Re: [OSL | CCIE_Security] ESP across PAT

Mon, 27 Sep 2010 06:40:32 -0700

Hi all,

Actually, it should work with multiple ESP tunnels and PAT with SPI matching. That is a feature that is introduced in IOS 12.2-something..

Check out:

white paper:

(Search for multiple ESP through PAT)

Feature guide:

I remember this as I was playing around with it once, and I know that at one time, the SPI matching was enabled automatically, I think it was with the 12.4T15 release (a lot of things happend then)

HTH

PJ



On 27 sep 2010, at 15:13, Kingsley Charles wrote:

Hi Tyson
 
I had only one ESP tunnel. Is there any specific reason for it not to work? If ICMP can be PATed then ESP can also be PATed right?
 
 
 
With regards
Kings

On Mon, Sep 27, 2010 at 6:39 PM, Tyson Scott <[email protected]> wrote:

Kingsley,

 

Did you have more than one IPSec session going thru the router?  If it automatically does SPI matching that is new to me but I expect it to not work when you do two ESP tunnels thru the router.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

 

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, September 27, 2010 7:53 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] ESP across PAT

 

Any thoughts?

On Sat, Sep 25, 2010 at 7:24 PM, Kingsley Charles <[email protected]> wrote:

Hi all

 

We all know that NAT/PAT and firewall might break IPSec. We use NAT-T, IPSec over UDP and IPSec over TCP.

 

Some firewall will not inspect ESP traffic hence by wrapping ESP into TCP or UDP would solve the porblem.

 

Another global problem is NAT or PAT in between IPSec peers.

 

AH won't work either with NAT or PAT as it authenticates the whole packet. So for now lets forget about AH.

 

ESP doesn't authenticate the whole header and hence we can make it work across NAT or PAT devices.

 

Without NAT-T, we can still have ESP across NAT devices by having the remote device to have peer configured as the NATed address.

 

The interesting topic is ESP over PAT. The problem is that ESP doesn't have a port number. How does the PAT device translate the ESP and thus it breaks ESP. Here comes NAT-T which wraps ESP into UDP using port 4500 and hence PAT devices can translate those wrapped packets.

 

I was trying ESP over PAT to see how does IOS breaks IPSec. But it did work. It tracks the translation using the ESP SPI number. I didn't have the IPSec

peer and PAT router for "ip nat service" i.e., ESP SPI matching.

 

Which means IOS routers doing PAT doesn't break ESP and is able to handle it.

 

In the same lines, I used to wonder how IOS PAT routers handle ping across. The ICMP echo-request packets also doesn't have port numbers but I see IOS router tracking ICMP requests translations too.

 
 

So when did this change happen in IOS? IOS router doing PAT doesn't break IPSec using ESP.

 

Please share your thoughts

 
 
 
 
 
 

With regards

Kings

 

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---

Nefkens Advies

Enk 26

4214 DD Vuren

The Netherlands


Tel: +31 183 634730

Fax: +31 183 690113

Cell: +31 654 323221

Email: [email protected]

Web: http://www.nefkensadvies.nl/


 Think before you print.




_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Reply via email to