IPSec Communication Failed Due to Incorrect NAT Configuration

Publication Date: 2015-07-03
Issue Description
Network Topology:
Firewall A---------Internet--------------Firewall B

Symptom:

IPSec negotiation was successful, but services were interrupted.

Handling Process
1. The IPSec information was displayed, and the result indicated that the IPSec tunnel was successfully established.

[USG-A]dis ike sa
19:09:19  2013/01/07
current ike sa number: 2
  ---------------------------------------------------------------------
  connection-id  peer                    vpn   flag          phase   doi
  ------------------------------------------------------------------------
    0x49         222.73.x1.y1            0     RD          v1:2    IPSEC
    0x48         222.73.x1.y1            0     RD          v1:1    IPSEC

The peer address was 222.73.189.92.

2. The IPSec negotiation session was examined. The negotiation packets were IKE packets on UDP port 500.

[USG-A]dis firewall  session table  verbose  destination-port 500
19:11:51  2013/01/07
Current Total Sessions : 1
  udp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:02:00  Left: 00:01:50
  Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:2 bytes:576   -->packets:6 bytes:920
  222.73.x1.y1:500-->58.209.x2.y2:500

The session still showed the original source address 222.73.x1.y1, which indicated that the intermediate device did not apply NAT to the IKE negotiation packets from this peer.

3. The ESP session (IPSec service packets) was examined.

[USG-A]dis firewall  session table verbose  destination global  X.X.118.10
esp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:10:00  Left: 00:09:47
  Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:5461 bytes:806880
  122.225.10.t:0-->58.209.x2.y2:0


The source address of the ESP packets had been changed to 122.225.10.t. When IPSec was disabled, this session disappeared; when IPSec negotiation succeeded again, the session reappeared. This indicated that the ESP packets came from 222.73.x1.y1.
4. The preceding analysis indicated that the intermediate device changed the source address of the ESP packets to 122.225.10.t. This NAT configuration caused the communication failure, because 222.73.x1.y1 is a public address and does not need address translation.
5. For ESP packets to traverse NAT, NAT must also be applied to the negotiation packets. Otherwise, the two ends of the IPSec tunnel cannot detect whether a NAT device exists between them.
The negotiation mechanism is described in the following figure. Only the negotiation packets can detect whether an intermediate NAT device exists.
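As an added illustration of the detection mechanism described above (example code, not part of the original case), the following Python models the RFC 3947 NAT-D check used in IKEv1 NAT traversal: each peer hashes the addresses it believes are in use, and the receiver compares those hashes with the addresses it actually sees on the wire. The cookies and addresses are constructed placeholders for the masked addresses in the case, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import socket
import struct

# Constructed sample values; the real addresses in the case are masked.
CKY_I = bytes.fromhex("0011223344556677")   # initiator cookie (arbitrary)
CKY_R = bytes.fromhex("8899aabbccddeeff")   # responder cookie (arbitrary)
PEER_A = ("58.209.0.2", 500)      # stands in for USG-A (58.209.x2.y2)
PEER_B = ("222.73.0.1", 500)      # stands in for the remote peer (222.73.x1.y1)
NAT_POOL = ("122.225.10.5", 500)  # stands in for the translated source (122.225.10.t)

def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()

def build_nat_d_payloads(cky_i, cky_r, local, remote):
    """A sender emits the NAT-D for the remote address first, then one for its own address."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def detect_nat(cky_i, cky_r, payloads, observed_src, own_addr):
    """Receiver side: a hash that does not match the on-the-wire address reveals a NAT."""
    remote_hash, *src_hashes = payloads
    sender_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in src_hashes
    receiver_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, *own_addr)
    return sender_behind_nat or receiver_behind_nat

def simulate(ike_translated, esp_translated):
    """Peer B negotiates with A, then sends ESP. Returns (nat_t_detected, esp_matches_tunnel)."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, local=PEER_B, remote=PEER_A)
    observed_src = NAT_POOL if ike_translated else PEER_B
    nat_t = detect_nat(CKY_I, CKY_R, payloads, observed_src, PEER_A)
    # A associates the tunnel with the address the IKE packets arrived from. ESP that shows
    # up from a different source (the case in this article) cannot be matched to it.
    esp_src = NAT_POOL[0] if esp_translated else PEER_B[0]
    return nat_t, esp_src == observed_src[0]

if __name__ == "__main__":
    print("no NAT:           ", simulate(False, False))
    print("ESP only (case):  ", simulate(False, True))
    print("IKE and ESP (fix):", simulate(True, True))
```

Only when the IKE packets are translated as well (solution 2 below) do the NAT-D hashes disagree and NAT traversal gets negotiated; translating ESP alone leaves the peers believing no NAT is present.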


Root Cause
An intermediate device translated the source address of the IPSec service data (ESP) but not that of the negotiation packets, causing the communication failure.
Solution
1. (Recommended) Both sides use public IP addresses, so NAT is unnecessary. Disable NAT on the intermediate device to resolve the problem.

2. Configure the intermediate NAT device to also translate the source IP address of the IKE negotiation packets.

END