Configuring IP security (IKEv2) to work with NAT

Starting with AIX 7.3, AIX IP Security (IPsec) supports the Network Address Translation Traversal (NAT-T) function with Internet Key Exchange Version 2 (IKEv2).

AIX IP Security with IKEv2 can detect the presence of a NAT device during the Internet Key Exchange (IKE) Phase 1 negotiation. Use the ENABLE_IPSEC_NAT_TRAVERSAL_IKEV2 and NAT_KEEPALIVE_INTERVAL variables in the /etc/isakmpd.conf file to enable IPsec to detect and traverse a NAT device.

NAT traversal support is disabled by default on AIX; you must enable it explicitly.

You can set the following variables to support the NAT-T function:
ENABLE_IPSEC_NAT_TRAVERSAL_IKEV2
To detect whether a network address translation (NAT) device is present between the IP Security (IPsec) endpoints, set the ENABLE_IPSEC_NAT_TRAVERSAL_IKEV2 variable in the /etc/isakmpd.conf file. This configuration also determines where the NAT device is located: the initiator endpoint can be behind a NAT device, the responder endpoint can be behind a NAT device, or both endpoints can be behind a NAT device. An IPsec endpoint that is behind a NAT device must generate NAT keepalive messages to keep the NAT mappings alive. When you set the ENABLE_IPSEC_NAT_TRAVERSAL_IKEV2 variable, filter rules are added for traffic that is sent or received on port 4500. If a NAT device is detected in the network, both IKE and Encapsulating Security Payload (ESP) traffic use User Datagram Protocol (UDP) encapsulation.

The following example shows the filter rules when the ENABLE_IPSEC_NAT_TRAVERSAL_IKEV2 variable is set.

Dynamic rule 2:
Rule action         : permit
Source Address      : 0.0.0.0 (any)
Source Mask         : 0.0.0.0 (any)
Destination Address : 0.0.0.0 (any)
Destination Mask    : 0.0.0.0 (any)
Source Routing      : no
Protocol            : udp
Source Port         : 0 (any)
Destination Port    : 4500
Scope               : local
Direction           : inbound
Fragment control    : all packets
Tunnel ID number    : 0

Dynamic rule 3:
Rule action         : permit
Source Address      : 0.0.0.0 (any)
Source Mask         : 0.0.0.0 (any)
Destination Address : 0.0.0.0 (any)
Destination Mask    : 0.0.0.0 (any)
Source Routing      : no
Protocol            : udp
Source Port         : 4500
Destination Port    : 0 (any)
Scope               : local
Direction           : outbound
Fragment control    : all packets
Tunnel ID number    : 0

If you set the ENABLE_IPSEC_NAT_TRAVERSAL variable, additional filter rules are added to the filter table. Special IPsec NAT messages use UDP encapsulation, and filter rules must be added to allow this traffic to flow.

There are no configuration options to enable or disable NAT traversal for a Phase 2 IPsec security association. Whether NAT traversal applies to an IPsec security association is determined by the Phase 1 security association that is used when the IPsec security association is negotiated.

NAT_KEEPALIVE_INTERVAL
IPsec also sends NAT keepalive messages to maintain the mapping between the original IP address and the NAT address. The interval is specified by the NAT_KEEPALIVE_INTERVAL variable in the /etc/isakmpd.conf file, which sets how frequently, in seconds, the NAT keepalive packets are sent. If you do not specify a value for the NAT_KEEPALIVE_INTERVAL variable, the default of 20 seconds is used.
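The following script is an added verification example, not part of the AIX documentation: it reads a copy of the IKE daemon configuration and a saved filter listing in the "Dynamic rule N:" layout shown above, reports the effective keepalive interval (falling back to the documented 20-second default), and confirms that a permit rule for UDP port 4500 exists in each direction. The KEY=VALUE (or bare KEY) line format in isakmpd.conf and the sample inputs are assumptions.

```shell
# Added example, not from the AIX documentation: check that IKEv2 NAT-T is on and
# that the UDP 4500 dynamic filter rules exist. Assumed formats: KEY=VALUE or bare
# KEY lines in isakmpd.conf; a saved filter listing in the "Dynamic rule N:" layout.

# Effective keepalive interval: file value, or the documented default of 20 s.
nat_keepalive_interval() {
    v=$(sed -n 's/^[[:space:]]*NAT_KEEPALIVE_INTERVAL[[:space:]=]*\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-20}"
}

# Count permit rules for UDP 4500 in one direction ("inbound" looks at the
# destination port, "outbound" at the source port) in a saved filter listing.
natt_rule_count() {
    awk -v dir="$2" '
        function flush() {
            port = (dir == "inbound") ? dport : sport
            if (act == "permit" && proto == "udp" && dirn == dir && port == "4500") n++
            act = proto = sport = dport = dirn = ""
        }
        /^Dynamic rule/     { flush() }
        /^Rule action/      { act   = $NF }
        /^Protocol/         { proto = $NF }
        /^Source Port/      { sport = $4 }
        /^Destination Port/ { dport = $4 }
        /^Direction/        { dirn  = $NF }
        END                 { flush(); print n + 0 }
    ' "$1"
}

# Verdict: variable set, positive interval, UDP 4500 permit rule each way (exit 0 = ready).
natt_check() {
    grep -q '^[[:space:]]*ENABLE_IPSEC_NAT_TRAVERSAL_IKEV2' "$1" || return 1
    [ "$(nat_keepalive_interval "$1")" -gt 0 ] || return 1
    [ "$(natt_rule_count "$2" inbound)" -ge 1 ] || return 1
    [ "$(natt_rule_count "$2" outbound)" -ge 1 ]
}

# Constructed sample inputs (not captured from a real host), written into "$1".
write_samples() {
    printf 'ENABLE_IPSEC_NAT_TRAVERSAL_IKEV2\nNAT_KEEPALIVE_INTERVAL=15\n' > "$1/isakmpd.conf"
    printf '%s\n' 'Dynamic rule 2:' 'Rule action         : permit' 'Protocol            : udp' \
        'Source Port         : 0 (any)' 'Destination Port    : 4500' 'Direction           : inbound' \
        'Dynamic rule 3:' 'Rule action         : permit' 'Protocol            : udp' \
        'Source Port         : 4500' 'Destination Port    : 0 (any)' 'Direction           : outbound' \
        > "$1/filters.txt"
}

# Dry run on the samples; on AIX pass /etc/isakmpd.conf and a saved filter listing.
d=${TMPDIR:-/tmp}/natt.$$; mkdir -p "$d"; write_samples "$d"
natt_check "$d/isakmpd.conf" "$d/filters.txt" && echo "NAT-T ready" || echo "NAT-T not ready"
```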

Example of NAT device configuration with IKEv2 NAT-T function

Figure 1. NAT traversal

In this example, the client (Host A) uses a private IP address to connect to a server (Host B) that has a public IP address. The remote endpoints are unknown to the server (Host B), so the server does not initiate any security association with the client (Host A). When you use a NAT device, you must configure it with static IP mapping, so that multiple internal IP addresses are mapped to a single public address; the NAT device differentiates the hosts by using unique port numbers. After you configure the NAT device, on the server (Host B) the AIX Phase 1 IP address is the NAT IP address, and the AIX Phase 2 IP address must be configured as the IP address range 1.0.0.1 to 223.255.254.254 (IPv4) so that the server accepts IPsec connection requests from different clients. With this range, the server can accept connections from all IP addresses that fall in class A, class B, and class C addresses. In this example, the AIX server (Host B) can accept a connection request from a client (Host A) that is behind a NAT device.

The NAT-T function, as defined by the Internet Engineering Task Force (IETF), transmits internal IP addresses to the AIX IPSec NAT peer devices. These internal addresses are not exposed on the external network. However, the internal addresses are available for display at the remote security endpoint. If you want to use the NAT-T function, evaluate whether transmitting internal IP addresses to the AIX NAT IPSec peer devices is acceptable from a security perspective.

Note: Sample configuration XML files of the AIX IPsec NAT-T function are available at the /usr/samples/ipsec location.