Chapter 1 IPSec

IPSec NAT Traversal

Network Address Translation (NAT) and Network Address Port Translation (NAPT) are Internet standards that allow a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. NAT devices generate these external addresses from predetermined pools of IP addresses.

When setting up an IPSec tunnel, the presence of a NAT device along the data path has no effect on Phase 1 and Phase 2 IKE negotiations, which always encapsulate IKE packets within User Datagram Protocol (UDP) packets. However, after the Phase 2 negotiations are completed, performing NAT on the IPSec packets causes the tunnel to fail. Of the many reasons why NAT causes disruption to IPSec [5], one reason is that for the Encapsulating Security Protocol (ESP), NAT devices cannot discern the location of the Layer 4 header (because it is encrypted) for port translation. For the Authentication Header (AH) protocol, NAT devices can modify the port number, but the authentication check, which includes the entire IPSec packet, fails.

To solve this problem, NetScreen devices with ScreenOS 3.0.0 or later and the NetScreen-Remote client version 6.0 or later can apply the NAT-Traversal (NAT-T) feature. NAT-T adds a layer of UDP encapsulation after detecting one or more NAT devices along the data path during Phase 1 exchanges.

[5] For a list of IPSec NAT incompatibilities, see draft-ietf-ipsec-nat-reqts-00.txt by Bernard Aboba.
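The three cases above (raw ESP, AH, and UDP-encapsulated ESP passing through a NAT device) can be shown with a toy packet model. This is an added example, not code from the NetScreen manual: the integrity check is a truncated HMAC standing in for the SA's authentication algorithm, the cipher is a stand-in XOR, the gateway address and SA key are constructed, and UDP port 4500 is the NAT-T port defined in RFC 3948 rather than a value from this page.

```python
import hmac, hashlib, struct, ipaddress

KEY = b"constructed-demo-key"                 # constructed SA key, not from the page
ESP, AH, UDP = 50, 51, 17                      # IP protocol numbers
CLIENT, NAT_PUBLIC = "200.1.1.1", "210.2.2.2"  # addresses used in the page's illustration
GATEWAY = "198.51.100.1"                       # constructed: the NetScreen gateway address
INNER = b"inner TCP header and data"           # constructed inner packet (the L4 ports live here)

def icv(data):                                 # toy integrity check value (truncated HMAC)
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ip_hdr(src, dst, proto):                   # minimal outer IPv4 header: src, dst, protocol
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + bytes([proto])

def esp_build(spi, seq, inner):
    # ESP: the ICV covers SPI, sequence number and the encrypted payload, never the outer IP header
    body = struct.pack("!II", spi, seq) + bytes(b ^ 0x5A for b in inner)  # XOR stands in for the cipher
    return body + icv(body)

def esp_verify(pkt):
    return hmac.compare_digest(icv(pkt[:-12]), pkt[-12:])

def ah_build(outer, spi, seq, inner):
    # AH: the ICV covers the outer IP header (addresses included), the AH header and the payload
    ahdr = struct.pack("!II", spi, seq)
    return ahdr + icv(outer + ahdr + inner) + inner

def ah_verify(outer, pkt):
    ahdr, tag, inner = pkt[:8], pkt[8:20], pkt[20:]
    return hmac.compare_digest(icv(outer + ahdr + inner), tag)

def napt(outer, payload, new_src, new_sport):
    # NAPT needs a visible Layer 4 source port to map the flow; with none, it cannot translate
    if outer[8] != UDP:
        return None
    dst = str(ipaddress.IPv4Address(outer[4:8]))
    return ip_hdr(new_src, dst, UDP), struct.pack("!H", new_sport) + payload[2:]

def raw_esp_through_napt():
    outer, pkt = ip_hdr(CLIENT, GATEWAY, ESP), esp_build(0x1001, 1, INNER)
    return napt(outer, pkt, NAT_PUBLIC, 40000) is not None    # False: L4 header is inside the ciphertext

def ah_through_nat():
    outer = ip_hdr(CLIENT, GATEWAY, AH)
    pkt = ah_build(outer, 0x1002, 1, INNER)
    return ah_verify(ip_hdr(NAT_PUBLIC, GATEWAY, AH), pkt)    # False: source address changed under the ICV

def nat_t_through_napt():
    outer = ip_hdr(CLIENT, GATEWAY, UDP)
    pkt = struct.pack("!HH", 4500, 4500) + esp_build(0x1003, 1, INNER)  # NAT-T: ESP carried inside UDP
    new_outer, new_pkt = napt(outer, pkt, NAT_PUBLIC, 40000)
    return new_outer[:4] == ipaddress.IPv4Address(NAT_PUBLIC).packed and esp_verify(new_pkt[4:])
```

Only the UDP-encapsulated case survives the address and port rewrite, because the NAT device now has a UDP port to map and the ESP integrity check never covered the fields it changed.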
NetScreen Concepts & Examples - Volume 4: VPNs, 17

Traversing a NAT Device

In the following illustration, a NAT device at the perimeter of a hotel LAN receives a packet from a VPN dialup client with IP address 200.1.1.1, assigned by its ISP. For all outbound traffic, the NAT device replaces the original source IP address in the outer header with a new address, 210.2.2.2. During Phase 1 negotiations, the VPN client and the NetScreen device detect that both VPN participants support