GRE

Terminating a GRE/IPSEC tunnel behind NAT

Suppose I need (for whatever reason ;)) a site-to-site VPN, but also need to terminate the GRE/IPSEC tunnel on a device which is behind a NAT. The following diagram illustrates the scenario:

Figure: GRE over IPSEC, terminating both behind NAT

We need to have an IPSEC SA between RLeft and RRight and we need to have a GRE VTI between RLeft and RRight, running over this SA. The SA will secure and encapsulate the GRE traffic.

Some initial notes

If RRight sits behind NAT, the normal GRE/IPSEC operation runs into a problem. NATRouter rewrites the source address of every packet leaving RRight to the public address it translates it to, 172.16.20.3. RLeft knows nothing about the NAT in between: all it sees are packets arriving from 172.16.20.3, not from RRight's real interface address, and it addresses its replies to 172.16.20.3 as well. So RRight has to peer and authenticate as 172.16.20.3, which is why we bring up a loopback on RRight holding that address. This also explains why the design cannot work with NAT interface overloading (PAT) on NATRouter: with overloading the translated address is the address of NATRouter's own fa0/0 interface, so the loopback on RRight would have to carry the same address as NATRouter's outside interface, and packets destined for that address could no longer be routed back unambiguously to RRight. A one-to-one (static) translation to a separate public address is what makes the setup work.

NAT traversal

A note worth mentioning: the NAT transparency feature, known in some sources as the "UDP wrapper" or "UDP encapsulation", has been enabled by default since IOS 12.2(13)T. It lets the IPSEC endpoints detect whether a NAT sits somewhere on the path. During the ISAKMP negotiation each end sends NAT-D payloads, which are hashes of the source and destination IP address and port as that end sees them. Each peer recomputes the same hashes over the addresses and ports it actually observes on the received packet and compares them; any mismatch means a NAT rewrote the packet somewhere in between. If both endpoints support NAT-T (in our case they do), they then negotiate whether to use it. The final, and most important, step is to encapsulate every ISAKMP packet and every packet of the IPSEC SA in a new UDP header, so that the NAT can translate them like ordinary UDP traffic: ISAKMP starts on UDP port 500 and, once a NAT is detected, both ISAKMP and the UDP-encapsulated ESP move to UDP port 4500. Two caveats are worth knowing: only ESP can be carried this way, because AH authenticates the very IP header that the NAT modifies, and the NAT's translation entry has to be kept alive with NAT-T keepalives while the tunnel is idle, otherwise packets from RLeft will have no translation to follow back to RRight.
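The following Python is an added example, not code from the original post and not Cisco's implementation. It simulates the NAT-D exchange described above, with NATRouter rewriting RRight's source address in between, so RLeft can see the address mismatch that both the identity problem in the notes and the NAT-T detection rest on. It also builds the UDP/4500 wrapper and shows how a receiver tells wrapped ESP from ISAKMP on that port. The ISAKMP cookies, RRight's inside address 192.168.1.2 and RLeft's address 172.16.10.1 are constructed sample values; 172.16.20.3 is the NAT public address from the post.

```python
"""NAT detection and UDP encapsulation as IKE NAT-T does it (RFC 3947/3948).

Added example, not code from the original post. Cookies, ports, RRight's inside
address (192.168.1.2) and RLeft's address (172.16.10.1) are constructed values;
172.16.20.3 is the NAT public address used in the post.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

IKE_PORT = 500        # ISAKMP before a NAT is detected
NAT_T_PORT = 4500     # ISAKMP and UDP-encapsulated ESP once NAT-T is in use


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 4.
    The real hash is the one negotiated for the SA; SHA-1 is assumed here."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


@dataclass
class IkeMessage:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_d: list  # first: hash of the peer's address; then hash(es) of own address


def with_nat_d(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port) -> IkeMessage:
    """Sender attaches NAT-D hashes of where it thinks the peer is and where it is."""
    return IkeMessage(local_ip, local_port, remote_ip, remote_port, [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ])


def static_nat(msg: IkeMessage, inside_ip: str, public_ip: str) -> IkeMessage:
    """NATRouter with a one-to-one translation: rewrites the source address only.
    The NAT-D payloads sit inside the ISAKMP payload and are left untouched."""
    if msg.src_ip != inside_ip:
        return msg
    return IkeMessage(public_ip, msg.src_port, msg.dst_ip, msg.dst_port, msg.nat_d)


def detect_nat(msg: IkeMessage, cky_i, cky_r, my_ip, my_port):
    """Receiver recomputes the hashes over the addresses it actually sees.
    Returns (peer_behind_nat, self_behind_nat)."""
    peer_view_of_me, *peer_own = msg.nat_d
    self_behind_nat = peer_view_of_me != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    peer_behind_nat = nat_d_hash(cky_i, cky_r, msg.src_ip, msg.src_port) not in peer_own
    return peer_behind_nat, self_behind_nat


def udp_encapsulate(payload: bytes, ike: bool) -> bytes:
    """RFC 3948 UDP wrapper on port 4500. ESP follows the UDP header directly;
    ISAKMP on 4500 gets a 4-byte zero 'non-ESP marker' first, so the receiver
    can tell the two apart (an ESP SPI is never zero). UDP checksum left at 0."""
    body = (b"\x00\x00\x00\x00" if ike else b"") + payload
    return struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(body), 0) + body


def classify_nat_t_datagram(datagram: bytes) -> str:
    """Demultiplex a UDP/4500 datagram: 'ike' if the non-ESP marker is present, else 'esp'."""
    return "ike" if datagram[8:12] == b"\x00\x00\x00\x00" else "esp"


def run_scenario():
    """RRight (behind NATRouter) starts ISAKMP with RLeft; RLeft detects the NAT."""
    cky_i, cky_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    rright_inside, rright_public, rleft = "192.168.1.2", "172.16.20.3", "172.16.10.1"
    # RRight hashes the address it sees on its own interface...
    sent = with_nat_d(cky_i, cky_r, rright_inside, IKE_PORT, rleft, IKE_PORT)
    # ...NATRouter rewrites the source, and RLeft compares against what arrives.
    on_wire = static_nat(sent, rright_inside, rright_public)
    peer_nat, self_nat = detect_nat(on_wire, cky_i, cky_r, rleft, IKE_PORT)
    port = NAT_T_PORT if (peer_nat or self_nat) else IKE_PORT
    return {"peer_behind_nat": peer_nat, "self_behind_nat": self_nat,
            "seen_from": on_wire.src_ip, "port": port}


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows RLeft seeing the peer as 172.16.20.3, flagging the peer as being behind a NAT, and moving the exchange to port 4500; the same `detect_nat` call with an untranslated message reports no NAT on either side. The hash cannot be forged into agreement by the NAT because it is computed by the endpoints over addresses the NAT never sees in clear text as a field it understands.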

Configurations



Posted Saturday, October 10th, 2009 in General, Security, VPNs