Configuring IP security to work with NAT

To use IP Security through a network address translation (NAT) device, set the ENABLE_IPSEC_NAT_TRAVERSAL variable in the /etc/isakmpd.conf file. When this variable is set, dynamic filter rules are added that permit inbound and outbound UDP traffic on port 4500, the port that NAT traversal uses for both IKE negotiation and UDP-encapsulated ESP traffic.

The following example shows the dynamic filter rules that are added when the ENABLE_IPSEC_NAT_TRAVERSAL variable is set. Rule 2 permits inbound UDP traffic to destination port 4500; rule 3 permits outbound UDP traffic from source port 4500.
Dynamic rule 2:
Rule action         : permit
Source Address      : 0.0.0.0 (any)
Source Mask         : 0.0.0.0 (any)
Destination Address : 0.0.0.0 (any)
Destination Mask    : 0.0.0.0 (any)
Source Routing      : no
Protocol            : udp
Source Port         : 0 (any)
Destination Port    : 4500
Scope               : local
Direction           : inbound
Fragment control    : all packets
Tunnel ID number    : 0

Dynamic rule 3:
Rule action         : permit
Source Address      : 0.0.0.0 (any)
Source Mask         : 0.0.0.0 (any)
Destination Address : 0.0.0.0 (any)
Destination Mask    : 0.0.0.0 (any)
Source Routing      : no
Protocol            : udp
Source Port         : 4500
Destination Port    : 0 (any)
Scope               : local
Direction           : outbound
Fragment control    : all packets
Tunnel ID number    : 0

Setting the ENABLE_IPSEC_NAT_TRAVERSAL variable adds these rules to the filter table because IP Security NAT traversal encapsulates ESP packets in UDP, and that UDP traffic must be permitted by the filter or the tunnel cannot carry data. In addition, phase 1 must use signature mode (certificate-based authentication). If an IP address is used as the identifier in the certificate, it must be the private (pre-translation) IP address of the host, not the address that appears on the far side of the NAT device.

IP Security also sends NAT keepalive messages so that the NAT device retains the mapping between the original IP address and the NAT address while the tunnel is idle. The interval is set by the NAT_KEEPALIVE_INTERVAL variable in the /etc/isakmpd.conf file, which specifies in seconds how frequently NAT keepalive packets are sent. If you do not set NAT_KEEPALIVE_INTERVAL, the default of 20 seconds is used. Choose a value shorter than the UDP mapping timeout of the NAT device in between; if the mapping expires, inbound traffic from the peer is dropped until this host sends again.
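As an added example (not part of the AIX documentation), the following shell script checks the settings this page describes: whether ENABLE_IPSEC_NAT_TRAVERSAL is set, what the effective NAT_KEEPALIVE_INTERVAL is (applying the 20-second default when the variable is absent), and whether a dynamic filter-rule listing contains the two port-4500 rules shown above. It assumes that /etc/isakmpd.conf uses VARIABLE=value lines and that the listing has the layout shown above. The two sample configuration files are constructed inline; the sample listing is copied from the rules above, trimmed to the fields the check reads. On a live system you would point the rule check at the actual listing instead of the sample file (the lsfilt command with its dynamic-rule option, which this page does not show, produces that listing).

```shell
#!/bin/sh
# Added example, not from the AIX documentation: check NAT traversal settings
# and verify that the port-4500 dynamic filter rules are present.
# Assumptions: /etc/isakmpd.conf uses VARIABLE=value lines; the rule listing has
# the layout shown on the page ("Dynamic rule N:" followed by "Field : value").

TMP=${TMPDIR:-/tmp}
CONF_ON=$TMP/natt_on.$$.conf
CONF_OFF=$TMP/natt_off.$$.conf
RULES_FULL=$TMP/natt_full.$$.txt
RULES_PARTIAL=$TMP/natt_partial.$$.txt
trap 'rm -f "$CONF_ON" "$CONF_OFF" "$RULES_FULL" "$RULES_PARTIAL"' EXIT

# Constructed sample: NAT traversal enabled, keepalive interval left at default.
cat > "$CONF_ON" <<'EOF'
# constructed sample of /etc/isakmpd.conf
ENABLE_IPSEC_NAT_TRAVERSAL=1
EOF

# Constructed sample: NAT traversal not enabled, explicit 30-second keepalive.
cat > "$CONF_OFF" <<'EOF'
# constructed sample of /etc/isakmpd.conf
NAT_KEEPALIVE_INTERVAL=30
EOF

# Sample listing copied from the two rules shown on the page, trimmed to the
# fields the check reads.
cat > "$RULES_FULL" <<'EOF'
Dynamic rule 2:
Rule action         : permit
Protocol            : udp
Source Port         : 0 (any)
Destination Port    : 4500
Direction           : inbound

Dynamic rule 3:
Rule action         : permit
Protocol            : udp
Source Port         : 4500
Destination Port    : 0 (any)
Direction           : outbound
EOF

# Constructed failure case: only the inbound rule is present.
sed -n '1,6p' "$RULES_FULL" > "$RULES_PARTIAL"

# Print 1 if ENABLE_IPSEC_NAT_TRAVERSAL is set to a non-zero value, else 0.
nat_traversal_enabled() {
    awk -F= '$1 == "ENABLE_IPSEC_NAT_TRAVERSAL" { v = $2; gsub(/[ \t]/, "", v) }
             END { r = (v != "" && v != "0") ? 1 : 0; print r }' "$1"
}

# Print the effective keepalive interval in seconds: the configured value,
# or the documented default of 20 when the variable is absent or not numeric.
nat_keepalive_interval() {
    awk -F= '$1 == "NAT_KEEPALIVE_INTERVAL" { v = $2; gsub(/[ \t]/, "", v) }
             END { r = (v ~ /^[0-9]+$/) ? v : 20; print r }' "$1"
}

# Parse a dynamic filter-rule listing and report whether both NAT traversal
# rules exist: a permit rule for inbound UDP to port 4500 and one for
# outbound UDP from port 4500. Prints "ok" or a description of what is missing.
check_nat_t_rules() {
    awk '
        function flush() {
            if (action == "permit" && proto == "udp") {
                if (dir == "inbound"  && dport == "4500") inb = 1
                if (dir == "outbound" && sport == "4500") outb = 1
            }
            action = proto = sport = dport = dir = ""
        }
        /^Dynamic rule/     { flush() }
        /^Rule action/      { action = $NF }
        /^Protocol/         { proto = $NF }
        /^Source Port/      { sport = $4 }
        /^Destination Port/ { dport = $4 }
        /^Direction/        { dir = $NF }
        END {
            flush()
            if (inb && outb)  print "ok"
            else if (inb)     print "missing outbound udp sport 4500 rule"
            else if (outb)    print "missing inbound udp dport 4500 rule"
            else              print "missing both NAT-T rules"
        }' "$1"
}

echo "NAT traversal enabled (sample on):  $(nat_traversal_enabled "$CONF_ON")"
echo "NAT traversal enabled (sample off): $(nat_traversal_enabled "$CONF_OFF")"
echo "keepalive interval (sample on):     $(nat_keepalive_interval "$CONF_ON")s"
echo "keepalive interval (sample off):    $(nat_keepalive_interval "$CONF_OFF")s"
echo "filter rules (full listing):        $(check_nat_t_rules "$RULES_FULL")"
echo "filter rules (inbound only):        $(check_nat_t_rules "$RULES_PARTIAL")"
```

The rule check deliberately requires both directions: a host that only permits inbound UDP 4500 will accept the peer's packets but never get its own keepalives or encapsulated ESP out through the filter, which looks like a tunnel that negotiates and then passes no traffic.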