AH and NAT-T not working?

Hi,

I am trying to configure a LAN-to-LAN IPsec tunnel between two routers, using AH as the packet authentication mechanism (transform-set = esp-des ah-md5-hmac) and having a NAT device in the path between the peers.

I see that NAT-T is being negotiated and also see that UDP encaps are enabled through the 'show cry ipsec sa' command.

But end-to-end communication between the protected networks does not happen.

I also see that the two peers are exchanging some packets over UDP/4500 if I debug ip packet on the routers on the path.

Does NAT-Traversal work with AH? It works fine with ESP.

Any help would be appreciated.

Thanks in advance,

Mohan

7 Replies

aacole
Level 5

Hi Mohan,

NAT-T is for ESP only.

Andy

johansens
Level 4

If you think about it, it's impossible for AH to work with NAT/PAT.. AH makes a hash of the entire packet (with some very few exceptions) to make sure it hasn't been altered on the way.. NAT/PAT does exactly this, alters the packet's IP addresses.

So.. NAT-T doesn't work with AH.

Hi,

I agree that AH will not work with NAT/PAT, but logically it must work with NAT-T. NAT and NAT-T are two different things. In fact, the very reason for the existence of NAT-T is that AH cannot work across NAT/PAT and ESP cannot work across PAT (ESP can work across NAT).

So, my question still remains. Why is AH not working with NAT-T?

Theoretically it must work like this:

AH Peer------NAT/PAT------AH Peer

1. If NAT-T is enabled on both peers, they must negotiate that they are NAT-T capable.

2. Then they test if there is a NAT/PAT device between them.

3. If they find that there is a NAT or PAT device between them, then they decide to use NAT-T. (NAT-T will encapsulate AH packets into UDP/4500 to avoid NAT/PAT issues with AH)

4. Once they decide to use NAT-T, both ends must encapsulate AH inside UDP/4500. At the other end, UDP/4500 is stripped off and the original AH packet is processed by IPsec.

But, this is not working in my case. If any of the above is incorrect, please correct me.

Thanks in advance,

Mohan

I know what you mean, but it won't work. The problem is that AH provides authentication for the packet headers, and NAT-T modifies these headers, so it violates the authentication.

AH and NAT-T cannot co-exist. I found a couple of documents that describe this in a bit more detail.

http://madcow.fx-services.com/fx/htmldocs/ipsec/pg_0089.htm

http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint121504.mspx

http://www.sandelman.ottawa.on.ca/ipsec/2001/08/msg00063.html

The last link seems to indicate that the IETF had considered providing support for AH with NAT-T but never did put it into practice.

Andy

There is of course nothing stopping you from writing your own protocol to allow AH to be NAT'ed, but it lies in the very nature of what AH is supposed to do to not allow it to be modified...

3) This is for ISAKMP/ESP, not for AH...

4) This is for ISAKMP/ESP, not for AH...

A little background is needed:

There are (were) two competing standards for NAT-Traversal. One written by SSH Communications and another co-authored by F-Secure, Microsoft, Cisco, and Nortel. In 2001 they got together and merged into one (i.e. more or less squashed SSH's proposal..).

SSH's standard allowed for NAT of AH-packets. Cisco's (++) didn't.. here's an excerpt from the RFC (as written by Cisco & "Friends"):

UDP Encapsulation of IPsec ESP Packets (http://www.ietf.org/rfc/rfc3948.txt)

"Because the protection of the outer IP addresses in IPsec AH is inherently incompatible with NAT, the IPsec AH was left out of the scope of this protocol specification."

Check here for info from Cisco on UDP Encapsulation and what it solves:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html#wp1041421

I believe step 3 above is incorrect. NAT-T encapsulates ESP. It will not encapsulate an AH header. AH is used to verify the entire packet integrity. Consequently AH is the last step applied, even after NAT-T.
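The point the replies above keep returning to, that the AH integrity check covers the outer IP addresses while ESP's does not, can be shown with a small constructed model. This is an added example, not code from the thread or from Cisco; it builds an IPv4+AH transport-mode packet with HMAC-MD5-96 (the `ah-md5-hmac` transform from the original question), zeroes the mutable IPv4 fields the way RFC 4302 describes, and then shows that a TTL decrement (a normal router hop) leaves the ICV valid while a NAT rewrite of the source address does not. The key and addresses are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread
AH_PROTO = 51                  # IP protocol number for AH
IPV4_FMT = "!BBHHHBBH4s4s"     # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Build a 20-byte IPv4 header; checksum left zero (AH ignores it anyway)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """RFC 4302: TOS, flags/fragment offset, TTL and checksum are mutable and are
    zeroed before hashing; addresses, length, ID and protocol remain covered."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4_FMT, *f)

def ah_icv(ip_hdr, ah_no_icv, payload):
    """HMAC-MD5-96: HMAC over the immutable header, AH header with ICV zeroed, and payload."""
    data = zero_mutable(ip_hdr) + ah_no_icv + b"\x00" * 12 + payload
    return hmac.new(KEY, data, hashlib.md5).digest()[:12]

def build_ah_packet(src, dst, payload, spi=0x100, seq=1):
    """IPv4 | AH (12-byte header + 12-byte ICV) | payload, transport mode."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 24 + len(payload))
    # next header = 17 (UDP), payload length = 24/4 - 2 = 4, reserved, SPI, sequence
    ah_no_icv = struct.pack("!BBHII", 17, 4, 0, spi, seq)
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, payload) + payload

def verify_ah(packet):
    """Receiver-side check: recompute the ICV and compare in constant time."""
    ip_hdr, ah_no_icv, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    return hmac.compare_digest(ah_icv(ip_hdr, ah_no_icv, payload), icv)

def decrement_ttl(packet):
    """What every router hop does; TTL is mutable, so the ICV still verifies."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]

def nat_rewrite_src(packet, new_src):
    """What a NAT device does: overwrite the source address (bytes 12..15)."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]
```

ESP, by contrast, computes its ICV only over the ESP header and payload (RFC 4303), which is why a UDP/4500 wrapper whose outer addresses get rewritten by NAT does not disturb it.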

Friends,

Thank you all for your inputs. I now know that NAT-T works only with ESP. But my question is, why not with AH?

All NAT-T has to do is encapsulate the final AH packet (protocol = 51) into a new UDP packet with port No. 4500. Please note that this new UDP header is not AH protected. This is just a plain UDP header that has the IP addresses of the IPsec end-points. So there is no question of integrity failure because the NAT changed the IP address. In this case, NAT only changes the IP address of the newly formed UDP/IP packet and NOT the original IP header of the AH protected packet. The original AH protected packet is de-encapsulated only at the final end of the IPsec peer. All this means is that the AH protected IP packet travels inside a newly formed UDP/IP packet from the source to the destination peer, without undergoing any change.

p.dath, if my understanding is correct, NAT-T encapsulation is performed last. AH is done first and that AH protected packet is encapsulated by NAT-T with UDP/4500 and transmitted out of the interface.

I hope that clarifies a bit :)

Thanks for your inputs again,

Regards,

Mohan