Because ESP is a protocol without ports, traffic encapsulated with ESP cannot pass through PAT devices: the translator has no transport-layer port on which to key its translation table.
NAT Traversal (NAT-T, RFC 3947) performs two tasks:
- Detects whether both ends support NAT-T (Vendor ID payloads)
- Detects NAT devices along the transmission path (NAT-Discovery, NAT-D payloads)
Step one occurs in ISAKMP Main Mode messages one and two, where each peer advertises NAT-T support in a Vendor ID payload. If both devices support NAT-T, NAT-Discovery is performed in ISAKMP Main Mode messages three and four. Each NAT-D payload carries a hash of an IP address and port (computed together with the ISAKMP initiator and responder cookies). The peers exchange two NAT-D payloads: one over the sender's own source IP and port, and one over the destination IP and port. The receiving device recalculates the hashes from the addresses and ports it actually sees in the IP and UDP headers and compares them with the hashes it received; if they do not match, a NAT device exists in the path, and which of the two hashes failed tells each peer whether it or its partner is the one behind the NAT.
If a NAT device has been detected, NAT-T changes the ISAKMP transport starting with ISAKMP Main Mode messages five and six: from that point all ISAKMP packets move from UDP port 500 to UDP port 4500. The Quick Mode (IPsec Phase 2) exchange is carried inside UDP 4500 as well. After Quick Mode completes, data protected by the IPsec Security Association is also encapsulated inside UDP port 4500 (UDP-encapsulated ESP, RFC 3948), which gives the PAT device a port to translate. On UDP 4500 an IKE message is prefixed with a four-byte zero "non-ESP marker" so the receiver can tell it apart from an ESP packet, whose first four bytes are the SPI (SPI 0 is reserved and never sent on the wire); a one-byte 0xFF NAT-keepalive keeps the PAT entry alive while the tunnel is idle.
To visualize how this works and how the IP packet is encapsulated:
- The clear-text packet is encrypted and encapsulated inside an ESP packet
- The ESP packet is encapsulated inside a UDP/4500 packet
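The two NAT-T mechanisms described above (the NAT-D hash comparison from Main Mode messages three and four, and the demultiplexing of what arrives on UDP/4500 after the port switch), as an added Python example that is not part of the original post or of any Cisco code. The cookies, the inside address 172.20.1.1 for R1 and all payload bytes are constructed for the demo; only 172.20.1.5, 172.20.1.6 and SPI 0x810D44F8 come from the scenario below.

```python
"""NAT-T mechanics as a runnable sketch (added example, not Cisco code).

Part 1: NAT-Discovery hash, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).
Part 2: demultiplexing UDP/4500 datagrams, RFC 3947 section 5.1 and RFC 3948.
Addresses, cookies and payload bytes are constructed for the demo.
"""
import hashlib
import ipaddress
import struct

# Four zero bytes precede an IKE message on UDP/4500. An ESP packet can never
# start this way because SPI 0 is reserved and not sent on the wire.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "md5") -> bytes:
    """NAT-D payload body. The hash algorithm is the one negotiated in the
    ISAKMP policy (md5 here, matching the scenario's 'hash md5')."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_detected(received_nat_d: bytes, cky_i: bytes, cky_r: bytes,
                 observed_ip: str, observed_port: int,
                 hash_name: str = "md5") -> bool:
    """Receiver side of NAT-D: recompute over the IP/UDP header values that
    actually arrived and compare. A mismatch means a translator rewrote them."""
    return received_nat_d != nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name)


def run_nat_discovery() -> dict:
    """Main Mode 3/4 from the scenario: R1 (behind the ASA) sends two NAT-D
    payloads to R2. 172.20.1.1 is an assumed inside address for R1; the ASA
    translates it to its outside interface 172.20.1.6 (per 'show nat detail')."""
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed ISAKMP cookies
    cky_r = bytes.fromhex("fedcba9876543210")
    r1_inside, r1_translated, r2 = "172.20.1.1", "172.20.1.6", "172.20.1.5"

    # R1 hashes what it sees: its own source address/port and R2's address/port.
    nat_d_src = nat_d_hash(cky_i, cky_r, r1_inside, 500)
    nat_d_dst = nat_d_hash(cky_i, cky_r, r2, 500)

    # R2 recomputes from the headers of the packet it received (post-PAT source).
    return {
        "remote_behind_nat": nat_detected(nat_d_src, cky_i, cky_r, r1_translated, 500),
        "local_behind_nat": nat_detected(nat_d_dst, cky_i, cky_r, r2, 500),
    }


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE on UDP/4500 (Main Mode 5/6 onward, Quick Mode): non-ESP marker first."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP-encapsulated ESP: the UDP payload is the ESP packet itself, starting
    with SPI and sequence number. esp_body stands in for the encrypted inner IP
    packet, ESP trailer and ICV."""
    if not 0 < spi <= 0xFFFFFFFF:
        raise ValueError("SPI 0 is reserved and would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def classify_udp4500(payload: bytes) -> str:
    """What a NAT-T receiver does with every datagram arriving on UDP/4500."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 8:
        raise ValueError("truncated UDP/4500 payload")
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def run_demux() -> list:
    """Classify a constructed sequence of datagrams as R2 would receive them."""
    datagrams = [
        encapsulate_ike(b"\x11" * 28),                  # stand-in for an ISAKMP header
        encapsulate_esp(0x810D44F8, 1, b"\x22" * 48),   # SPI from 'show crypto ipsec sa'
        NAT_KEEPALIVE,
    ]
    return [classify_udp4500(d) for d in datagrams]


if __name__ == "__main__":
    print(run_nat_discovery())   # {'remote_behind_nat': True, 'local_behind_nat': False}
    print(run_demux())           # ['ike', 'esp', 'nat-keepalive']
```

The source-address hash fails on R2 because the ASA rewrote 172.20.1.1 to 172.20.1.6, while the destination-address hash still matches, which is exactly how R2 learns that the peer, not itself, is behind the NAT. Including the ISAKMP cookies in the hash binds each NAT-D payload to this particular IKE exchange, so a hash captured from one negotiation cannot be replayed into another.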
Scenario (reconstructed from the configuration and the verification output below): R1 sits behind a Cisco ASA whose static NAT translates R1's 172.20.1.0/30 network to the ASA's outside interface address 172.20.1.6. R2 is the untranslated peer at 172.20.1.5. R1 protects 10.1.1.0/24 and R2 protects 10.2.2.0/24. R1 initiates the tunnel to 172.20.1.5 with a static crypto map; because R2 sees the peer arrive from the translated address 172.20.1.6 on UDP 4500, R2 accepts it with a dynamic crypto map and a wildcard pre-shared key. Both crypto maps are applied to the routers' outside interfaces (the interface commands are omitted here). NAT-T is enabled by default on IOS and needs no additional command.
Two caveats: the lab policy uses 3DES and MD5, which are weak by today's standards (prefer AES and SHA-2 in production), and the wildcard key on R2 (address 0.0.0.0 0.0.0.0) lets any peer that knows the key attempt IKE with R2.
- ISAKMP configuration
- R1
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.5
- R2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
- IPsec configuration
- R1
ip access-list extended SITE1_TO_SITE2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto map VPN_SITE_TO_SITE 10 ipsec-isakmp
 set peer 172.20.1.5
 set transform-set 3DES_MD5
 match address SITE1_TO_SITE2
crypto map VPN_SITE_TO_SITE
- R2
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto dynamic-map NAT_T_MAP 10
 set transform-set 3DES_MD5
crypto map VPN_SITE_TO_SITE 10 ipsec-isakmp dynamic NAT_T_MAP
- ASA configuration (the ASA is only the NAT device here, not a VPN endpoint; with NAT-T in use it needs to pass just UDP 500 and UDP 4500 inbound on the outside interface, and no rule for ESP, IP protocol 50)
access-list TRAFIC_IN extended permit udp any any eq isakmp
access-list TRAFIC_IN extended permit udp any any eq 4500
access-group TRAFIC_IN in interface outside
Verification. The output below shows the markers that prove NAT-T is in use: the N in the Cap. column of show crypto isakmp sa detail (NAT-traversal negotiated), current_peer 172.20.1.6 port 4500 in show crypto ipsec sa detail (R2 sees the translated address and UDP port 4500, not 500), and the translate/untranslate hits on the ASA's static NAT rule. Note that the ISAKMP SA on R2 lists 172.20.1.5 as Local and the ASA's outside address 172.20.1.6 as Remote; R1's real address never appears on R2.
R2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1007 172.20.1.5 172.20.1.6 ACTIVE 3des md5 psk 1 23:49:30 N
Engine-id:Conn-id = SW:7
R2#show crypto dynamic-map
Crypto Map Template"NAT_T_MAP" 10
No matching address list set.
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3DES_MD5,
}
R2#show crypto ipsec sa detail
interface: FastEthernet1/0
Crypto map tag: VPN_SITE_TO_SITE, local addr 172.20.1.5
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer 172.20.1.6 port 4500
PERMIT, flags={}
#pkts encaps: 715, #pkts encrypt: 715, #pkts digest: 715
#pkts decaps: 715, #pkts decrypt: 715, #pkts verify: 715
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 172.20.1.5, remote crypto endpt.: 172.20.1.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x810D44F8(2165130488)
ciscoasa# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static INSIDE interface
translate_hits = 4, untranslate_hits = 9
Source - Origin: 172.20.1.0/30, Translated: 172.20.1.6/30