NAT Traversal Debugs (CCIE Notes)


“NAT traversal (NAT-T) is a general term for techniques that establish and maintain IP connections traversing (NAT) gateways. Network address translation breaks end-to-end connectivity.” – Wikipedia

The debugs below were captured on IOS routers, with an intermediary router (R2) translating the initiator's IP address (10.1.1.1 is NATed to 10.1.2.1).

Initiator:

*Jun 25 10:31:26.723: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 25 10:31:26.723: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 25 10:31:26.723: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 25 10:31:26.723: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 25 10:31:26.723: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 25 10:31:26.723: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 
!
*Jun 25 10:31:26.871: ISAKMP (0): vendor ID is NAT-T RFC 3947
!
*Jun 25 10:31:27.083: ISAKMP (1003): NAT found, both nodes inside NAT
*Jun 25 10:31:27.083: ISAKMP:received payload type 20
*Jun 25 10:31:27.083: ISAKMP (1003): My hash no match - this node inside NAT
*Jun 25 10:31:27.083: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 25 10:31:27.087: ISAKMP:(1003):Old State = IKE_I_MM4 New State = IKE_I_MM4 
*Jun 25 10:31:27.087: ISAKMP:(1003):Send initial contact
*Jun 25 10:31:27.087: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 25 10:31:27.087: ISAKMP (1003): ID payload 
 next-payload : 8
 type : 1 
 address : 10.1.1.1 
 protocol : 17 
 port : 0 
 length : 12
*Jun 25 10:31:27.087: ISAKMP:(1003):Total payload length: 12
*Jun 25 10:31:27.091: ISAKMP:(1003): sending packet to 10.1.2.4 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Jun 25 10:31:27.091: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 25 10:31:27.091: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 25 10:31:27.095: ISAKMP:(1003):Old State = IKE_I_MM4 New State = IKE_I_MM5 
!
*Jun 25 10:31:27.195: ISAKMP (1003): received packet from 10.1.2.4 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Jun 25 10:31:27.203: ISAKMP:(1003): processing ID payload. message ID = 0
*Jun 25 10:31:27.207: ISAKMP (1003): ID payload 
 next-payload : 8
 type : 1 
 address : 10.1.2.4 
 protocol : 17 
 port : 0 
 length : 12
*Jun 25 10:31:27.215: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 25 10:31:27.219: ISAKMP:(1003): processing HASH payload. message ID = 0
*Jun 25 10:31:27.223: ISAKMP:(1003):SA authentication status:
 authenticated
*Jun 25 10:31:27.223: ISAKMP:(1003):SA has been authenticated with 10.1.24.4
*Jun 25 10:31:27.223: ISAKMP:(1003):Setting UDP ENC peer struct 0x6A151F78 sa= 0x6A2A6A6C
*Jun 25 10:31:27.223: ISAKMP: Trying to insert a peer 10.1.1.1/10.1.2.4/4500/, and inserted successfully 6A1EF5B4.
*Jun 25 10:31:27.223: ISAKMP:(1003):Input 
R1#= IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 25 10:31:27.227: ISAKMP:(1003):Old State = IKE_I_MM5 New State = IKE_I_MM6 
*Jun 25 10:31:27.227: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 25 10:31:27.227: ISAKMP:(1003):Old State = IKE_I_MM6 New State = IKE_I_MM6 
*Jun 25 10:31:27.227: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 25 10:31:27.231: ISAKMP:(1003):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE 
*Jun 25 10:31:27.231: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 770707520
*Jun 25 10:31:27.231: ISAKMP:(1003):QM Initiator gets spi
*Jun 25 10:31:27.243: ISAKMP:(1003): sending packet to 10.1.2.4 my_port 4500 peer_port 4500 (I) QM_IDLE 
*Jun 25 10:31:27.243: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 25 10:31:27.247: ISAKMP:(1003):Node 770707520, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 25 10:31:27.251: ISAKMP:(1003):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 25 10:31:27.251: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 25 10:31:27.251: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Notes:
  • The NAT-T vendor ID payloads (RFC 3947 plus the draft versions 02, 03 and 07) are constructed and sent in Main mode message 1, and the peer's NAT-T vendor ID is recognised in the reply.
  • NAT is detected in the path (NAT-Discovery, payload type 20) when the address hashes sent by each peer don’t match what the receiver computes itself. The intermediary router might be considering this peer as inside and the other peer as outside, as seen in the debug output of the responder.
  • The local ID payload is sent to the peer from source UDP port 4500 to the peer’s UDP port 4500 in Main mode messages 5 and 6.
  • The ID payload is received from the peer’s UDP port 4500 to the local UDP port 4500 in Main mode messages 5 and 6.
  • The peer entry is inserted using port 4500 between the peers, whereas without NAT-T it is inserted using port 500.

Responder:

*Jun 25 10:31:26.819: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 25 10:31:26.819: ISAKMP:(0): processing vendor id payload
*Jun 25 10:31:26.819: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 25 10:31:26.819: ISAKMP (0): vendor ID is NAT-T v7
*Jun 25 10:31:26.819: ISAKMP:(0): processing vendor id payload
*Jun 25 10:31:26.823: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 25 10:31:26.823: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 25 10:31:26.823: ISAKMP:(0): processing vendor id payload
*Jun 25 10:31:26.823: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 25 10:31:26.823: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 25 10:31:26.823: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 25 10:31:26.823: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1 
!
*Jun 25 10:31:26.823: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
!
*Jun 25 10:31:27.011: ISAKMP (1003): His hash no match - this node outside NAT
*Jun 25 10:31:27.011: ISAKMP:received payload type 20
*Jun 25 10:31:27.011: ISAKMP (1003): His hash no match - this node outside NAT
*Jun 25 10:31:27.011: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
!
*Jun 25 10:31:27.139: ISAKMP (1003): received packet from 10.1.2.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Jun 25 10:31:27.147: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 25 10:31:27.151: ISAKMP:(1003):Old State = IKE_R_MM4 New State = IKE_R_MM5 
*Jun 25 10:31:27.167: ISAKMP:(1003): processing ID payload. message ID = 0
*Jun 25 10:31:27.171: ISAKMP (1003): ID payload 
 next-payload : 8
 type : 1 
 address : 10.1.1.1 
 protocol : 17 
 port : 0 
 length : 12
*Jun 25 10:31:27.179: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 25 10:31:27.179: ISAKMP:(1003): processing HASH payload. message ID = 0
*Jun 25 10:31:27.179: ISAKMP:(1003): processing NOTIFY INITIAL_CONTACT protocol 1
 spi 0, message ID = 0, sa = 0x6A1F2F8C
*Jun 25 10:31:27.179: ISAKMP:(1003):SA authentication status:
 authenticated
*Jun 25 10:31:27.179: ISAKMP:(1003):SA has been authenticated with 10.1.2.1
*Jun 25 10:31:27.179: ISAKMP:(1003):Detected port floating to port = 4500
*Jun 25 10:31:27.179: ISAKMP: Trying to find existing peer 10.1.2.4/10.1.2.1/4500/
*Jun 25 10:31:27.179: ISAKMP:(1003):SA authentication status:
 authenticated
*Jun 25 10:31:27.179: ISAKMP:(1003): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.2.4 remote 10.1.2.1 remote port 4500
*Jun 25 10:31:27.183: ISAKMP: Trying to insert a peer 10.1.2.4/10.1.2.1/4500/, and inserted successfully 6A209458.
*Jun 25 10:31:27.183: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 25 10:31:27.183: ISAKMP:(1003):Old State = IKE_R_MM5 New State = IKE_R_MM5 
*Jun 25 10:31:27.183: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 25 10:31:27.183: ISAKMP (1003): ID payload 
 next-payload : 8
 type : 1 
 address : 10.1.2.4 
 protocol : 17 
 port : 0 
 length : 12
*Jun 25 10:31:27.183: ISAKMP:(1003):Total payload length: 12
*Jun 25 10:31:27.187: ISAKMP:(1003): sending packet to 10.1.24.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Jun 25 10:31:27.187: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 25 10:31:27.191: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 25 10:31:27.195: ISAKMP:(1003):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE 
*Jun 25 10:31:27.203: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 25 10:31:27.203: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Notes:
  • The intermediary router might be considering this peer as outside and the other peer as inside, as seen in the debug output above (“His hash no match - this node outside NAT”).
  • The SA is authenticated with the NATed IP address of the peer (10.1.2.1), and the responder detects the port floating to UDP 4500.
  • The ID payload received from the peer carries the peer’s real IP address (10.1.1.1) as specified in its config, not the NATed address.
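The NAT-Discovery logic that produces the “My hash no match” / “His hash no match” lines in both note blocks above, as an added example that is not part of the original post. It follows the RFC 3947 NAT-D definition (HASH(CKY-I | CKY-R | IP | Port), first payload for the remote address, then the sender's own address) with the addresses from these debugs; the cookies and the SHA-1 choice are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Phase 1 hash algorithm is whatever IKE negotiated; SHA-1 is assumed here.
HASH = hashlib.sha1


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 s3.2: HASH(CKY-I | CKY-R | IP | Port), IPv4 as 4 bytes, port as 2 bytes."""
    return HASH(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """Sender side: first NAT-D carries the destination address, the rest carry the source."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def check_nat_d(cky_i, cky_r, payloads, local, pkt_src):
    """Receiver side. local = address this node believes it has; pkt_src = UDP source of the
    packet as actually received. Returns (local_behind_nat, peer_behind_nat)."""
    # "My hash no match - this node inside NAT": peer hashed a different address for us.
    local_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, *local)
    # "His hash no match - this node outside NAT": none of the peer's own hashes match the UDP source.
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *pkt_src) not in payloads[1:]
    return local_behind_nat, peer_behind_nat


def ike_port(local_behind_nat, peer_behind_nat):
    """Port floating: any NAT in the path moves IKE/ESP from UDP 500 to UDP 4500."""
    return 4500 if (local_behind_nat or peer_behind_nat) else 500


def simulate():
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    r1_real, r1_nated, r3 = ("10.1.1.1", 500), ("10.1.2.1", 500), ("10.1.2.4", 500)
    # MM3: R1 sends NAT-D; R2 rewrites the UDP source from 10.1.1.1 to 10.1.2.1 on the way.
    from_r1 = build_nat_d(cky_i, cky_r, local=r1_real, remote=r3)
    r3_view = check_nat_d(cky_i, cky_r, from_r1, local=r3, pkt_src=r1_nated)
    # MM4: R3 replies towards the address it saw (10.1.2.1); its own source is untranslated.
    from_r3 = build_nat_d(cky_i, cky_r, local=r3, remote=r1_nated)
    r1_view = check_nat_d(cky_i, cky_r, from_r3, local=r1_real, pkt_src=r3)
    return {"R3": r3_view, "R1": r1_view}
```

R3 concludes the peer is behind NAT while it is not, R1 concludes the opposite, and both float to 4500, matching the two debug captures.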

Verification:

On the peer routers:

R1#show crypto isakmp peers 
Peer: 10.1.2.4 Port: 4500 Local: 10.1.1.1
 Phase1 id: 10.1.2.4

R3#show crypto isakmp peer
Peer: 10.1.2.1 Port: 4500 Local: 10.1.2.4
 Phase1 id: 10.1.1.1

On the intermediary router performing NAT (note the separate translations for UDP 500 and UDP 4500):

R2#sh ip nat translations 
Pro Inside global Inside local  Outside local Outside global
udp 10.1.24.1:500 10.1.12.1:500 10.1.24.4:500 10.1.24.4:500
udp 10.1.2.1:4500 10.1.1.1:4500 10.1.2.4:4500 10.1.2.4:4500
--- 10.1.24.1     10.1.12.1     ---           ---

Further reading on NAT-T:

How Does NAT-T work with IPSec? – https://supportforums.cisco.com/docs/DOC-16591

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
