Introduction

NAT-Traversal is one of the most interesting topics in IPsec VPN. Today let us understand it in detail.

As we know, in IPsec the IKE (Internet Key Exchange) protocol operates over UDP port 500. Below is a picture of the Wireshark log; please pay attention to the highlighted area.

IKE_SA init Request (Wireshark capture)

In the above picture, the highlighted packet is the first packet of ISAKMP. The initiator sends this first packet, called IKE_SA INIT Request, to the responder. This packet is sent over UDP port 500: both the source and destination ports are set to 500. When the responder receives that packet, it replies with a packet called "IKE_SA INIT Response", also on UDP port 500. Below is the Wireshark log of the second packet.

IKE_SA init Response (Wireshark capture)

In Main Mode, the 3rd and 4th packets contain the NAT-D payloads, while in Aggressive Mode the NAT-D payload is part of the second and third packets.

IKE_SA Auth Request

As we can see in the above Wireshark log, the 3rd packet still has source and destination port 500, and its payload list includes the NAT-D payload. Now let us understand what the NAT-D payload is.

RFC3947 NAT-D Payload

The NAT-D payload carries HASH(CKY-I | CKY-R | IP | Port), where the sender uses the HASH algorithm negotiated for the IKE SA. CKY-I and CKY-R in the above picture are the initiator and responder cookies. They are included in the hash so that the hash of a given IP address and port cannot be precomputed ahead of the exchange.

The sender will send at least two NAT-D payloads.

  • The first NAT-D payload contains the hash of the remote end's IP address and port (i.e., the destination address of the UDP packet).
  • The remaining NAT-D payloads contain the hash of the sender's own IP address and port. If the sender does not know its own IP address (for example, it has multiple interfaces and the implementation does not know which address will be used to route the packet out), it can include multiple local hashes in the packet, as separate NAT-D payloads.

I hope by now you have understood the NAT-D payload. But the question remains: why do we include the NAT-D payload at all? Let us understand it.

NAT Detection

The receiver calculates the same hash over the source IP address and port it actually sees in the packet and compares it with the NAT-D payload. If the calculated hash matches, the source IP address and port of the packet have not been changed in transit.

If the calculated hash does not match, the IP address and/or the port number have been changed. Usually this is done by an intermediate NAT device: if the source is behind a NAT, the NAT device rewrites the source IP address and port. Using this logic, the receiver comes to know whether the other end is behind a NAT or not.
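As an added example (not code from the original post), here is the RFC 3947 NAT-D computation from the "NAT-D Payload" section together with the receiver-side comparison just described, in Python. The cookies and addresses are constructed sample values, and SHA-1 stands in for whatever hash the IKE SA negotiated.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values, not taken from any capture: 8-byte IKE cookies.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, alg: str = "sha1") -> bytes:
    """RFC 3947 NAT-D hash: HASH(CKY-I | CKY-R | IP | Port).
    IP is the raw 4- or 16-byte address, Port is 2 bytes in network byte order.
    `alg` stands in for the hash negotiated in the IKE SA (SHA-1 here)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(alg, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, remote, local_candidates, alg="sha1"):
    """Sender side. The first payload hashes the remote (destination) address and
    port; one more payload follows per candidate local address, since a host with
    several interfaces may not know which one will route the packet."""
    return [nat_d_hash(cky_i, cky_r, *remote, alg=alg)] + [
        nat_d_hash(cky_i, cky_r, *cand, alg=alg) for cand in local_candidates
    ]


def detect_nat(cky_i, cky_r, payloads, observed_dst, observed_src, alg="sha1"):
    """Receiver side: recompute the hashes over the addresses actually seen in the
    UDP/IP headers and compare. Returns (peer_behind_nat, self_behind_nat)."""
    remote_hash, local_hashes = payloads[0], payloads[1:]
    # No local hash matches the observed source: the peer's source address or
    # port was rewritten in transit, so the peer is behind a NAT.
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src, alg=alg) not in local_hashes
    # The remote hash does not match our own address: our side was translated.
    self_behind_nat = nat_d_hash(cky_i, cky_r, *observed_dst, alg=alg) != remote_hash
    return peer_behind_nat, self_behind_nat


# Constructed scenario: initiator 192.168.1.10 sends to responder 198.51.100.1 on
# port 500; a NAT on the initiator's side rewrites the source to 203.0.113.5:51000.
RESPONDER = ("198.51.100.1", 500)
INITIATOR_PRIVATE = ("192.168.1.10", 500)
INITIATOR_AS_SEEN_BEHIND_NAT = ("203.0.113.5", 51000)


def run_scenario(observed_src):
    payloads = build_nat_d_payloads(CKY_I, CKY_R, RESPONDER, [INITIATOR_PRIVATE])
    return detect_nat(CKY_I, CKY_R, payloads, RESPONDER, observed_src)


if __name__ == "__main__":
    print("direct:", run_scenario(INITIATOR_PRIVATE))                 # (False, False)
    print("behind NAT:", run_scenario(INITIATOR_AS_SEEN_BEHIND_NAT))  # (True, False)
```

Note that a NAT which changes only the source port (keeping the address) is still detected, because the port is part of the hashed input.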

For an initiator behind a NAT, switching to port 4500 promptly after detecting the NAT is crucial to minimize the potential problems.

In Main Mode, if a NAT is detected, the initiator must switch to port 4500 when sending the ID payload. Both the UDP source and destination ports should be set to 4500, and all subsequent packets to this peer, including notifications, must also use port 4500.

If there is only one IPsec host behind the NAT, both ends will simply keep using port 4500.

But if there is more than one host behind the NAT, the NAT device needs to take some steps so that it can identify which packet is for which device. Below are the changes that the NAT will make:

  • For the first host, it will keep using port 4500.
  • For later hosts, it will change the source port number in the packet. The receiver should be aware of this and should reply only to this new port.

This means that when the original responder is rekeying or sending notifications to the original initiator, it MUST send the packets using the same IP addresses and ports that were used when the IKE SA was last used.

Summary:

In the IKE_SA Init Request packet, the initiator declares its support for NAT-Traversal, as shown in the picture below.

NAT Traversal in IPsec

In the IKE_SA Init Response packet, the responder declares its support for NAT-Traversal, as shown below.


In the IKE_SA Auth Request, the initiator adds the NAT-D payload. If there is no NAT device, the communication stays on port 500. If the device is behind a NAT, the communication switches to port 4500.

  • If there are multiple hosts behind the NAT, the NAT device changes the source port in the packet, and the receiver responds to the new port.

IKE Auth request

Below is an example of the presence of a NAT device, as the ports have changed to 4500.

NAT presence
