Hello there - easy one here I'd imagine for many. I started studying the ASA recently, and as part of my efforts for keeping my CCNP R&S theory inside my head, I've incorporated a couple of ASAs into my GNS3 project. To give myself a hard time as usual, I've placed the ASA behind an edge router which is peering to a couple of BGP ASes.
I'd like to use the ASAs to form an IPSec VPN, and have been curious about how I can achieve this when they are sitting behind a device performing NAT.
I've found some great articles about NAT-T but came across this last paragraph in an article - https://packetpushers.net/site-site-ipsec-vpn-nat/. Namely:
By default, an ASA will encapsulate both IKEv2 negotiation and the IPSec encrypted packets in UDP 500. If you want to use NAT-T and encapsulate the IPSec packets in UDP 4500 then port forward UDP 4500 on the NAT router and enable NAT-T on each ASA:
My question is, is ESP encapsulated with UDP port 500 by default, ONLY if IKEv2 is in use? Is it native to IKEv2? In other words, if my VPN is formed using IKEv2, I have no need to enable NAT-T on the ASA? Whereas, if I were to use IKEv1, I would have to enable NAT-T on the ASA and change the port forward on the edge router to cater for UDP 4500 instead?
Many thanks.
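An added example, not part of the original question or the linked article: a small Python classifier for the UDP datagrams involved, following the RFC 3948 framing that NAT-T uses on UDP/4500 (a four-zero-byte non-ESP marker in front of IKE, a non-zero ESP SPI otherwise, and a single 0xFF byte for keepalives). The sample payloads are constructed, and the SPI values in them are made up; the function is useful when checking a capture on the NAT device to see which ports and encapsulation a tunnel is actually using.

```python
import struct

IKE_PORT = 500    # IKEv1/IKEv2 negotiation without NAT traversal
NATT_PORT = 4500  # NAT-T: IKE (with non-ESP marker) and UDP-encapsulated ESP

def parse_ike_header(data):
    """Decode the 28-byte ISAKMP/IKE header shared by IKEv1 and IKEv2."""
    if len(data) < 28:
        return None
    ispi, rspi, next_pl, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:28])
    return {"major": version >> 4, "exchange": exch, "length": length}

def classify_udp(dport, payload):
    """Label one UDP datagram by destination port and RFC 3948 framing."""
    if dport == IKE_PORT:
        hdr = parse_ike_header(payload)
        if hdr is None:
            return "malformed on UDP/500"
        return f"IKEv{hdr['major']} on UDP/500"
    if dport == NATT_PORT:
        if payload == b"\xff":                    # RFC 3948 NAT-keepalive
            return "NAT-T keepalive"
        if len(payload) < 8:
            return "malformed on UDP/4500"
        if payload[:4] == b"\x00\x00\x00\x00":    # non-ESP marker -> IKE
            hdr = parse_ike_header(payload[4:])
            if hdr is None:
                return "malformed IKE on UDP/4500"
            return f"IKEv{hdr['major']} over NAT-T"
        # Otherwise the datagram starts with an ESP header: SPI (never 0), sequence
        spi, seq = struct.unpack("!II", payload[:8])
        return f"ESP-in-UDP spi=0x{spi:08x} seq={seq}"
    return "not IKE/NAT-T"

def build_ike_header(major, exchange, length=28):
    """Constructed IKE header for demonstration; the SPI is made up."""
    return struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33,
                       major << 4, exchange, 0x08, 0, length)

if __name__ == "__main__":
    samples = [
        (500, build_ike_header(2, 34)),                      # IKE_SA_INIT
        (4500, b"\x00" * 4 + build_ike_header(2, 35)),       # IKE_AUTH via NAT-T
        (4500, b"\x00\x00\xab\xcd\x00\x00\x00\x01" + b"\x00" * 8),
        (4500, b"\xff"),
    ]
    for dport, payload in samples:
        print(dport, classify_udp(dport, payload))
```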