How does IKE work through a firewall - with NO NAT-T ?

Unanswered Question
Sep 3rd, 2010

Hi,


this is a question about the fundamental operation of IKE. I have searched the web, but have struggled to find good quality documentation (inc the RFCs).


I have a fully working site-to-site VPN between an ASA and an 1800 series router. In between the 2 devices is a checkpoint firewall which is performing NAT on ASA VPN endpoint address (from a private 10.x.x.x to an Internet address). The 1800 is configured with an Internet address and has no firewall between it and the Internet (I should say this is a test setup so there is little behind the 1800).


Both devices have NAT-T DISABLED (no crypto ipsec nat-transparency udp-encaps).


As I say, this setup works fine, but in packets 5 & 6 of IKE why does the 1800 not complain about ID of the ASA (i.e. 10.x.x.x) being different from the peer address (the Internet address introduced by checkpoint NAT)?


My understanding is that this should fail peer authentication, but I'm obviously wrong. Either this check is not performed as part of peer authentication or the 2 devices are overcoming the NAT issue in some way beyond my understanding.


Any suggestions, or links to 'good' documentation would be appreciated.


Thanks,

Andy.

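The question above is about the identity comparison in IKE phase 1 messages 5 and 6. The following Python model is an added example, not code from this thread or from any Cisco or Check Point product: it encodes and parses an ISAKMP Identification payload (IPsec DOI layout from RFC 2407, ID types ID_IPV4_ADDR=1, ID_FQDN=2, ID_USER_FQDN=3, ID_KEY_ID=11) and then applies a responder-side check with two policies, strict (mismatch rejects the peer) and lenient (mismatch only warns). The peer addresses and identity strings are constructed sample values; the `check_peer_identity` function and its "ok/warn/reject" decisions are an assumed model of the behaviour, not any vendor's actual code path.

```python
import ipaddress
import struct

# ISAKMP Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_KEY_ID = 11
ID_TYPE_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_USER_FQDN: "ID_USER_FQDN",
    ID_KEY_ID: "ID_KEY_ID",
}


def build_id_payload(id_type, data, next_payload=0):
    """Encode an Identification payload: generic ISAKMP header (next payload,
    reserved, length) followed by ID type, protocol ID, port and the ID data."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Decode an Identification payload; IPv4 identities are rendered dotted-quad."""
    _next, _reserved, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 8:
        raise ValueError("bad Identification payload length")
    id_type, _proto, _port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        value = str(ipaddress.IPv4Address(data))
    else:
        value = data.decode("ascii", errors="replace")
    return {"type": id_type,
            "type_name": ID_TYPE_NAMES.get(id_type, str(id_type)),
            "value": value}


def check_peer_identity(src_ip, configured_peer, id_payload, strict):
    """Assumed model of the responder's check in messages 5/6.

    Returns (decision, reason). 'warn' models the lenient behaviour the thread
    reports for Cisco devices; 'reject' models an implementation that enforces
    ID == source address strictly."""
    ident = parse_id_payload(id_payload)
    if src_ip != configured_peer:
        return "reject", f"packet from {src_ip} but peer is configured as {configured_peer}"
    if ident["type"] != ID_IPV4_ADDR:
        # A name- or key-based identity is not tied to the outer address, so an
        # intermediate NAT does not create a mismatch for this comparison.
        return "ok", f"{ident['type_name']} identity {ident['value']} is not compared to the address"
    if ident["value"] == src_ip:
        return "ok", "ID_IPV4_ADDR matches the packet source address"
    reason = f"ID_IPV4_ADDR {ident['value']} != source {src_ip} (NAT in the path?)"
    return ("reject" if strict else "warn"), reason


def demo():
    # Constructed scenario: the ASA's real address is 10.1.1.1, the firewall
    # statically NATs it to 203.0.113.10, and the router's peer is 203.0.113.10.
    asa_real, asa_nat = "10.1.1.1", "203.0.113.10"
    id_real = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(asa_real).packed)
    id_fqdn = build_id_payload(ID_FQDN, b"asa.example.test")
    return {
        "strict": check_peer_identity(asa_nat, asa_nat, id_real, strict=True)[0],
        "lenient": check_peer_identity(asa_nat, asa_nat, id_real, strict=False)[0],
        "fqdn_identity": check_peer_identity(asa_nat, asa_nat, id_fqdn, strict=True)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Run as a script, the strict policy rejects the NATed peer, the lenient policy lets the tunnel up with a warning, and a name-based identity avoids the address comparison altogether. The last point is the practical takeaway for a defender who cannot enable NAT-T: choosing an identity type that is not the interface address removes the dependency on what the firewall rewrites, and the responder can still pin that identity to the expected value.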
Federico Coto F... Fri, 09/03/2010 - 07:26

Hi Andy,


Just to understand something... you mentioned there's a Checkpoint Firewall doing NAT for the private IP of the ASA.


In order to establish the VPN tunnel between the ASA and the router (if going through the internet), the router should have set its peer to the NATed IP of the ASA.

In other words, the router cannot set its peer to the real private IP of the ASA because it can't reach it through the internet.


If this is not the case please clarify.


Federico.

Andrew Ward Mon, 09/06/2010 - 02:01

Federico,


Yes, that is correct. The peer setup on the router is the NAT address applied by the checkpoint (static NAT).


Thanks, Andy.

praprama Fri, 09/03/2010 - 08:33
User Badges:
  • Cisco Employee,

Hi Andy,


Well, based on your description of the behavior, since the VPN is coming up fine, I assume that you are using ESP and that the ASA's IP address is statically NATed to a public IP address on the checkpoint firewall.


I am saying this because if you were using AH for IPsec, this would not work, as in AH the entire payload is HASHed and added as an authenticator at the end of the payload. So if the IP address is modified by an intermediate NAT device, this HASH value will not match at the end and it will not work. So AH will not work.


Now regarding the identity not matching for messages 5 and 6 of IKE phase 1, yes, it is true that it will not match, but when working with Cisco devices, they do not perform a strict check of those and just pop up a warning at the max about the mismatch. Now, if you were using some 3rd party devices (for example, in place of the 1800, if there was a checkpoint, as I have seen this happening for a fact), if they implement a strict check of the ISAKMP identities, the VPN tunnel fails with an error regarding Invalid ID or mismatched ID.


Unfortunately, I do not have a document about the same. But I am saying the above based on my experience and what I have seen happening in different scenarios.


Hope this helps!!


Thanks and Regards,

Prapanch

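The reply above explains why a NATed endpoint works with ESP but not with AH. The Python below is an added example, not code from this thread or from any vendor: it models only the integrity coverage of the two protocols (no encryption, no real SA), computing the AH ICV over the outer IP header with its mutable fields zeroed plus the AH header and payload (RFC 4302), and the ESP ICV over the ESP header and payload only. Both use HMAC-SHA-256 truncated to 128 bits as in RFC 4868. A static NAT that rewrites only the outer source address is then applied to each packet and the ICVs re-checked. The key, addresses and payload are constructed values; the static NAT helper skips the IP checksum recomputation because the checksum is a mutable field that AH excludes anyway.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA would negotiate its keys in IKE phase 2.
KEY = b"constructed-demo-integrity-key"
ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; checksum left zero since this model never sends it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_integrity_input(ip_hdr, ah_hdr_zero_icv, payload):
    """RFC 4302 coverage: the IP header with mutable fields zeroed (DSCP/ECN,
    flags + fragment offset, TTL, header checksum), then AH header and payload.
    Source and destination addresses are immutable fields and stay covered."""
    b = bytearray(ip_hdr)
    b[1] = 0                    # DSCP / ECN
    b[6:8] = b"\x00\x00"        # flags + fragment offset
    b[8] = 0                    # TTL
    b[10:12] = b"\x00\x00"      # header checksum
    return bytes(b) + ah_hdr_zero_icv + payload


def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src, dst, spi, seq, payload):
    # AH fixed part: next header 4 (IP-in-IP, tunnel mode), payload length in
    # 32-bit words minus 2 = (12 + 16) / 4 - 2 = 5, reserved, SPI, sequence.
    ah_fixed = struct.pack("!BBHII", 4, 5, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 51, len(ah_fixed) + ICV_LEN + len(payload))
    tag = icv(ah_integrity_input(ip_hdr, ah_fixed + b"\x00" * ICV_LEN, payload))
    return ip_hdr + ah_fixed + tag + payload


def verify_ah(packet):
    ip_hdr, rest = packet[:20], packet[20:]
    ah_fixed, tag, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = icv(ah_integrity_input(ip_hdr, ah_fixed + b"\x00" * ICV_LEN, payload))
    return hmac.compare_digest(tag, expected)


def build_esp_packet(src, dst, spi, seq, payload):
    # ESP ICV covers SPI, sequence number and the (here unencrypted) payload;
    # the outer IP header is not part of the integrity check.
    esp_hdr = struct.pack("!II", spi, seq)
    tag = icv(esp_hdr + payload)
    ip_hdr = ipv4_header(src, dst, 50, len(esp_hdr) + len(payload) + ICV_LEN)
    return ip_hdr + esp_hdr + payload + tag


def verify_esp(packet):
    rest = packet[20:]
    esp_hdr, body, tag = rest[:8], rest[8:-ICV_LEN], rest[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(esp_hdr + body))


def static_nat(packet, new_src):
    """Model the firewall's static NAT: rewrite only the outer source address."""
    b = bytearray(packet)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)


def demo():
    payload = b"inner IP packet (constructed sample)"
    ah = build_ah_packet("10.1.1.1", "198.51.100.20", 0x100, 1, payload)
    esp = build_esp_packet("10.1.1.1", "198.51.100.20", 0x200, 1, payload)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(static_nat(ah, "203.0.113.10")),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(static_nat(esp, "203.0.113.10")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILED'}")
```

The AH packet verifies before the address rewrite and fails after it, while the ESP packet verifies in both cases, which is exactly the difference the reply describes. The model also makes visible why static one-to-one NAT is the case that works here: ESP carries no port numbers, so an address-only rewrite leaves the authenticated bytes untouched, whereas a port-translating NAT has nothing in ESP to rewrite and needs the UDP encapsulation that NAT-T provides.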
Andrew Ward Mon, 09/06/2010 - 02:12

Prapanch,


Thanks for the reply. Yes, your assumption is correct. Static NAT on the checkpoint and ESP.


So with ESP the ID field does not influence the hash and so is not verified by the hashing mechanism? Is there then an 'optional' separate check of the ID field against the peer address?


And following on from this question - would such ID checking be bi-directional? The reason I ask is that I have seen some VPN devices which have a separate ID field (in their setup GUI) but just for incoming VPN connections, which suggests that they only check the ID on IKE initiated by the peer.


Regards, Andy.
