What is IPsec NAT Traversal? How to configure IPsec NAT Traversal?

IPsec NAT traversal (NAT-T), also known as UDP encapsulation, NAT-T is a technique that allows traffic to get to a specific destination when a device does not have a public IP address. NAT-T makes sure that the IPsec VPN connection is open when traffic is going through the gateways. This usually happens when your ISP is doing NAT, or when the external interface of your firewall is connected to a device that has NAT enabled.

In our topology, we have a NAT device in the middle of the topology that will break the authenticity, and integrity and in some cases cannot do anything at all with the packet. Now we know one thing NAT and IPsec are incompatible with each other, but we have a solution NAT traversal.

NAT Traversal (NAT-T) adds a UDP header and a special payload to the IPsec packet, which makes it look like a normal UDP packet to the NAT device, and the NAT device will make the required changes and process the message.

(in the next blog we see Header information)

Now let's see the configuration

(If you like this blog, please visit our YouTube channel

https://youtu.be/D0t29ZdO09I?si=xlU36M8Pv2gPxRda)

Topology: -

Goal:

configure the topology as per the diagram
assign the IP address to their respective ports
configure a default route on routers 1 and 2 toward router 3
configure a static route on router 3 which is acting as an ISP NAT device
configure ACL extended for interesting traffic
enable crypto ISAKMP
configure crypto ISAKMP policy
configure pre-shared key
configure IPsec transform-set on both sites
configure IPsec security-association lifetime
configure crypto map
apply the crypto map on interfaces
configure IP static NAT on router 3
configure inside and outside NAT on router 3
make sure 192.168.10.1 can reach 192.168.20.1 with IPsec and IP translate to 100.100.100.100

SITE-A-ROUTER(config)#interface serial 4/0
SITE-A-ROUTER(config-if)#ip address 192.168.1.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#exit

SITE-A-ROUTER(config)#interface fastethernet 0/0
SITE-A-ROUTER(config-if)#ip address 192.168.10.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#no keepalive
SITE-A-ROUTER(config-if)#exit

SITE-A-ROUTER(config)#interface serial 4/1
SITE-A-ROUTER(config-if)#ip address 192.168.2.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#exit

SITE-A-ROUTER(config)#interface fastethernet 0/0
SITE-A-ROUTER(config-if)#ip address 192.168.20.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#exit

Internet-NAT-Device(config)#interface serial 4/0
Internet-NAT-Device(config-if)#ip address 192.168.1.2 255.255.255.0
Internet-NAT-Device(config-if)#no shutdown
Internet-NAT-Device(config-if)#exit

Internet-NAT-Device(config)#interface serial 4/1
Internet-NAT-Device(config-if)#ip address 192.168.2.2 255.255.255.0
Internet-NAT-Device(config-if)#no shutdown
Internet-NAT-Device(config-if)#exit

SITE-A-ROUTER#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.1 YES manual up up
Serial4/0 192.168.1.1 YES manual up up

SITE-B-ROUTER#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.20.1 YES manual up up
Serial4/1 192.168.2.1 YES manual up up

Internet-NAT-Device#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Serial4/0 192.168.1.2 YES manual up up
Serial4/1 192.168.2.2 YES manual up up

SITE-A-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0
SITE-A-ROUTER(config)#end

SITE-B-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
SITE-B-ROUTER(config)#end

Internet-NAT-Device(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
Internet-NAT-Device(config)#ip route 192.168.20.0 255.255.255.0 192.168.1.1
Internet-NAT-Device(config)#end

SITE-A-ROUTER(config)#ip access-list extended important-traffic
SITE-A-ROUTER(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-A-ROUTER(config-ext-nacl)#exit

SITE-A-ROUTER#show ip access-list
Extended IP access list important-traffic
10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

SITE-B-ROUTER(config)#ip access-list extended important-traffic
SITE-B-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-B-ROUTER(config-ext-nacl)#end

SITE-B-ROUTER#show ip access-list
Extended IP access list important-traffic
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

SITE-A-ROUTER(config)#crypto isakmp enable

SITE-B-ROUTER(config)#crypto isakmp enable

SITE-A-ROUTER(config)#crypto isakmp policy ?
<1-10000> Priority of protection suite

SITE-A-ROUTER(config)#crypto isakmp policy 20
SITE-A-ROUTER(config-isakmp)#authentication pre-share
SITE-A-ROUTER(config-isakmp)#encryption aes 256
SITE-A-ROUTER(config-isakmp)#hash sha
SITE-A-ROUTER(config-isakmp)#group 5
SITE-A-ROUTER(config-isakmp)#lifetime 3600
SITE-A-ROUTER(config-isakmp)#exit

SITE-A-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit

SITE-B-ROUTER(config)#crypto isakmp policy 20
SITE-B-ROUTER(config-isakmp)#authentication pre-share
SITE-B-ROUTER(config-isakmp)#encryption aes 256
SITE-B-ROUTER(config-isakmp)#hash sha
SITE-B-ROUTER(config-isakmp)#group 5
SITE-B-ROUTER(config-isakmp)#lifetime 3600
SITE-B-ROUTER(config-isakmp)#end

SITE-B-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit

SITE-A-ROUTER(config)#crypto isakmp key 0 internetworks address 192.168.2.1
SITE-A-ROUTER(config)#end

SITE-A-ROUTER#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.2.1 internetworks

SITE-B-ROUTER(config)#crypto isakm key 0 internetworks address 100.100.100.100

SITE-B-ROUTER(config)#end

as you can see the above command, i have changed the address 192.168.1.1 to 100.100.100.100 on router 2 because the router 1 IP 192.168.1.1 will look different on the other side 100.100.100.100 Also I am going to change peer address in the crypto map only on router 2, so we have to change the address to static NAT address in order to get successful IPsec VPN result.

SITE-B-ROUTER#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.1.1 internetworks

SITE-A-ROUTER(config)#crypto ipsec transform-set TRANSF-SET esp-aes 256 esp-sha-hmac
SITE-A-ROUTER(cfg-crypto-trans)#end

SITE-A-ROUTER#show crypto ipsec transform-set
Transform set TRANSF-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-B-ROUTER(config)#crypto ipsec transform-set TRANSF-SET esp-aes 256 esp-sha-hmac
SITE-B-ROUTER(cfg-crypto-trans)#end

SITE-B-ROUTER#show crypto ipsec transform-set
Transform set TRANSF-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-A-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-A-ROUTER(config)#exit

SITE-A-ROUTER#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds

SITE-B-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-B-ROUTER(config)#end

SITE-B-ROUTER#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds

SITE-A-ROUTER(config)#crypto map CRYPTO-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.

SITE-A-ROUTER(config-crypto-map)#match address important-traffic
SITE-A-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-A-ROUTER(config-crypto-map)#set transform-set TRANSF-SET
SITE-A-ROUTER(config-crypto-map)#exit
SITE-A-ROUTER(config)#end

*Oct 28 12:45:25.923: %CRYPTO-4-IKMP_NO_SA: IKE message from 100.100.100.100 has no SA and is not an initialization offer

SITE-A-ROUTER#show crypto map
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:

SITE-B-ROUTER(config)#crypto map CRYPTO-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.

SITE-B-ROUTER(config-crypto-map)#match address important-traffic

SITE-B-ROUTER(config-crypto-map)#set peer 100.100.100.100

SITE-B-ROUTER(config-crypto-map)#set transform-set TRANSF-SET
SITE-B-ROUTER(config-crypto-map)#END

SITE-B-ROUTER#show crypto map
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:

SITE-A-ROUTER(config)#interface serial 4/0
SITE-A-ROUTER(config-if)#crypto map CRYPTO-MAP
SITE-A-ROUTER(config-if)#exit

*Oct 28 12:34:30.711: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-A-ROUTER#show crypto map interface serial 4/0
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Current peer: 192.168.2.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:
Serial4/0

SITE-B-ROUTER(config)#interface serial 4/1
SITE-B-ROUTER(config-if)#crypto map CRYPTO-MAP
SITE-B-ROUTER(config-if)#end

*Oct 28 12:35:00.695: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-B-ROUTER#show crypto map interface serial 4/1
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list important-traffic
access-list important-traffic permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSF-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRYPTO-MAP:
Serial4/1

SITE-A-ROUTER#ping 192.168.20.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 44/63/100 ms

SITE-A-ROUTER#show crypto ipsec sa
interface: Serial4/0
Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
current outbound spi: 0xFD7D51CD(4252848589)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x367632C(57107244)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4546969/1781)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFD7D51CD(4252848589)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4546969/1781)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:

SITE-B-ROUTER#ping 192.168.10.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 32/62/96 ms

SITE-B-ROUTER#show crypto ipsec sa
interface: Serial4/1
Crypto map tag: CRYPTO-MAP, local addr 192.168.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
current outbound spi: 0x367632C(57107244)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFD7D51CD(4252848589)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4383954/1725)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x367632C(57107244)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4383954/1725)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:

Internet-NAT-Device(config)#ip nat inside source static 192.168.1.1 100.100.100.100

*Oct 28 12:39:58.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

Internet-NAT-Device(config)#interface serial 4/0
Internet-NAT-Device(config-if)#ip nat inside
Internet-NAT-Device(config-if)#exit

Internet-NAT-Device(config)#interface serial 4/1
Internet-NAT-Device(config-if)#ip nat outside
Internet-NAT-Device(config-if)#exit

SITE-A-ROUTER#clear crypto isakmp

SITE-A-ROUTER#clear crypto session

SITE-A-ROUTER#ping 192.168.20.1 source fastEthernet 0/0 repeat 1000

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.1

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/60/140 ms

SITE-B-ROUTER#ping 192.168.10.1 source fastEthernet 0/0 repeat 1000

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.20.1

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (1000/1000), round-trip min/avg/max = 24/60/144 ms

Internet-NAT-Device#show ip nat translations

Pro Inside global Inside local Outside local Outside global

udp 100.100.100.100:4500 192.168.1.1:4500 192.168.2.1:4500 192.168.2.1:4500

--- 100.100.100.100 192.168.1.1 --- ---

SITE-A-ROUTER#show crypto ipsec sa

interface: Serial4/0

Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)

current_peer 192.168.2.1 port 4500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 2219, #pkts encrypt: 2219, #pkts digest: 2219

#pkts decaps: 2219, #pkts decrypt: 2219, #pkts verify: 2219

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1

path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0

current outbound spi: 0x3BD9F3C0(1004139456)

PFS (Y/N): N, DH group: none

MPLS

What is IPsec NAT Traversal? How to configure IPsec NAT Traversal?

(If you like this blog, please visit our YouTube channel

https://youtu.be/D0t29ZdO09I?si=xlU36M8Pv2gPxRda)

0 comments:

Labels

Pages

Popular Posts

Follow us on Facebook

Featured post

What is FLEXVPN? How to configure FLEXVPN?

Labels

About me

Pages

Popular Posts

subscribe