISAKMP Main Mode messages three and four. Each NAT-D payload carries a hash of an IP address and port, computed together with the ISAKMP cookies so that it is bound to this negotiation. Devices exchange two NAT-D payloads: one with the destination IP and port, and another with the source IP and port.
The receiving device recalculates the hash over the address and port it actually sees in the IP\/UDP headers and compares it with the hash it received; if they don&#8217;t match, a NAT device exists on that side of the path.<\/p>\n<p>If a NAT device has been determined to exist, NAT-T changes the ISAKMP transport starting with ISAKMP Main Mode messages five and six, at which point all ISAKMP packets move from UDP port 500 to UDP port 4500. On port 4500, IKE packets are prefixed with a four-byte zero Non-ESP Marker so the receiver can tell them apart from UDP-encapsulated ESP. NAT-T carries the Quick Mode (IPsec Phase 2) exchange inside UDP 4500 as well. After Quick Mode completes, data encrypted on the IPsec Security Association is also encapsulated inside UDP port 4500, which gives the PAT device a port to translate on.<\/p>\n<p>To visualize how this works and how the IP packet is encapsulated:<\/p>\n<ol>\n<li>The clear-text packet is encrypted and encapsulated inside an ESP packet.<\/li>\n<li>The ESP packet is encapsulated inside a UDP\/4500 packet.<\/li>\n<\/ol>\n<p>NAT-T encapsulates ESP packets inside UDP and sets both the source and destination ports to 4500. After this encapsulation there is enough information for the PAT binding to be built, so ESP packets can now be translated through a PAT device.<\/p>\n<p>When a packet with source and destination port 4500 is sent through a PAT device (from inside to outside), the PAT device changes the source port from 4500 to a random high port while keeping the destination port of 4500. When a different NAT-T session passes through the PAT device, it changes that session&#8217;s source port from 4500 to a different high port, and so on.
This way each local host has a unique entry in the PAT device&#8217;s table, mapping its RFC 1918 IP address\/port 4500 to the public IP address\/high port.<\/p>\n<p id=\"ajwfxfs\"><img loading=\"lazy\" decoding=\"async\" width=\"655\" height=\"565\" class=\"alignnone size-full wp-image-442 \" src=\"http:\/\/www.balajibandi.com\/wp-content\/uploads\/2017\/07\/img_5961f4d7243af.png\" alt=\"\" srcset=\"https:\/\/www.balajibandi.com\/wp-content\/uploads\/2017\/07\/img_5961f4d7243af.png 655w, https:\/\/www.balajibandi.com\/wp-content\/uploads\/2017\/07\/img_5961f4d7243af-300x259.png 300w\" sizes=\"auto, (max-width: 655px) 100vw, 655px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESP\u00a0 encrypts all critical information, encapsulating the entire inner TCP\/UDP datagram within an ESP header. ESP is an IP protocol in the same sense\u00a0 that TCP and UDP are IP protocols (OSI Network Layer 3), but it does not\u00a0 have any port\u00a0 information like TCP\/UDP (OSI Transport Layer 4).\u00a0 This is a difference from\u00a0 ISAKMP 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-441","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=441"}],"version-history":[{"count":2,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/441\/revisions"}],"predecessor-version":[{"id":2075,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/441\/revisions\/2075"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
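The NAT-Discovery check and the UDP/4500 framing described in the post above, worked end to end as an added example (this is not code from the original post or its author). It assumes SHA-1 as the hash negotiated in Main Mode, uses a tiny `Pat` class as a stand-in for a real translator, and all addresses, cookies, SPIs and payload bytes are constructed sample values. Two RFC 1918 hosts sit behind one PAT and talk to one public gateway: host A's NAT-D for its own source no longer matches what the gateway sees, the gateway's own NAT-D still matches, and after the move to port 4500 each inside host ends up with its own public high port in the PAT table while the receiver tells IKE from ESP by the zero marker.

```python
"""NAT-T walk-through: NAT-D hashes (RFC 3947) and UDP/4500 framing (RFC 3948).

Added example, not the post author's code. Assumptions: SHA-1 stands in for the
negotiated ISAKMP hash; Pat is a minimal stand-in for a real translator; the
cookies, addresses, SPIs and payloads are constructed sample values.
"""
import hashlib
import ipaddress
import struct

ISAKMP_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: marks IKE (not ESP) on UDP/4500


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body, RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption; a real peer uses the hash negotiated in MM1/MM2."""
    return hashlib.sha1(
        cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def nat_detected(received_natd: bytes, cky_i: bytes, cky_r: bytes,
                 seen_ip: str, seen_port: int) -> bool:
    """Receiver side of MM3/MM4: rehash the address/port actually seen in the
    IP/UDP headers and compare with the NAT-D payload the peer sent."""
    return received_natd != natd_hash(cky_i, cky_r, seen_ip, seen_port)


class Pat:
    """Minimal port-address translator (constructed stand-in for a real device).
    One binding per inside (ip, port); every flow gets its own public high port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: dict[tuple[str, int], tuple[str, int]] = {}

    def translate(self, src_ip: str, src_port: int) -> tuple[str, int]:
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def udp_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header (length covers header + payload, checksum zero) + payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def esp_in_udp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """RFC 3948 data packet: UDP 4500->4500 directly followed by the ESP header."""
    return udp_datagram(NATT_PORT, NATT_PORT, struct.pack("!II", spi, seq) + ciphertext)


def ike_in_udp(isakmp: bytes) -> bytes:
    """IKE from MM5 onward: UDP 4500->4500, a zero Non-ESP Marker, then ISAKMP."""
    return udp_datagram(NATT_PORT, NATT_PORT, NON_ESP_MARKER + isakmp)


def demux_udp4500(datagram: bytes) -> tuple[str, bytes]:
    """Receiver split of UDP/4500 traffic: SPI 0 is reserved, so four zero bytes
    can only be the marker (IKE); anything else is ESP and the SPI picks the SA."""
    _src, _dst, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    body = datagram[8:length]
    return ("ike", body[4:]) if body[:4] == NON_ESP_MARKER else ("esp", body)


def walkthrough() -> dict:
    """Two RFC 1918 hosts behind one PAT talking to one public gateway."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed ISAKMP cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    host_a, host_b = "192.168.1.10", "192.168.1.11"
    gateway = "203.0.113.5"                      # constructed public gateway
    pat = Pat("198.51.100.1")                    # constructed PAT public address

    # MM3 from host A: NAT-D for the destination, then NAT-D for its own source.
    natd_dst = natd_hash(cky_i, cky_r, gateway, ISAKMP_PORT)
    natd_src = natd_hash(cky_i, cky_r, host_a, ISAKMP_PORT)
    # The PAT rewrites the outer source of the port-500 packet in transit.
    seen_ip, seen_port = pat.translate(host_a, ISAKMP_PORT)
    # Gateway: the peer's source hash no longer matches; its own address still does.
    nat_behind_initiator = nat_detected(natd_src, cky_i, cky_r, seen_ip, seen_port)
    nat_behind_responder = nat_detected(natd_dst, cky_i, cky_r, gateway, ISAKMP_PORT)

    # NAT found: MM5 onward and the data plane move to UDP/4500.
    mm5 = ike_in_udp(b"\xaa" * 28)               # constructed ISAKMP header + payload
    data_a = esp_in_udp(0x1000ABCD, 1, b"\x5a" * 16)
    data_b = esp_in_udp(0x2000ABCD, 1, b"\xa5" * 16)
    # Each inside host gets its own public high port for its 4500 flow.
    bind_a = pat.translate(host_a, NATT_PORT)
    bind_b = pat.translate(host_b, NATT_PORT)

    return {
        "nat_behind_initiator": nat_behind_initiator,
        "nat_behind_responder": nat_behind_responder,
        "mm5": demux_udp4500(mm5),
        "data_a": demux_udp4500(data_a),
        "data_b": demux_udp4500(data_b),
        "bind_a": bind_a,
        "bind_b": bind_b,
        "pat_table": dict(pat.table),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Run it as a script to see the three PAT bindings (one for the port-500 exchange, one per host for port 4500) and the demultiplexed IKE and ESP bodies. The one design point worth noticing is why the gateway can compute `nat_detected` at all: the NAT-D hash covers the cookies, so the peer cannot be tricked by a replayed hash from another negotiation, and it covers the address as the sender knew it, so any rewrite by a PAT in between shows up as a mismatch.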