
The 7705 SAR supports NAT-T (Network Address Translation-Traversal) for IKEv2, as described in section 2.23 of RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2). NAT-T is functionality belonging to IPSec and IKEv2; it is not functionality belonging to the NAT device. In a private network where the entire network is hidden behind a single public IP address, NAT-T for IPSec is used to support the fan-out of multiple IPSec tunnels in the private network. IPSec is an IP protocol and as such does not use ports. NAT relies on port mapping, so in order to allow traversal of a NAT device, NAT-T adds a UDP header with port 4500 to the IPSec traffic when a NAT device is detected. Figure 102 illustrates how the UDP header is injected into the packet, as well as the many-to-one and one-to-many mappings.
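The two mechanisms in this paragraph, the NAT detection of RFC 5996 section 2.23 and the UDP port 4500 header that NAT-T adds once a NAT is found, are shown below in an added Python example. It is not code from the 7705 SAR documentation or from any Nokia product; the SPI values, addresses and ports are constructed for the demonstration, and the non-ESP marker and UDP encapsulation format follow RFC 3948.

```python
import hashlib
import ipaddress
import struct

NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero bytes precede IKE on UDP/4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 5996 section 2.23: SHA-1 over SPIi | SPIr | IP address | port.

    The sender computes this over the address and port it believes it is
    using; the receiver recomputes it over the address and port it actually
    observed in the outer IP and UDP headers of the IKE message.
    """
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def peer_is_behind_nat(spi_i: bytes, spi_r: bytes, received_payload: bytes,
                       observed_ip: str, observed_port: int) -> bool:
    """Compare the peer's NAT_DETECTION_SOURCE_IP payload with a hash of what we saw.

    A mismatch means a NAT rewrote the peer's source address or port, so the
    remaining IKE messages and the ESP traffic must move to UDP port 4500.
    """
    expected = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return received_payload != expected


def udp_encapsulate_esp(esp_packet: bytes, sport: int = NATT_PORT, dport: int = NATT_PORT) -> bytes:
    """Prepend the UDP header that NAT-T adds to ESP once a NAT is detected.

    This is the header the NAT device rewrites; ESP itself has no port field.
    The UDP checksum is left at 0, which IPv4 permits.
    """
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0) + esp_packet


def classify_udp4500(udp_datagram: bytes) -> str:
    """Demultiplex a datagram received on UDP/4500 into 'ike', 'esp' or 'malformed'.

    The four bytes after the UDP header decide: a zero marker means an IKE
    message follows; anything else is the ESP header, whose SPI field is
    never zero on the wire (RFC 4303 reserves SPI 0 for local use).
    """
    if len(udp_datagram) < 12:  # 8-byte UDP header + 4-byte marker or SPI
        return "malformed"
    marker = udp_datagram[8:12]
    return "ike" if marker == NON_ESP_MARKER else "esp"


# Constructed sample values (not from the document): IKE SPIs and a peer that
# believes it is 10.0.0.7:500 but is seen as 203.0.113.5:31234 after a NAT.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")


def demo() -> dict:
    payload_from_peer = nat_detection_hash(SPI_I, SPI_R, "10.0.0.7", 500)
    nat = peer_is_behind_nat(SPI_I, SPI_R, payload_from_peer, "203.0.113.5", 31234)
    no_nat = peer_is_behind_nat(SPI_I, SPI_R, payload_from_peer, "10.0.0.7", 500)
    esp = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16  # ESP header + dummy ciphertext
    ike = NON_ESP_MARKER + b"\x00" * 28                      # marker + dummy IKE header
    return {
        "nat_detected": nat,
        "no_nat_detected": no_nat,
        "esp_class": classify_udp4500(udp_encapsulate_esp(esp)),
        "ike_class": classify_udp4500(udp_encapsulate_esp(ike)),
    }


if __name__ == "__main__":
    print(demo())
```

The detection hash is the reason NAT-T belongs to IKEv2 rather than to the NAT device: only the two IKE endpoints can compare what the peer thinks its address is with what actually arrived, and only they can switch to the port 4500 encapsulation afterwards.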

IPSec is a structure of open standards to ensure private, secure communications over Internet Protocol (IP) networks by using cryptographic security services.

For IPSec, the 7705 SAR supports VPRN for the private side of the tunnel and IES for the public side of the tunnel. A public service instance (IES) connects to the public network and a private service instance (VPRN) connects to the private network, which originates the traffic that is to be encrypted (see Figure 99). In Figure 99, all ingress customer traffic from the trusted network is aggregated into the private VPRN service, where a VPRN static route directs the traffic into the encryption engine. The encryption engine encrypts the customer traffic using configurable encryption and authentication protocols, and adds the IPSec tunnel outer IP header. The source IP address of the outer IP header is the local security gateway address, and the destination IP address is the peer security gateway address. The encrypted IPSec packet exits the node via an IES or router interface that is configured on an encryption-capable adapter card, and is routed to its destination via a standard FIB lookup. On ingress from an untrusted network, all arriving IPSec traffic is routed to the appropriate security gateway as configured on the VPRN service. The incoming IPSec traffic is processed and checked against the tunnel security configuration. If the traffic passes all security checks, it is decrypted and the customer traffic is routed through the associated VPRN. Any traffic that does not match the tunnel security configuration is dropped.
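The egress and ingress halves of this flow are modelled below in an added Python example; it is not 7705 SAR code and does not reproduce the node's actual data path. The `TunnelSA` record stands in for one entry of the tunnel security configuration, the gateway addresses, SPI and VPRN name are constructed values, and the ingress check stops at the point where decryption would begin, which is where the text says mismatching traffic is dropped.

```python
import ipaddress
import struct
from dataclasses import dataclass

ESP_PROTO = 50  # ESP rides directly in IP: no transport-layer port to look up
IPV4_HDR_FMT = "!BBHHHBBH4s4s"


@dataclass(frozen=True)
class TunnelSA:
    """One entry of the tunnel security configuration (constructed model)."""
    local_gw: str   # local security gateway address: outer source on egress, outer destination on ingress
    peer_gw: str    # peer security gateway address: outer destination on egress, outer source on ingress
    spi: int        # SPI the peer places in ESP packets sent to this gateway
    vprn: str       # private service the decrypted customer traffic is routed into


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement header checksum; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_outer_packet(src_gw: str, dst_gw: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Egress: wrap already-encrypted customer traffic in the ESP and outer IPv4 headers.

    The outer source is the local gateway and the outer destination is the peer
    gateway, so the result is an ordinary IP packet for the FIB lookup.
    """
    esp_hdr = struct.pack("!II", spi, seq)
    total_len = 20 + len(esp_hdr) + len(ciphertext)
    fields = (0x45, 0, total_len, 0, 0x4000, 64, ESP_PROTO, 0,
              ipaddress.ip_address(src_gw).packed, ipaddress.ip_address(dst_gw).packed)
    hdr = struct.pack(IPV4_HDR_FMT, *fields)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + esp_hdr + ciphertext


def ingress_check(packet: bytes, sa_table: dict) -> tuple:
    """Ingress from the untrusted side: check the packet against the tunnel configuration.

    Returns ('accept', vprn_name) when the outer header and SPI match a configured
    tunnel, otherwise ('drop', reason). Decryption would follow an accept.
    """
    if len(packet) < 28:
        return ("drop", "truncated")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        return ("drop", "not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        return ("drop", "bad IPv4 header")
    if proto != ESP_PROTO:
        return ("drop", "not ESP")
    if len(packet) < ihl + 8:
        return ("drop", "ESP header truncated")
    spi, _seq = struct.unpack("!II", packet[ihl:ihl + 8])
    local_gw = str(ipaddress.ip_address(dst))
    sa = sa_table.get((local_gw, spi))
    if sa is None:
        return ("drop", "no tunnel configured for local gateway %s, SPI 0x%08x" % (local_gw, spi))
    if str(ipaddress.ip_address(src)) != sa.peer_gw:
        return ("drop", "outer source is not the configured peer gateway")
    return ("accept", sa.vprn)


def demo() -> list:
    # Constructed configuration (not from the document): one tunnel terminating here.
    sa_table = {("192.0.2.1", 0x1000): TunnelSA("192.0.2.1", "198.51.100.2", 0x1000, "vprn-100")}
    body = b"\x11" * 32  # stands in for ciphertext; the check does not look inside
    good = build_outer_packet("198.51.100.2", "192.0.2.1", 0x1000, 7, body)
    wrong_peer = build_outer_packet("198.51.100.9", "192.0.2.1", 0x1000, 7, body)
    unknown_spi = build_outer_packet("198.51.100.2", "192.0.2.1", 0x2000, 7, body)
    return [ingress_check(p, sa_table) for p in (good, wrong_peer, unknown_spi)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the first packet reaches the VPRN; the other two are dropped before any decryption work is spent on them, which is the property the paragraph describes and the reason the SPI and peer address are checked before the cryptographic checks rather than after.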
