zoukankan      html  css  js  c++  java
  • IPSEC的NAT兼容性

    摘自:http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaja/rzajaudpencap.htm

    NAT compatible IPSec with UDP

    UDP encapsulation allows IPSec traffic to pass through a conventional NAT device. Review this topic for more information about what it is and why you should use it for your VPN connections.

    The problem: Conventional NAT breaks VPN

    Network address translation (NAT) allows you to hide your unregistered private IP addresses behind a set of registered IP addresses. This helps to protect your internal network from outside networks. NAT also helps to alleviate the IP address depletion problem, since many private addresses can be represented by a small set of registered addresses.

    Unfortunately, conventional NAT does not work on IPSec packets because when the packet goes through a NAT device, the source address in the packet changes, thereby invalidating the packet. When this happens, the receiving end of the VPN connection discards the packet and the VPN connection negotiations fail.

    The solution: UDP encapsulation

    In a nutshell, UDP encapsulation wraps an IPSec packet inside a new, but duplicate, IP/UDP header. The address in the new IP header gets translated when it goes through the NAT device. Then, when the packet reaches its destination, the receiving end strips off the additional header, leaving the original IPSec packet, which will now pass all other validations.

    You can only apply UDP encapsulation to VPNs that will use IPSec ESP in either tunnel mode or transport mode. In addition, at V5R2, the system can only act as a client for UDP encapsulation. That is, it can only initiate UDP encapsulated traffic.

    The graphics below illustrate the format of a UDP encapsulated ESP packet in tunnel mode:

    Original IPv4 datagram:
    Graphic showing an IPv4 datagram with IP header followed by Payload data
    After applying IPSec ESP in tunnel mode:
    Graphic showing datagram after applying IPSec ESP in tunnel mode.
    After applying UDP Encapsulation:
    Graphic showing datagram after applying UDP Encapsulation.

    The graphics below illustrate the format of a UDP encapsulated ESP packet in transport mode:

    Original IPv4 datagram:
    Graphic showing an IPv4 datagram with IP header followed by Payload data
    After applying IPSec ESP in transport mode:
    Graphic showing datagram after applying IPSec ESP in transport mode.
    After applying UDP Encapsulation:
    Graphic showing datagram after applying UDP Encapsulation.

    After the packet is encapsulated, the system sends the packet to its VPN partner over UDP port 4500. Typically, VPN partners perform IKE negotiations over UDP port 500. However, when IKE detects NAT during key negotiation, subsequent IKE packets are sent over source port 4500, destination port 4500. This also means that port 4500 must be unrestricted in any applicable filter rules. The receiving end of the connection can determine whether the packet is an IKE packet or a UDP encapsulated packet because the first 4 bytes of the UDP payload are set to zero on an IKE packet. For it to work properly, both ends of the connection must support UDP encapsulation.

  • 相关阅读:
    XML解析
    资源管理
    Android中的动态字符串的处理
    消息提示的三种方式
    程序调控和监视(Logcat,Debug)
    选择改变事件OnCheckedChange
    递归和非递归分别实现求n的阶乘
    递归和非递归分别实现strlen
    编写一个函数 reverse_string(char * string)实现:将参数字符串中的字符反向排列 。(递归实现)
    写一个递归函数DigitSum(n),输入一个非负整数,返回组成它的数字之和
  • 原文地址:https://www.cnblogs.com/jjkv3/p/1788557.html
Copyright © 2011-2022 走看看