UDP encapsulation of IPSec ESP packets

When building an ESP packet, it can be further encapsulated by placing a UDP header in front of the ESP header. This is known as UDP encapsulation. UDP encapsulation is used to allow IPSec traffic to successfully traverse a NAT device. For more information on NAT traversal (NATT), see IPSec and network address translation devices. z/OS® Communications Server supports NAT traversal for IPv4 traffic only.

z/OS Communications Server supports both tunnel and transport modes of UDP encapsulation.

As shown in Figure 1, UDP-encapsulated transport mode inserts a UDP header between the IP header and the ESP header of a normal transport mode ESP packet.

Figure 1. UDP-encapsulated transport mode
Shows a UDP header between the IP header and the ESP header of a normal transport mode ESP packet.

As shown in Figure 2, UDP-encapsulated tunnel mode inserts a UDP header between the new IP header and the ESP header of a normal tunnel mode ESP packet.

Figure 2. UDP-encapsulated tunnel mode
Shows a UDP header between the new IP header and the ESP header of a normal tunnel mode ESP packet.

When an IPSec UDP-encapsulated packet is built, the source and destination port values in the UDP header are set to the IKE port value of 4500.

Configure the choice of transport or tunnel mode using the IpDataOffer statement in the IP security policy configuration file. For more details about the IpDataOffer statement, see z/OS Communications Server: IP Configuration Reference.

The decision to use a UDP-encapsulated mode is not configured; it is inferred when a NAT is detected between the two IKE daemons.