Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
286
Views
0
Helpful
1
Replies

Nat Traversal

vikram_anumukonda
Level 3
Level 3

‎07-20-2007 09:22 PM

Hello,

ASA-NATBox-ASA ( ESP IPSEC Tunnel Mode )

If i need to configure an IPSEC Tunnel in the above scenario, with the NATBox doing a one-one translation, IKE will construct IKE Pakcet with UDP 4500 but will UDP Encapsulation be used when actual ESP Packet is constructed for transferring data in case of NAT ( one-one translation )??? as in a one-one NAT scenario only IP addresses are modified and IP checksum is recalculated & TCP/UDP checksums are not recalculated and are encrypted & authenticated by ESP.

ASA-PATBox-ASA ( ESP IPSEC Tunnel Mode )

In this scenario IKE will construct IKE Pakcet with UDP 4500 but will UDP Encapsulation be used when the actual ESP packet is constructed when transferring data in case of PAT ??? as BOTH IP Checksum and TCP/UDP checksums have to be recalculated.

I have gone through the RFC's for NAT , NAT-T and a book on VPN desgin Fundamentals from Cisco Press, but not able to figure out when exactly will NAT-T be used IKE will construct a packet with port UDP 4500 when it detects NAT between the peers with a NAT & PAT box between 2 IPSEC Peers running IPSEC in Tunnel Mode with ESP.

Thanks,

Vikram A

Labels:
0 Helpful
1 Reply 1

gmarogi
Level 5
Level 5

‎07-26-2007 09:18 AM

we have option of using either IPSec_UDP , IPSec_TCP , IPSec only where there is not NAT/PAT or IPSec_T. IPSEC usesIP type 50

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents