NAT-T in IKE RFC 3947

NAT-T (NAT Traversal):

Why do we need NAT-T?

If the IPsec peers are behind a NAT device, the NAT device will not be able to do NAT, because an ESP packet does not have any L4 port. With the help of NAT-T we detect whether there is a NAT device in between, and if there is one, we encapsulate ESP in UDP.

ISAKMP phase 1 messages 1 and 2 are used to determine the NAT-T capability of the remote host. Each host sends a vendor ID payload so that the peer can determine whether NAT-T is supported.


NAT-D (NAT Detection):

NAT-D is used to find out whether NAT is happening and also which device is behind the NAT device. The location of the device is important because the device that is behind the NAT device has to initiate keepalives.

For NAT-D, each device creates hashes of the source IP and port and the destination IP and port, and the devices send the hashes to each other. Each device then calculates the hashes itself: if the calculated hash and the received hash match, there is no NAT device in between; otherwise there is a NAT device.

NAT-D payloads are sent in messages 3 and 4 of main mode, and in messages 2 and 3 of aggressive mode.

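+---------------+---------------+---------------+---------------+
| Next Payload  | RESERVED      | Payload length                |
+---------------+---------------+---------------+---------------+
~                 HASH of the address and port                  ~
+---------------+---------------+---------------+---------------+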

The hash is calculated based on the following formula:
HASH = HASH(CKY-I | CKY-R | IP | Port)
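
The hash comparison described above, as an added example that is not part of the original post. It assumes SHA-1 as the negotiated hash; the function names, cookies and addresses are constructed for illustration, and the payload order (destination hash first, then source hash) follows RFC 3947, which goes beyond what the post states.

```python
import hashlib
import ipaddress
import struct

def natd_hash(cky_i, cky_r, ip, port, alg="sha1"):
    """HASH(CKY-I | CKY-R | IP | Port); the port is 2 bytes in network order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(alg, data).digest()

def build_natd(cky_i, cky_r, src, dst):
    """Hashes a peer sends: the remote end (destination) first, then its own source."""
    return natd_hash(cky_i, cky_r, *dst), natd_hash(cky_i, cky_r, *src)

def detect_nat(cky_i, cky_r, natd_dst, natd_src, seen_src, seen_dst):
    """Compare received hashes with hashes of the (ip, port) pairs seen on the wire."""
    return {
        # Sender's idea of our address differs from ours: we are behind NAT.
        "local_behind_nat": natd_dst != natd_hash(cky_i, cky_r, *seen_dst),
        # Sender's own address differs from the packet source: it is behind NAT.
        "remote_behind_nat": natd_src != natd_hash(cky_i, cky_r, *seen_src),
    }

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
INITIATOR = ("192.168.1.10", 500)    # private address behind the NAT device
NAT_PUBLIC = ("203.0.113.5", 1024)   # source after translation by the NAT device
RESPONDER = ("198.51.100.20", 500)

def demo():
    """Responder's verdict with and without a NAT device in the path."""
    dst_hash, src_hash = build_natd(CKY_I, CKY_R, INITIATOR, RESPONDER)
    through_nat = detect_nat(CKY_I, CKY_R, dst_hash, src_hash, NAT_PUBLIC, RESPONDER)
    direct = detect_nat(CKY_I, CKY_R, dst_hash, src_hash, INITIATOR, RESPONDER)
    return through_nat, direct

if __name__ == "__main__":
    for label, verdict in zip(("through NAT", "direct"), demo()):
        print(label, verdict)
```

In the "through NAT" case the responder learns that the initiator is the device behind NAT, so the initiator is the one that has to send keepalives.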


The device that is behind the NAT device will send the keepalives. The keepalives are sent just to keep the NAT entry alive in the NAT device.

Once NAT is detected, the source port and destination port of the traffic are changed to UDP port 4500. In main mode, messages 5 and 6 will use UDP 4500. In aggressive mode, from message 3 onwards the port will be changed to UDP 4500.
