NAT traversal
来源:互联网 发布:pc端口推广 编辑:程序博客网 时间:2024/05/07 01:52
IPsec作为一种重要的安全技术得到越来越广泛的应用,但是客户网络边缘大量使用的NAT地址转换操作可能影响到IPsec的正常操作。目前,NAT和IPsec之间存在的不兼容性问题主要可以分为以下三类:
l IP地址和端口不匹配的问题
l IPsec不能验证NAT报文的问题
l NAT超时影响IPsec的问题
在IKE野蛮模式的基础上实现NAT穿越,很好地解决了此问题。
为了使IKE支持目前广泛应用的通过ADSL及拨号方式构建VPN的方案中的特殊情况――即局端设备的IP地址为固定分配的,用户端设备的IP地址为动态获取的情况,在IKE阶段的协商模式中增加了IKE野蛮模式,它可以选择根据协商发起端的IP地址或者ID来查找对应的身份验证字,并最终完成协商。IKE野蛮模式相对于主模式来说更加灵活,能够支持协商发起端为动态IP地址的情况。
在IPsec/IKE组建的VPN隧道中,若存在NAT网关设备,且NAT网关设备对VPN业务数据流进行了NAT转换的话,则必须配置IPsec/IKE的NAT穿越功能。该功能删去了IKE协商过程中对UDP端口号的验证过程,同时实现了对VPN隧道中NAT网关设备的发现功能,即如果发现NAT网关设备,则将在之后的IPsec数据传输中使用UDP封装(即将IPsec报文封装到IKE协商所使用的UDP连接隧道里)的方法,避免了NAT网关对IPsec报文进行篡改(NAT网关设备将只能够修改最外层的IP和UDP报文头,对UDP报文封装的IPsec报文将不作修改),从而保证了IPsec报文的完整性(IPsec数据加密解密验证过程中要求报文原封不动地被传送到接收端)。目前仅在IKE野蛮模式下支持NAT穿越,主模式下不支持。
---------------------------------------------------------------------------------------------------------------------------------------------------------------------另一篇:
1.从IPsec的角度上说,IPsec要保证数据的安全,因此它会加密和校验数据。
2.从NAT的观点来看,为了完成地址转换,势必会修改IP地址。
2. IKE协商使用UDP封装
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload length |
+---------------+---------------+---------------+---------------+
~ HASH of the address and port ~
+---------------+---------------+---------------+---------------+
HASH值的计算方法如下,具体HASH是根据协商来确定的:
------------ ------------
UDP(500,500) HDR, SA, VID -->
<-- UDP(500,X) HDR, SA, VID
UDP(500,500) HDR, KE, Ni,
NAT-D, NAT-D -->
<-- UDP(500,X) HDR, KE, Nr,
NAT-D, NAT-D
UDP(4500,4500) HDR*#, IDii,
[CERT, ]SIG_I -->
<-- UDP(4500,Y) HDR*#, IDir,
[ CERT, ], SIG_R
2.2 UDP封装协商
UDP-Encapsulated-Transport 4
+---------------+---------------+---------------+---------------+
| Next Payload | RESERVED | Payload length |
+---------------+---------------+---------------+---------------+
| ID Type | RESERVED | RESERVED |
+---------------+---------------+---------------+---------------+
| IPv4 (4 octets) or IPv6 address (16 octets) |
+---------------+---------------+---------------+---------------+
值得注意的是只是在传输模式下需要传NAT-OA载荷,但通道模式下就没必要传了,具体原因看下节UDP封装方法后再说明。
交换过程如下:
------------ ------------
HDR*, HASH(1), SA, Ni, [, KE]
[, IDci, IDcr ]
[, NAT-OAi, NAT-OAr] -->
<-- HDR*, HASH(2), SA, Nr, [, KE]
[, IDci, IDcr ]
[, NAT-OAi, NAT-OAr]
HDR*, HASH(3) -->
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ESP header [RFC4303] |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
----------------------------
IPv4 |orig IP hdr | | |
|(any options)| TCP | Data |
----------------------------
-------------------------------------------------------
IPv4 |orig IP hdr | UDP | ESP | | | ESP | ESP|
|(any options)| Hdr | Hdr | TCP | Data | Trailer |Auth|
-------------------------------------------------------
|<----- encrypted ---->|
|<------ authenticated ----->|
数据包经过NAT设备后,只修改外部IP头和UDP头中的数据,TCP头中的数据是不可能修改的(实际NAT设备也根本看不到TCP头数据,因为是被ESP加密了的)。经过ESP/UDP协议解封装处理,到达应用层时的数据包剩下修改后的外部IP头和原始TCP头,因此TCP头中的校验和必须和修改后的IP头中的地址匹配,否则在应用层看来就是错误的。因此IKE时必须交换NAT-OA载荷,使ESP/UDP处理层知道如何修改TCP校验和,而对于上层的UDP协议,可以简单的将校验和置0即可。
----------------------------
IPv4 |orig IP hdr | | |
|(any options)| TCP | Data |
----------------------------
--------------------------------------------------------------
IPv4 |new h.| UDP | ESP |orig IP hdr | | | ESP | ESP|
|(opts)| Hdr | Hdr |(any options)| TCP | Data | Trailer |Auth|
--------------------------------------------------------------
|<------------ encrypted ----------->|
|<------------- authenticated ------------>|
内部IP头也是ESP载荷的一部分,因此TCP校验和已经是根据内部IP头计算的了,因此在IKE时不用交换NAT-OA载荷,解封处理只需要按顺序依次解开UDP和ESP就能还原原始数据包。
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Non-ESP Marker |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IKE header [RFC4306] |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0xFF |
+-+-+-+-+-+-+-+-+
4. 冲突
| |-------------|----\
+----+ / \ \
A NAT 1 \
\
10.1.2.3 \
+----+ \ / \ +----+ +----+
| |-------------|----------+------| |----------| |
+----+ / \ +----+ +----+
B NAT 2 远程VPN网关 远程服务器
10.1.2.3
在传输模式下更容易发生问题,对于下面的拓扑结构:
+----+
| |
+----+ \
A \
10.1.2.3 \
\
+----+ \ / +----+
| |-----+-----------------| |
+----+ / \ +----+
B NAT 服务器
10.1.2.4 /
/
/
+----+ /
| |/
+----+
C
10.1.2.5
1. 对于IPsec-ESP来说,NAT设备不能找到要做端口转换的port和src IP address的位置(因为它已经被加密了)
2.对外IPsec-AH协议,NAT设备虽然可以看到port和Src IP and Dst IP address,但不可以修改,如果一修改整个IPsec数据包的完整性验证就会失败。IPsec 数据包就会被丢弃。
二 IPsec和NAT和平共处的解决方法:NAT-T
在 IPsec第一阶段IKE SA协商过程中,两端支持NAT-T的VPN 设备会在IPSec 协商路径上检测是否有NAT设备,
1. 如果没有NAT设备,IPSec数据包正常发送,接着进入IKE第二阶段
2. 如果监测到NAT设备,就给要发送出去的IPSec数据包再添加一层UDP封装。可以解决认证检查失败的问题。NAT设备将其作为 UDP 封包处理,更改UDP 包头中的源端口,不修改 AH 或 ESP 中的 SPI 包头。对端的VPN设备将剥开UDP 层并处理 IPSec 封包,这样处理就会通过认证检查,因为对认证过的内容并没有做任何更改。
1.启用NAT-T之后,也只要两端的VPN Gateway之间存在NAT设备时才会激活。
2.要使用NAT-T功能,两端的VPN Peer都必须支持。
- added connection description "shiyantoxili/1x1"
- added connection description "shiyantoxili/1x2"
- initiating all conns with alias='shiyantoxili'
- "shiyantoxili/1x2" #1538: initiating Aggressive Mode #1538, connection "shiyantoxili/1x2"
- "shiyantoxili/1x2" #1538: received Vendor ID payload [Dead Peer Detection]
- "shiyantoxili/1x2" #1538: received Vendor ID payload [RFC 3947] method set to=115
- "shiyantoxili/1x2" #1538: Aggressive mode peer ID is ID_FQDN: '@xili'
- "shiyantoxili/1x2" #1538: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
- "shiyantoxili/1x2" #1538: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
- "shiyantoxili/1x2" #1538: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
- "shiyantoxili/1x2" #1538: Dead Peer Detection (RFC 3706): enabled
- "shiyantoxili/1x1" #1539: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1538 msgid:2954fd80 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
- "shiyantoxili/1x2" #1540: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1538 msgid:236ba11e proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
- "shiyantoxili/1x1" #1539: Dead Peer Detection (RFC 3706): enabled
- "shiyantoxili/1x1" #1539: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
- "shiyantoxili/1x1" #1539: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc417d95b <0x3f4913c4 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=113.91.86.106:4500 DPD=enabled}
- "shiyantoxili/1x2" #1540: Dead Peer Detection (RFC 3706): enabled
- "shiyantoxili/1x2" #1540: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
- "shiyantoxili/1x2" #1540: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc417d95c <0x3f4913c5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=113.91.86.106:4500 DPD=enabled}
接收端日志:
- packet from 113.104.226.246:500: received Vendor ID payload [Dead Peer Detection]
- packet from 113.104.226.246:500: received Vendor ID payload [RFC 3947] method set to=115
- packet from 113.104.226.246:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
- packet from 113.104.226.246:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
- packet from 113.104.226.246:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
- packet from 113.104.226.246:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: Aggressive mode peer ID is ID_FQDN: '@shiyan'
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: responding to Aggressive Mode, state #404, connection "xilitoshiyan/1x1" from 113.104.226.246
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: STATE_AGGR_R1: sent AR1, expecting AI2
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: new NAT mapping for #404, was 113.104.226.246:500, now 113.104.226.246:4500
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: STATE_AGGR_R2: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: the peer proposed: 192.168.3.0/24:0/0 -> 192.168.1.0/24:0/0
- "xilitoshiyan/1x1"[1] 113.104.226.246 #405: responding to Quick Mode proposal {msgid:2954fd80}
- "xilitoshiyan/1x1"[1] 113.104.226.246 #405: us: 192.168.3.0/24===192.168.0.188[@xili]
- "xilitoshiyan/1x1"[1] 113.104.226.246 #405: them: 113.104.226.246<0.0.0.0>[@shiyan]===192.168.1.0/24
- "xilitoshiyan/1x1"[1] 113.104.226.246 #405: keeping refhim=4294901761 during rekey
- "xilitoshiyan/1x1"[1] 113.104.226.246 #405: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
- "xilitoshiyan/1x1"[1] 113.104.226.246 #405: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
- "xilitoshiyan/1x1"[1] 113.104.226.246 #404: the peer proposed: 192.168.0.0/24:0/0 -> 192.168.1.0/24:0/0
- "xilitoshiyan/2x1"[1] 113.104.226.246 #406: responding to Quick Mode proposal {msgid:236ba11e}
- "xilitoshiyan/2x1"[1] 113.104.226.246 #406: us: 192.168.0.0/24===192.168.0.188[@xili]
- "xilitoshiyan/2x1"[1] 113.104.226.246 #406: them: 113.104.226.246<0.0.0.0>[@shiyan]===192.168.1.0/24
- "xilitoshiyan/2x1"[1] 113.104.226.246 #406: keeping refhim=4294901761 during rekey
- "xilitoshiyan/2x1"[1] 113.104.226.246 #406: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
- "xilitoshiyan/2x1"[1] 113.104.226.246 #406: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
- "xilitoshiyan/1x1"[1] 113.104.226.246 #405: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
- "xilitoshiyan/1x1"[1] 113.104.226.246 #405: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x3f4913c4 <0xc417d95b xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=113.104.226.246:4500 DPD=none}
- "xilitoshiyan/2x1"[1] 113.104.226.246 #406: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
- "xilitoshiyan/2x1"[1] 113.104.226.246 #406: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x3f4913c5 <0xc417d95c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=113.104.226.246:4500 DPD=none}
- NAT traversal
- UPnP NAT Traversal 常见问题
- Ipsec Nat-Traversal
- Ipsec Nat-Traversal 2
- Ipsec Nat-Traversal
- Introduction to Network Address Translation (NAT) and NAT Traversal
- NAT and Traversal NAT(TURN/STUN/ICE)
- !NAT and Traversal NAT(TURN/STUN/ICE)
- NAT and Traversal NAT(TURN/STUN/ICE)
- NAT and Traversal NAT(TURN/STUN/ICE)
- NAT and Traversal NAT(TURN/STUN/ICE)
- NAT and Traversal NAT(TURN/STUN/ICE)
- NAT and Traversal NAT(TURN/STUN/ICE)
- 一日一点RakNet(25)--NAT traversal architecture
- Best practices for SIP NAT traversal
- RakNet学习(24) -- NAT traversal architecture
- Configuring NAT traversal using Kamailio 3.1 and the Rtpproxy server
- NAT
- 2015编程之美初赛第一场 B 建造金字塔
- [BZOJ 2433][NOI 2011]智能车比赛(计算几何+动态规划)
- IOS-Foundation-KVC
- 销毁资源和释放内存
- 黑马程序员--IO流概述
- NAT traversal
- excel导入到Mysql中的id判定
- POJ 2352 Stars 解题思路,树状数组
- debian 6 安装 JDK 、eclipse、 SDK 笔记
- Trie树 Hihocoder 1014 Trie树
- 在MyEclipse中迁移RAD项目
- PO、VO、BO、DTO、POJO、DAO之间的关系
- PHP 编码规范
- Shape