ISAKMP and NAT

franzin
Level 1

I've configured a PIX using IPsec (ESP-DES) and ISAKMP with a Nortel Contivity device.

Between the two devices, a router configured with NAT (Cisco 3620) translates only addresses, through a static one-to-one NAT rule.

It works fine, but I need an answer to one main question:

How does it work if the ISAKMP protocol specifies that the "cookie" that must be created to exchange data for the SA is dependent on the source address, destination address and port numbers carried by the packet?

I need this answer to prove that no relaxing of the protocol was developed to achieve this feature and that the NAT isn't creating a lack of security.

1 Reply

paqiu
Level 1

The ISAKMP negotiation can be based on IP address, host name, digital certificates or DNS name, depending on your configuration in the router.

I assume that you are using a pre-shared key, with the IP address as the ISAKMP identity. So you need to match on both peers the same shared key, each other's IP address, the hash algorithm (MD5 or SHA), and the encryption (3DES or DES).

If all of them match, the ISAKMP exchange will be fine, and it will go on to the phase 2 IPsec negotiation.

Even if you are doing NAT, which means only one peer's IP address has been NATed, it still needs to match all the rest: pre-shared key, hash and encryption.

For this reason, NAT will not create a lack of security. Even if someone can spoof your VPN peer's IP address, he still needs to know a lot of other configuration to create a VPN tunnel to another peer.

For details please see:

http://www.cisco.com/warp/public/cc/techno/protocol/ipsecur/ipsec/prodlit/dplip_in.htm
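The point made in the reply, and the cookie question in the original post, can be checked against the protocol itself. The following is an added example written for this page, not code from the thread, the PIX, or the Contivity: it models the IKEv1 phase 1 pre-shared-key authentication of RFC 2409 (SKEYID, HASH_I, HASH_R) and the anti-clogging cookie of RFC 2408 section 2.5.3, and runs the exchange through a static one-to-one NAT. The cookie is computed only by the side that generates it, from its own view of the addresses, ports, a private secret and the time; the peer never recomputes it and just echoes it back as an opaque 8-byte SA identifier, which is why a translated address does not break the negotiation. What actually authenticates the peer is HASH_I/HASH_R, keyed by SKEYID derived from the pre-shared key, so a sender who has the right source address but the wrong key is rejected. The addresses (10.0.0.5 behind the NAT, seen as 203.0.113.5; responder 198.51.100.1), the SA payload bytes and the Diffie-Hellman public values are constructed stand-ins, and HMAC-SHA1 is used as the prf; all of these are assumptions of the example.

```python
"""Simplified IKEv1 (ISAKMP) phase 1 pre-shared-key authentication across a
one-to-one NAT.  Added example modelled on RFC 2408 (cookies) and RFC 2409
(SKEYID / HASH_I / HASH_R); not taken from the forum thread.  DH public values,
nonces and the SA payload are random or fixed stand-in bytes (constructed data)."""
import hashlib
import hmac
import os
import struct
import time
from ipaddress import IPv4Address


def make_cookie(src_ip, dst_ip, src_port, dst_port, secret):
    """RFC 2408 sec. 2.5.3 style cookie: hash over source/destination address,
    UDP ports, a locally generated secret and the current time, truncated to the
    8-byte cookie field.  Only the generating side ever computes this; the peer
    treats the value as opaque.  MD5 is the hash the RFC gives as its example."""
    material = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
                + struct.pack("!HH", src_port, dst_port)
                + secret + struct.pack("!d", time.time()))
    return hashlib.md5(material).digest()[:8]


def skeyid_psk(psk, ni_b, nr_b):
    """RFC 2409 sec. 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 here."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """RFC 2409 sec. 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return hmac.new(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b, hashlib.sha1).digest()


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """RFC 2409 sec. 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return hmac.new(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b, hashlib.sha1).digest()


def id_ipv4(ip):
    """Identification payload body: ID_IPV4_ADDR (type 1), protocol 0, port 0, then the address."""
    return struct.pack("!BBH", 1, 0, 0) + IPv4Address(ip).packed


def run_phase1(initiator_psk, responder_psk, seen_src="203.0.113.5"):
    """Run one phase 1 authentication.  The initiator at 10.0.0.5 is statically
    translated to 203.0.113.5 (seen_src is the address the responder observes);
    the responder is 198.51.100.1.  Returns (responder_accepts, initiator_accepts)."""
    init_ip, resp_ip = "10.0.0.5", "198.51.100.1"
    # Each side builds its own cookie from its own view of the 5-tuple plus a
    # private secret.  The NAT changes what the responder sees, but the cookie is
    # only ever compared by the side that created it, so this is harmless.
    cky_i = make_cookie(init_ip, resp_ip, 500, 500, os.urandom(16))   # pre-NAT view
    cky_r = make_cookie(resp_ip, seen_src, 500, 500, os.urandom(16))  # post-NAT view
    # A one-to-one NAT rewrites only the IP header; the ISAKMP payload (cookies,
    # DH values, nonces, SA and ID payloads) arrives byte-for-byte unchanged.
    gxi, gxr = os.urandom(128), os.urandom(128)      # stand-ins for the DH public values
    ni_b, nr_b = os.urandom(16), os.urandom(16)      # nonces
    sai_b = bytes.fromhex("0000000100000001")        # stand-in for the SA payload body
    idii_b = id_ipv4(init_ip)                        # initiator asserts its own (untranslated) address
    idir_b = id_ipv4(resp_ip)
    # Each side derives SKEYID from the pre-shared key *it* has configured.
    skeyid_init = skeyid_psk(initiator_psk, ni_b, nr_b)
    skeyid_resp = skeyid_psk(responder_psk, ni_b, nr_b)
    # Responder checks HASH_I: this is what binds the peer to the shared key,
    # not the source address of the packet.
    sent_hash_i = hash_i(skeyid_init, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    expected_hash_i = hash_i(skeyid_resp, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    if not hmac.compare_digest(sent_hash_i, expected_hash_i):
        return False, False          # responder drops the exchange; no HASH_R is sent
    sent_hash_r = hash_r(skeyid_resp, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    expected_hash_r = hash_r(skeyid_init, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    return True, hmac.compare_digest(sent_hash_r, expected_hash_r)


if __name__ == "__main__":
    print("same PSK through NAT:", run_phase1(b"s3cret", b"s3cret"))
    print("spoofed address, wrong PSK:", run_phase1(b"guess", b"s3cret"))
```

Two practitioner caveats follow from the model. First, the cookie inputs include the UDP ports, which a static one-to-one NAT (as in the question) leaves alone; a port-translating NAT or PAT would still not break the cookie, for the same reason, but it would break ESP itself, which has no ports to translate. Second, in IKEv1 main mode the responder has to select the pre-shared key by the peer's IP address before the encrypted ID payload can be read, so with NAT the key on the responder must be configured against the translated address it actually sees, not the peer's private address.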