UTT Technologies VPN Menu
http://www.uttglobal.com Page 174
Dead Peer Detection (DPD) is a traffic-based method of detecting a dead IKE peer.
DPD allows an endpoint to periodically verify its peer's liveness. This helps the
endpoint avoid sending IPSec packets to a peer that is no longer available (a
"Martian" host). After DPD is enabled, the endpoint periodically sends DPD
heartbeat messages at the specified time interval (usually 20 seconds or about 1
minute) to the peer to verify its availability. After missing several consecutive heartbeat
messages, the endpoint renegotiates the SAs with the peer.
13.3.4 IPSec NAT Traversal
Network Address Translation (NAT) is a technology that allows multiple hosts on a
private network to share a single public IP address or a small group of them. NAT
undoubtedly helps conserve the remaining IP address space and offers some network
security benefit; however, it introduces problems for end-to-end protocols like IPSec.
NAT is incompatible with IPSec, which is one of the most popular VPN technologies.
Why doesn't NAT work with IPSec? One main reason is that NAT devices modify the
IP header of a packet, which causes an AH-protected packet to fail checksum validation;
and they cannot modify the ports in the TCP header of an ESP-protected packet, because
that header is encrypted. The solution is IPSec NAT Traversal, or NAT-T.
The IPSec working group of the IEEE has created standards for NAT-T that are
defined in RFC 3947 (Negotiation of NAT-Traversal in the IKE) and RFC 3948 (UDP
Encapsulation of IPsec ESP Packets). IPSec NAT-T is designed to solve the problems
inherent in using IPSec with NAT.
During IKE phase 1 negotiation, the two IPSec NAT-T-capable endpoints can
automatically determine:
- Whether both of the IPSec endpoints can perform IPSec NAT-T.
- Whether there are any NAT devices along the path between them.
If both of these two conditions are true, the two endpoints will automatically use IPSec
NAT-T to send IPSec-protected packets. If either endpoint doesn’t support IPSec
NAT-T, they will perform normal IPSec negotiations (beyond the first two messages)
and IPSec protection. If both endpoints support IPSec NAT-T, but there is no NAT
device between them, they will perform normal IPSec protection.
Note: IPSec NAT-T is only defined for ESP traffic. AH traffic cannot traverse NAT
devices; therefore, do not use AH if any NAT device is present on your network.
The Device supports the IPSec NAT-T feature. With NAT-T, the Device adds a UDP
header to the ESP-protected packets after detecting one or more NAT devices along
the data path during IKE phase 1 negotiation. This new UDP header sits between the
ESP header and the outer IP header, and usually uses UDP port 4500.
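The two mechanisms this section describes, NAT detection during IKE phase 1 (the RFC 3947 NAT-D hash) and UDP encapsulation of ESP on port 4500 (RFC 3948), worked through as an added Python example that is not part of the UTT manual or firmware; the IKE cookies, addresses and the use of SHA-1 as the phase 1 hash are constructed assumptions.

```python
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on UDP/4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte NAT keepalive
ISAKMP_HDR_LEN = 28                   # fixed IKE (ISAKMP) header length


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for the hash negotiated in phase 1 (assumption)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, peer_hash: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """The peer hashes the address it believes it has; the receiver hashes the
    address/port it actually sees. A mismatch means a NAT rewrote the header."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != peer_hash


def udp_encapsulate_esp(esp_packet: bytes, src_port: int = 4500,
                        dst_port: int = 4500) -> bytes:
    """RFC 3948 2.1: UDP header (checksum sent as zero) placed before the ESP header."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp_packet), 0) + esp_packet


def classify_udp4500_payload(payload: bytes) -> str:
    """Tell apart the three things that share UDP/4500 (RFC 3948 2.2 and 2.3)."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike" if len(payload) >= 4 + ISAKMP_HDR_LEN else "malformed-ike"
    if len(payload) >= 8:  # SPI (4 bytes, never 0) + sequence number (4 bytes)
        return "esp"
    return "malformed"


def demo() -> dict:
    """Constructed scenario: initiator 192.168.1.10:500 sits behind a NAT that
    presents it to the responder as 203.0.113.5:4500."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
    claimed = nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)  # what the initiator sends
    esp = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16   # SPI, seq, opaque ESP body
    encap = udp_encapsulate_esp(esp)
    return {
        "nat_behind_path": nat_detected(cky_i, cky_r, claimed, "203.0.113.5", 4500),
        "nat_direct_path": nat_detected(cky_i, cky_r, claimed, "192.168.1.10", 500),
        "encap_udp_len": struct.unpack("!H", encap[4:6])[0],
        "encap_kind": classify_udp4500_payload(encap[8:]),
    }
```

For monitoring, the same classifier lets a collector separate keepalives, IKE and encapsulated ESP on port 4500 before counting or alerting on them.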