IPsec Transport mode with NAT-T | Why doesn't it work?
1) I understand that if ISAKMP identifies any NAT device, it encapsulates ESP in UDP-4500. If this NAT-T mechanism is designed to make IPsec compatible with NAT, why doesn't transport mode work with NAT?
2) If the only difference between tunnel mode and transport mode is the encryption of the original IP header, how does tunnel mode support NAT-T?
3) Why doesn't DMVPN support the NAT-T feature, and why is it that transport mode is a MUST for DMVPN?
I'm not sure about it, but to my limited knowledge, and in my not-so-good English:
1) In a normal NAT environment (without IPsec), not only is the original IP header translated to the public IP address, but the TCP/UDP checksum, which is computed over the TCP/UDP header and the IP header (pseudo-header), is also properly modified to a value that suits the NAT'ed address.
But in IPsec transport mode, because the TCP/UDP header is encrypted, while translating the original IP header the NAT device is not able to modify that TCP/UDP checksum to a value suitable for the NAT'ed address. Then the TCP/UDP checksum will not match at the destination, so the connection isn't established normally.
However, in IPsec tunnel mode (whereas transport mode does not encrypt the original IP header), the original IP header and TCP/UDP checksum are encrypted, so the "new IP header", which carries the IP address of the VPN gateway, can be translated to another IP address with no effect on the original IP header. So the TCP/UDP checksum will match normally against the original IP header and the connection will be established.
2) Well... maybe to make PAT work?
3) I think that IPsec transport mode is "recommended" for DMVPN in order to reduce 20 bytes of overhead. Not a MUST, since the GRE tunnel already hides its own original IP address with the GRE delivery header (public IP address).
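The checksum argument in the answer above, worked through in Python as an added example (not part of the poster's answer): the addresses, ports and payload are constructed, and the three `deliver` branches model what the receiving host verifies after a NAT has rewritten the outer source address in cleartext, ESP transport mode and ESP tunnel mode.

```python
import struct
import ipaddress

def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (pads odd-length input)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum covers the IPv4 pseudo-header (src, dst, proto 6, length)
    plus the segment with its own checksum field (bytes 16-17) zeroed."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return _csum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])

def make_segment(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Minimal TCP SYN segment (constructed ports/seq) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored

def deliver(mode: str, inner_src: str, nat_src: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver's checksum verification after a NAT translated the outer
    source address from inner_src to nat_src. True if the checksum verifies."""
    if mode == "cleartext":
        # Plain NAT: the TCP header is visible, so the NAT rewrites the checksum.
        fixed = segment[:16] + struct.pack("!H", tcp_checksum(nat_src, dst_ip, segment)) + segment[18:]
        return checksum_ok(nat_src, dst_ip, fixed)
    if mode == "transport":
        # ESP transport (even inside UDP 4500): the TCP header is ciphertext, the NAT
        # cannot touch it, and after decryption the only IP header is the translated one.
        return checksum_ok(nat_src, dst_ip, segment)
    if mode == "tunnel":
        # ESP tunnel: the original IP header rides inside ESP, so after decryption
        # the receiver validates against the untouched inner addresses.
        return checksum_ok(inner_src, dst_ip, segment)
    raise ValueError(mode)
```

RFC 3948 addresses exactly this case for UDP-encapsulated transport mode: the peers exchange their original addresses in IKE (NAT-OA payloads) so the decrypting host can recompute or clear the inner TCP/UDP checksum, which is why transport mode behind NAT only works when both ends implement that fix-up.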