2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
NAT-T (NAT traversal) technology is mainly aimed at PAT (port address translation). When IPsec is built between sites on both sides of a firewall and the tunnel has to traverse a PAT device, there will be problems: ESP carries no port numbers for the PAT device to translate, and the IKE packets' source port 500 is rewritten on the way.
Let us describe the whole process of establishing IPsec to show where the problem arises. As everyone knows, establishing an IPsec tunnel with IKEv1 involves six packets of main mode and three packets of quick mode. When NAT-T is enabled:
① NAT-T capability negotiation. In main mode messages 1 and 2, the two sides first advertise whether they support NAT-T. I call this stage NAT-T capability negotiation.
In the capture, the Vendor ID payload (ISAKMP payload type 13) carries the identifier that says this peer supports NAT-T; for RFC 3947 NAT-T that identifier is the MD5 hash of the string "RFC 3947".
② NAT detection. So how do the peers find out whether there is a PAT device between them, that is, how do R1 and R2 perceive that one of them is being NATed? In main mode messages 3 and 4, each side sends two hash values, carried not in the Vendor ID payload but in a separate NAT-D (NAT Discovery) payload. The raw material of each hash is the two IKE cookies plus an IP address and port number: the first hash covers the destination IP address and port, the second the source IP address and port, as the sender sees them. I call this stage NAT detection.
The receiving end recomputes the same hashes from the addresses and ports in the outer header of the packet it actually received and compares them with the values the peer sent. If the hashes are the same, no NAT has been done; if they differ, an address or port was translated on the path, so NAT has been done.
③ In this lab NAT is done, so the hash values differ. When an IPsec site finds that there is NAT, it changes the packet header format and inserts a UDP header in front of the IPsec (ESP) packet. This change of packet format starts from main mode messages 5 and 6 and continues through the whole data-encryption phase. A question arises here: why must the header format be changed once NAT is detected?
Explanation: once the IPsec tunnel has sensed that NAT exists, it cannot rely on the IKE source port being translated normally by the PAT device. Some IKE implementations will not process IKE packets whose source port is not 500, and for that reason many PAT devices treat UDP 500 specially and leave its source port alone; but a PAT device relies on distinct source ports to reuse one address among many hosts, so if the source port is never changed, several hosts behind the same PAT device cannot each build a tunnel. ESP itself has no port numbers at all, so the PAT device has nothing to translate. The fix is therefore to change the source port deliberately and give ESP a port to be translated on: as shown in the figure above, the UDP source and destination port numbers are both 4500 (ipsec-nat-t). IKE messages on port 4500 are prefixed with a four-byte zero "non-ESP marker" so the receiver can tell them apart from ESP, and from that point on all packets, IKE and ESP alike, are transmitted in UDP 4500.
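The three stages above, worked through in Python as an added example (this is not code from the original article, nor from any vendor's IKE implementation). It assumes a constructed topology matching the article's diagram: R1 at 192.168.1.10 behind a PAT device whose public address is 203.0.113.5, R2 at 198.51.100.7 with no NAT in front of it; the IKE cookies, the translated port 1025 and the use of SHA-1 in place of the negotiated IKE hash are also assumptions. It computes the Vendor ID, builds and checks the NAT-D hashes from both ends, and shows the UDP 4500 encapsulation with the non-ESP marker.

```python
"""IKEv1 NAT-T walk-through: capability negotiation (Vendor ID), NAT discovery
(NAT-D hashes) and UDP 4500 encapsulation. Added example, not code from the
original article. Addresses, cookies, the translated port and the choice of
SHA-1 are constructed for illustration."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on IKE messages sent over UDP 4500

# Stage 1 (main mode 1/2): the Vendor ID advertised for RFC 3947 NAT-T is MD5("RFC 3947").
NAT_T_VID = hashlib.md5(b"RFC 3947").digest()


def nat_d_hash(cky_i, cky_r, ip, port, hashfn=hashlib.sha1):
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port), with the
    IP address and port in network byte order. SHA-1 stands in for the negotiated hash."""
    return hashfn(cky_i + cky_r + ipaddress.ip_address(ip).packed
                  + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Stage 2 (main mode 3/4), sender side: hash the addresses *as the sender sees them*.
    First NAT-D payload = destination (peer) address, second = own source address."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received, outer_src_ip, outer_src_port,
               outer_dst_ip, outer_dst_port):
    """Stage 2, receiver side: recompute the hashes from the outer IP/UDP header of the
    packet as it actually arrived. A mismatch means a translator rewrote that address.
    Returns (peer_behind_nat, self_behind_nat)."""
    dst_hash, *src_hashes = received
    self_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, outer_dst_ip, outer_dst_port)
    peer_behind_nat = nat_d_hash(cky_i, cky_r, outer_src_ip, outer_src_port) not in src_hashes
    return peer_behind_nat, self_behind_nat


def udp_encapsulate(payload, is_ike, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """Stage 3 (main mode 5/6 onward and every ESP packet): wrap the packet in a UDP
    header so the PAT device has a port to translate. The UDP checksum is left zero,
    as RFC 3948 allows. IKE gets the non-ESP marker; ESP never uses SPI 0, so the
    receiver can tell the two apart by the first four bytes."""
    body = NON_ESP_MARKER + payload if is_ike else payload
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(body), 0) + body


def udp_decapsulate(datagram):
    """Split a UDP 4500 datagram back into ("ike", message) or ("esp", packet)."""
    src_port, dst_port, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    body = datagram[8:length]
    if body[:4] == NON_ESP_MARKER:
        return "ike", body[4:]
    return "esp", body


def run_discovery(translated):
    """Constructed topology: R1 (192.168.1.10) behind a PAT device with public
    address 203.0.113.5; R2 at 198.51.100.7 with no NAT. With translated=True the
    PAT device rewrites R1's source address and port before R2 sees the packet."""
    cky_i = bytes.fromhex("0123456789abcdef")  # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")  # constructed responder cookie
    r1, r2, pat = "192.168.1.10", "198.51.100.7", "203.0.113.5"
    sent_by_r1 = build_nat_d_payloads(cky_i, cky_r, r1, IKE_PORT, r2, IKE_PORT)
    if translated:
        outer_src = (pat, 1025)  # constructed PAT mapping 192.168.1.10:500 -> 203.0.113.5:1025
    else:
        outer_src = (r1, IKE_PORT)
    return detect_nat(cky_i, cky_r, sent_by_r1, *outer_src, r2, IKE_PORT)


if __name__ == "__main__":
    print("NAT-T Vendor ID:", NAT_T_VID.hex())
    print("with PAT    (R1 NATed, R2 NATed):", run_discovery(True))   # (True, False)
    print("without PAT (R1 NATed, R2 NATed):", run_discovery(False))  # (False, False)
    # constructed ESP packet: SPI 0x1001, sequence 1, 16 bytes of ciphertext
    esp = b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"\xaa" * 16
    print(udp_decapsulate(udp_encapsulate(esp, is_ike=False)))
```

The receiver's two checks map directly onto the article's question: the first NAT-D payload tells R2 whether its own address was rewritten on the way in, the remaining ones whether R1's was. Because both checks run over the outer header the PAT device produced, a translator anywhere on the path is detected without either peer knowing the other's private address.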