zoukankan      html  css  js  c++  java
  • IPSEC的NAT兼容性

    摘自:http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaja/rzajaudpencap.htm

    NAT compatible IPSec with UDP

    UDP encapsulation allows IPSec traffic to pass through a conventional NAT device. Review this topic for more information about what it is and why you should use it for your VPN connections.

    The problem: Conventional NAT breaks VPN

    Network address translation (NAT) allows you to hide your unregistered private IP addresses behind a set of registered IP addresses. This helps to protect your internal network from outside networks. NAT also helps to alleviate the IP address depletion problem, since many private addresses can be represented by a small set of registered addresses.

    Unfortunately, conventional NAT does not work on IPSec packets because when the packet goes through a NAT device, the source address in the packet changes, thereby invalidating the packet. When this happens, the receiving end of the VPN connection discards the packet and the VPN connection negotiations fail.

    The solution: UDP encapsulation

    In a nutshell, UDP encapsulation wraps an IPSec packet inside a new, but duplicate, IP/UDP header. The address in the new IP header gets translated when it goes through the NAT device. Then, when the packet reaches its destination, the receiving end strips off the additional header, leaving the original IPSec packet, which will now pass all other validations.

    You can only apply UDP encapsulation to VPNs that will use IPSec ESP in either tunnel mode or transport mode. In addition, at V5R2, the system can only act as a client for UDP encapsulation. That is, it can only initiate UDP encapsulated traffic.

    The graphics below illustrate the format of a UDP encapsulated ESP packet in tunnel mode:

    Original IPv4 datagram:
    Graphic showing an IPv4 datagram with IP header followed by Payload data
    After applying IPSec ESP in tunnel mode:
    Graphic showing datagram after applying IPSec ESP in tunnel mode.
    After applying UDP Encapsulation:
    Graphic showing datagram after applying UDP Encapsulation.

    The graphics below illustrate the format of a UDP encapsulated ESP packet in transport mode:

    Original IPv4 datagram:
    Graphic showing an IPv4 datagram with IP header followed by Payload data
    After applying IPSec ESP in transport mode:
    Graphic showing datagram after applying IPSec ESP in transport mode.
    After applying UDP Encapsulation:
    Graphic showing datagram after applying UDP Encapsulation.

    After the packet is encapsulated, the system sends the packet to its VPN partner over UDP port 4500. Typically, VPN partners perform IKE negotiations over UDP port 500. However, when IKE detects NAT during key negotiation, subsequent IKE packets are sent over source port 4500, destination port 4500. This also means that port 4500 must be unrestricted in any applicable filter rules. The receiving end of the connection can determine whether the packet is an IKE packet or a UDP encapsulated packet because the first 4 bytes of the UDP payload are set to zero on an IKE packet. For it to work properly, both ends of the connection must support UDP encapsulation.

  • 相关阅读:
    [导入]google的网络U盘
    [导入]下载 Visual Studio 2005 Starter Kits,提高效率!
    TXT文件 是 好多列 组成,其中有一列是 身份证,如何 用EXCEL 打开时,不会变成 科学计数的形式?
    个人所得税2011新计算公式Excel版,及由税款倒推收入额
    ServU虚拟路径映射问题
    Access .mdb数据库 转成 SQLITE数据库
    undefined与null的区别
    从内存的角度来区分基本类型和引用类型的区别
    JAVA类加载和反射介绍
    onConfigurationChanged的作用
  • 原文地址:https://www.cnblogs.com/jjkv3/p/1788557.html
Copyright © 2011-2022 走看看