2125 Views | 4 Helpful | 5 Replies

How does IKE work through a firewall - with NO NAT-T?

Andrew Ward
Level 1

Hi,

This is a question about the fundamental operation of IKE. I have searched the web, but have struggled to find good quality documentation (including the RFCs).

I have a fully working site-to-site VPN between an ASA and an 1800 series router. In between the 2 devices is a Checkpoint firewall which is performing NAT on the ASA VPN endpoint address (from a private 10.x.x.x to an Internet address). The 1800 is configured with an Internet address and has no firewall between it and the Internet (I should say this is a test setup, so there is little behind the 1800).

Both devices have NAT-T DISABLED (no crypto ipsec nat-transparency udp-encaps).

As I say, this setup works fine, but in packets 5 & 6 of IKE, why does the 1800 not complain about the ID of the ASA (i.e. 10.x.x.x) being different from the peer address (the Internet address introduced by the Checkpoint NAT)?

My understanding is that this should fail peer authentication, but I'm obviously wrong. Either this check is not performed as part of peer authentication or the 2 devices are overcoming the NAT issue in some way beyond my understanding.

Any suggestions, or links to 'good' documentation would be appreciated.

Thanks,

Andy.

5 Replies

Hi Andy,

Just to understand something: you mentioned there's a Checkpoint firewall doing NAT for the private IP of the ASA.

In order to establish the VPN tunnel between the ASA and the router (if going through the internet), the router should have set its peer to the NATed IP of the ASA.

In other words, the router cannot set its peer to the real private IP of the ASA because it can't reach it through the Internet.

If this is not the case please clarify.

Federico.

Federico,

Yes, that is correct. The peer set up on the router is the NAT address applied by the Checkpoint (static NAT).

Thanks, Andy.

praprama
Cisco Employee

Hi Andy,

Well, based on your description of the behaviour, since the VPN is coming up fine, I assume that you are using ESP and that the ASA's IP address is statically NATed to a public IP address on the Checkpoint firewall.

I am saying this because if you were using AH for IPsec, this would not work, as in AH the entire payload is hashed and added as an authenticator at the end of the payload. So if the IP address is modified by an intermediate NAT device, this hash value will not match at the end and it will not work. So AH will not work.

Now, regarding the identity not matching for messages 5 and 6 of IKE phase 1: yes, it is true that it will not match, but when working with Cisco devices, they do not perform a strict check of those and at most pop up a warning about the mismatch. Now, if you were using some 3rd-party devices (for example, in place of the 1800, if there was a Checkpoint, as I have seen this happening for a fact), if they implement a strict check of the ISAKMP identities, the VPN tunnel fails with an error regarding Invalid ID or mismatched ID.

Unfortunately, I do not have a document about this. But I am saying the above based on my experience and what I have seen happening in different scenarios.

Hope this helps!!

Thanks and Regards,

Prapanch

Prapanch,

Thanks for the reply. Yes, your assumption is correct: static NAT on the Checkpoint and ESP.

So with ESP the ID field does not influence the hash and so is not verified by the hashing mechanism? Is there then an 'optional' separate check of the ID field against the peer address?

And following on from this question - would such ID checking be bi-directional? The reason I ask is that I have seen some VPN devices which have a separate ID field (in their setup GUI) but just for incoming VPN connections, which suggests that they only check the ID on IKE initiated by the peer.

Regards, Andy.

Hello,

I know that this is an old post, but I could not find another, more recent post that would help with my question.

I have the same question about identification during messages 5 and 6. For example, my side is configured with a private IP which is NATed, and the other side with a public IP, and the other side configures its pre-shared key with "crypto isakmp key bla-bla address <public IP of mine>". Now, when I send my identification (private IP) in message 5, how does the opposite side do its lookup? Because the pre-shared key that I sent is configured with another IP, not the private one.
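The two checks this thread turns on, the ID payload from messages 5/6 compared against the address the peer's packets arrive from and the pre-shared key lookup asked about in the last post, modelled in Python as an added example that is not from the thread or from any Cisco code. The addresses, the PSK table and the payload bytes are constructed; the lenient/strict switch stands in for the warn-versus-fail behaviour Prapanch describes.

```python
import ipaddress
import struct

# IKEv1 Identification payload ID types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_KEY_ID = 1, 2, 3, 11

# Constructed PSK table keyed by the address the responder sees on the wire,
# like "crypto isakmp key <psk> address <public IP>". Placeholder key material.
PSK_BY_PEER_ADDRESS = {"203.0.113.10": b"placeholder-psk-for-asa-site"}

def lookup_psk(packet_src):
    """Main mode: messages 5/6 are encrypted with keys derived from the PSK,
    so the responder must pick the PSK by packet source address (the NATed
    address), not by the ID payload it cannot decrypt yet."""
    return PSK_BY_PEER_ADDRESS.get(packet_src)

def build_ipv4_id_payload(ip):
    """Constructed ID_IPV4_ADDR payload: generic header (next payload, reserved,
    length) then ID type, protocol ID, port and the four address bytes."""
    data = ipaddress.IPv4Address(ip).packed
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), ID_IPV4_ADDR, 0, 0) + data

def parse_id_payload(raw):
    """Parse a decrypted Identification payload into (id_type, identity)."""
    _next, _reserved, length = struct.unpack("!BBH", raw[:4])
    id_type, _proto, _port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN, ID_KEY_ID):
        return id_type, data.decode("ascii")
    raise ValueError(f"unsupported ID type {id_type}")

def check_peer_identity(packet_src, id_payload, strict):
    """Compare the ID the peer asserts with the address its packets come from.
    Behind static NAT they differ: a strict check rejects, a lenient one (the
    Cisco behaviour described in the thread) warns and continues."""
    id_type, identity = parse_id_payload(id_payload)
    mismatch = id_type == ID_IPV4_ADDR and identity != packet_src
    return {"identity": identity, "mismatch": mismatch,
            "accepted": not (mismatch and strict),
            "warning": "ID payload does not match peer address" if mismatch else None}

if __name__ == "__main__":
    payload = build_ipv4_id_payload("10.1.1.1")   # ASA's private ID (constructed)
    print(check_peer_identity("203.0.113.10", payload, strict=False))
    print(check_peer_identity("203.0.113.10", payload, strict=True))
```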
