
A Method For Uninterrupted IPsec Traffic Through NAT Scenarios

IP.com Disclosure Number: IPCOM000239295D
Publication Date: 2014-Oct-27
Document File: 5 page(s) / 385K

Publishing Venue

The IP.com Prior Art Database

Abstract

The IKEv2 protocol does not handle dynamic NAT scenarios. Because of this, traffic sent over the IPsec SA is either dropped or never reaches the peer security gateway. This is frustrating for the user, who may not understand the problem. This paper addresses the problem and proposes a method to ensure that IPsec traffic flows seamlessly even in dynamic NAT scenarios.

Keywords—IPsec; IKEv2; NAT; Internet Security

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 35% of the total text.

Introduction

IPsec (Internet Protocol security) is widely used to protect IP (Internet Protocol) packets. IKEv2 (Internet Key Exchange version 2) is the key exchange protocol used to negotiate, create and maintain IPsec Security Associations (IPsec SAs). IPsec is used both in site-to-site scenarios and in remote access scenarios. In remote access scenarios the user is roaming and does not have a static IP address.

Remote access VPN (Virtual Private Network) is widely used to access corporate networks from anywhere. In a remote access VPN scenario, the remote user runs VPN client software to establish a secure tunnel with the corporate VPN server and accesses the corporate network through that tunnel. The VPN client uses the IKEv2 protocol to establish the secure tunnel.

A typical user of remote access VPN is not expected to have any knowledge of IPsec or related technologies. The remote user will not know about NAT (Network Address Translation) or the concept of a private IP address, and will not know whether the device is behind a NAT, whether the device or laptop has moved out of a NAT, or whether NAT has been enabled dynamically. The user only knows that with a few mouse clicks the connection to the corporate network is established and the corporate network becomes accessible.

The problem with dynamic NAT

Consider the following scenario:

The remote user is behind an edge gateway with public access and has established a secure tunnel, as shown in Fig. 1. Once the IPsec SA is created, the remote user can access the corporate network securely and is issued a private IP address from an IP address pool maintained by the corporate security gateway.

Fig. 1.    Remote access scenario

After the tunnel is established, NAT is enabled on the edge gateway, as shown in Fig. 2.

Fig. 2.    Drop in connection when NAT is enabled dynamically

Once NAT is enabled on the edge router, the source IP address of the IPsec (ESP) packets changes. The corporate VPN server simply drops these IPsec packets, because it has no SA for the modified source IP address. As a result the remote user suddenly cannot reach the corporate network. Worse, the remote user will not know about the loss of communication, because the IPsec SA is already set up. The loss of communication persists until the IPsec SA lifetime expires. Dead peer detection (DPD) does not help, because IKE communication continues normally.
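The failure mode described above, as an added Python simulation that is not part of the original disclosure: a hypothetical corporate VPN server indexes inbound ESP on (source address, SPI), so it accepts the remote user's traffic before NAT is enabled on the edge gateway and drops it afterwards, while IKE messages, matched on the SPI in their header, keep flowing exactly as the text says. The second check re-derives the IKEv2 NAT_DETECTION_SOURCE_IP digest (RFC 7296, section 2.23: SHA-1 over SPIi, SPIr, IP address and port) for each inbound IKE message and compares it with the digest recorded at IKE_SA_INIT; that per-message re-check is a detection hook added here for illustration, not standard IKEv2 behaviour, which performs the comparison only during IKE_SA_INIT. The class and function names, addresses, SPIs and log lines are all constructed sample values.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, field


def nat_detection_digest(spi_i: bytes, spi_r: bytes, addr: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP address | port): the payload data of the IKEv2
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications."""
    ip_bytes = ipaddress.ip_address(addr).packed
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


@dataclass
class IkeSa:
    spi_i: bytes
    spi_r: bytes
    peer_addr: str
    peer_port: int
    peer_nat_d_src: bytes          # NAT-D digest matching the peer's source at IKE_SA_INIT
    child_spis: set = field(default_factory=set)


@dataclass
class VpnServer:
    """Hypothetical corporate VPN server model, not a real implementation."""
    ike_sas: dict = field(default_factory=dict)   # SPIr -> IkeSa
    esp_sas: dict = field(default_factory=dict)   # (peer address, ESP SPI) -> SPIr
    log: list = field(default_factory=list)

    def establish(self, spi_i, spi_r, src_addr, src_port, child_spi):
        """IKE_SA_INIT and IKE_AUTH completed: record the IKE SA, the NAT-D digest
        for the peer's source, and the inbound ESP SA keyed on that source address."""
        digest = nat_detection_digest(spi_i, spi_r, src_addr, src_port)
        self.ike_sas[spi_r] = IkeSa(spi_i, spi_r, src_addr, src_port, digest, {child_spi})
        self.esp_sas[(src_addr, child_spi)] = spi_r

    def receive_esp(self, src_addr, spi):
        """Inbound ESP is matched on (source address, SPI); a packet whose source
        was rewritten by a NAT enabled after setup finds no SA and is dropped."""
        if (src_addr, spi) in self.esp_sas:
            self.log.append(f"ESP accept src={src_addr} spi={spi:#x}")
            return True
        self.log.append(f"ESP drop src={src_addr} spi={spi:#x}: no SA for this source")
        return False

    def receive_ike(self, spi_r, src_addr, src_port):
        """Inbound IKE (e.g. a DPD exchange) is matched on the SPI in its header, so
        it still succeeds after NAT. Added check (not standard IKEv2): recompute the
        NAT-D digest for the observed source and compare it with the recorded one;
        a mismatch means a NAT appeared after the SA was built. Returns True then."""
        sa = self.ike_sas[spi_r]
        observed = nat_detection_digest(sa.spi_i, sa.spi_r, src_addr, src_port)
        if observed != sa.peer_nat_d_src:
            self.log.append(f"IKE SPIr={spi_r.hex()} now arrives from {src_addr}:{src_port}, "
                            f"NAT-D mismatch: NAT enabled after SA setup")
            return True
        return False


def run_scenario():
    """Replays Fig. 1 (tunnel up, no NAT) and then Fig. 2 (NAT enabled on the edge).
    Addresses are RFC 5737 documentation ranges; SPIs are constructed values."""
    server = VpnServer()
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    child_spi = 0xC0FFEE01
    server.establish(spi_i, spi_r, "198.51.100.10", 500, child_spi)   # Fig. 1
    esp_before = server.receive_esp("198.51.100.10", child_spi)       # accepted
    esp_after = server.receive_esp("203.0.113.5", child_spi)          # Fig. 2: dropped
    nat_seen = server.receive_ike(spi_r, "203.0.113.5", 500)          # IKE still matched, NAT flagged
    return esp_before, esp_after, nat_seen, server.log


if __name__ == "__main__":
    for line in run_scenario()[3]:
        print(line)
```

Running the script prints the server's log: the first ESP packet is accepted, the second is dropped with the translated source address, and the IKE message is still matched by SPI but flagged by the digest comparison. The digest comparison is what makes the silent drop visible to an operator; without it, the only symptom is the absence of ESP traffic until the SA lifetime expires, exactly the situation the text describes.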

The following sections propose a solution to the above problem.

Solution to Dynamic NAT problem

The solution to Dynamic N...