UDP Encapsulation
Another problem that NAT traversal resolves is that ESP is an IP protocol in its own right (IP protocol
number 50). It carries no port numbers as TCP and UDP do, so a NAT device that rewrites ports has
nothing with which to tell two NATed clients behind the same address apart. In practice this makes it
impossible to have more than one NATed client connected to the same remote gateway at the same
time. Because of this, when NAT traversal is in use, ESP packets are encapsulated in UDP. ESP-in-UDP
traffic is sent on port 4500, the same port IKE moves to once a NAT has been detected between the
peers: IKE starts on port 500, and once the port has been changed all following IKE communication is
done over port 4500. NAT keep-alive packets are also sent periodically over the same port to keep the
NAT mapping alive.
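Everything arriving on UDP/4500 therefore has to be told apart by framing alone. The following is an added example (not NetDefendOS code) of how a receiver distinguishes the three kinds of datagrams using the RFC 3948 rules: a NAT keep-alive is a single 0xFF byte, IKE on port 4500 is prefixed with a four-byte zero "Non-ESP Marker", and anything else is ESP with its SPI first (SPI 0 is reserved precisely so an ESP packet can never look like the marker). The sample datagrams and SPI values are constructed for the example.

```python
import struct

# RFC 3948 framing on UDP/4500 (constants defined here for the example):
#  - a NAT keep-alive is a single 0xFF byte
#  - IKE carried on 4500 is prefixed with a 4-byte zero "Non-ESP Marker"
#  - everything else is ESP, whose first 4 bytes are the SPI (never 0, so it
#    cannot collide with the marker)
NAT_KEEPALIVE = b"\xff"
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER = struct.Struct("!QQBBBBII")   # 28-byte ISAKMP/IKE fixed header
ESP_HEADER = struct.Struct("!II")         # SPI, sequence number


def classify_udp4500(payload: bytes) -> dict:
    """Return what a UDP/4500 datagram carries: keep-alive, IKE or ESP.

    Only the fixed headers are parsed; the IKE payloads and the ESP
    ciphertext are left alone.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}

    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "short IKE header"}
        (i_spi, r_spi, next_payload, version, exch_type,
         flags, msg_id, length) = IKE_HEADER.unpack_from(ike)
        if length != len(ike):
            return {"kind": "malformed", "reason": "IKE length mismatch"}
        return {
            "kind": "ike",
            "initiator_spi": i_spi,
            "responder_spi": r_spi,
            "major_version": version >> 4,
            "exchange_type": exch_type,
            "message_id": msg_id,
            "length": length,
        }

    if len(payload) < ESP_HEADER.size:
        return {"kind": "malformed", "reason": "short ESP header"}
    spi, seq = ESP_HEADER.unpack_from(payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


def build_ike_on_4500(i_spi: int, r_spi: int, exch_type: int, body: bytes) -> bytes:
    """Frame an IKEv1 message for port 4500: marker + fixed header + payloads."""
    length = IKE_HEADER.size + len(body)
    # next payload 1 (SA), version 0x10 (IKEv1), flags 0, message ID 0
    header = IKE_HEADER.pack(i_spi, r_spi, 1, 0x10, exch_type, 0, 0, length)
    return NON_ESP_MARKER + header + body


def build_esp_on_4500(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Frame an ESP packet for port 4500: no marker, the SPI comes first."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved (it would be read as the Non-ESP Marker)")
    return ESP_HEADER.pack(spi, seq) + ciphertext


# Constructed sample datagrams, as they would arrive on UDP/4500.
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_IKE = build_ike_on_4500(0x1122334455667788, 0, 2, b"\x00" * 16)  # exchange type 2 = Main Mode
SAMPLE_ESP = build_esp_on_4500(0xC0FFEE01, 1, b"\xaa" * 32)

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)]:
        print(name, classify_udp4500(pkt))
```

The same three-way split is what a packet capture filter on port 4500 has to make: a one-byte datagram is a keep-alive and carries no IKE or ESP content, so a flood of them is a NAT-binding refresh, not a tunnel problem.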
NAT Traversal Configuration
Most NAT traversal functionality is completely automatic and in the initiating firewall no special
configuration is needed. However, for responding firewalls two points should be noted:
• On responding firewalls, the Remote Endpoint field is used as a filter on the source IP of
received IKE packets. This should be set to the address the initiator appears to come from after
NAT (its public, NATed address), not the private address it has on the inside of the NAT.
• When individual pre-shared keys are used with multiple tunnels connecting to one remote
firewall that are NATed out through the same address, the responder can no longer tell the tunnels
apart by source address, so it is important to make sure the Local ID property of every IPsec
Tunnel object is unique for every tunnel and takes one of the following values:
i. Auto - The local ID becomes the IP address of the outgoing interface. This is the
recommended setting unless the two firewalls have the same external IP address.
ii. IP - An IP address can be manually entered.
iii. DNS - A DNS address can be manually entered.
iv. Email - An email address can be manually entered.
9.3.6. Algorithm Proposal Lists
To agree on the VPN connection parameters, a negotiation process is performed. As a result of
the negotiations, the IKE and IPsec security associations (SAs) are established. A proposal list of
supported algorithms is the starting point for the negotiation. Each entry in the list defines the
parameters of one algorithm combination that the VPN tunnel endpoint device supports (the shorter
term tunnel endpoint will also be used in this manual). The initial negotiation attempts to agree on
a set of algorithms that the devices at either end of the tunnel can both support.
There are two types of proposal lists, IKE proposal lists and IPsec proposal lists. IKE lists are used
during IKE Phase-1 (IKE Security Negotiation), while IPsec lists are used during IKE Phase-2 (IPsec
Security Negotiation).
Several algorithm proposal lists are already defined by default in NetDefendOS for different VPN
scenarios and user defined lists can be added.
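Why the contents of a list matter more than its ordering is easiest to see by running the selection step. The following is an added example, not NetDefendOS code, of a responder choosing from an initiator's proposals. It assumes the responder honours the initiator's order of preference (common default behaviour, but implementation-specific), and the list contents and algorithm names are constructed for the example: HIGH stands in for a short, strong list of the kind the manual describes, LEGACY for the same list with a weak entry kept "for compatibility".

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One entry of a proposal list (constructed; names are illustrative)."""
    encryption: str
    integrity: str
    dh_group: int


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Responder-side selection: take the first of the initiator's proposals,
    in the initiator's order of preference, that the responder also lists.
    None means the lists have nothing in common and no SA is established."""
    offered = set(responder)
    for proposal in initiator:
        if proposal in offered:
            return proposal
    return None


def tighten(responder: List[Proposal], forbidden_encryption: set) -> List[Proposal]:
    """Remove entries using a forbidden cipher. Reordering the responder's list
    would not help (the initiator's order wins); removal is the only fix."""
    return [p for p in responder if p.encryption not in forbidden_encryption]


# Constructed proposal lists.
AES256_SHA256 = Proposal("aes256", "sha256", 14)
AES128_SHA256 = Proposal("aes128", "sha256", 14)
DES3_SHA1 = Proposal("3des", "sha1", 2)

HIGH = [AES256_SHA256, AES128_SHA256]
LEGACY = [AES256_SHA256, AES128_SHA256, DES3_SHA1]

# An initiator that prefers the weak suite but can also do the strong ones.
DOWNGRADING_INITIATOR = [DES3_SHA1, AES256_SHA256]
# An initiator that can only do the weak suite.
WEAK_ONLY_INITIATOR = [DES3_SHA1]

if __name__ == "__main__":
    print("against HIGH:  ", negotiate(DOWNGRADING_INITIATOR, HIGH))
    print("against LEGACY:", negotiate(DOWNGRADING_INITIATOR, LEGACY))
    print("after tighten: ", negotiate(DOWNGRADING_INITIATOR, tighten(LEGACY, {"3des"})))
    print("weak-only vs HIGH:", negotiate(WEAK_ONLY_INITIATOR, HIGH))
```

The takeaway for a responder is that anything it lists is selectable by the peer: a strong entry at the top of the LEGACY list does not protect against an initiator that asks for the weak one first, and a peer that can only use the weak suite fails cleanly against the short list instead of silently getting a weaker SA.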
Two IKE algorithm lists and two IPsec lists are already defined by default:
• High
This consists of the following, shorter list of algorithms that provide higher security:
• AES
• SHA256
• SHA512