IPsec is a set of
extensions to the IP protocol family in a framework of open standards for
ensuring secure private communications over the Internet. Based on standards
developed by the IETF, IPsec ensures confidentiality, integrity, and
authenticity of data communications across the public network and provides
cryptographic security services.
between two peers, such as two routers, are provided and decisions are made as
to which packets are considered sensitive and should be sent through these
secure tunnels, and which parameters should be used to protect these sensitive
packets by specifying characteristics of these tunnels. When the IPsec peer
receives a sensitive packet, it sets up the appropriate secure tunnel and sends
the packet through the tunnel to the remote peer.
Encapsulating Security Payload (ESP) can pass through a router running NAT
without any specific support from it as long as Network Address Port
Translation (NAPT) or address overloading is not configured. You can enable
IPsec packet processing using ESP with the
ip nat service ipsec-esp enable command.
There are a number of
factors to consider when attempting an IPsec VPN connection that traverses a
NAPT device that represents multiple private internal IP addresses as a single
public external IP address. Such factors include the capabilities of the VPN
server and client, the capabilities of the NAPT device, and whether more than
one simultaneous connection is attempted across the NAPT device.
There are two
possible methods for configuring IPsec on a router with NAPT:
in a Layer 4 protocol such as TCP or UDP. In this case, IPsec is
through NAT. The NAT device is unaware of the encapsulation.
IPsec-specific support to NAPT. IPsec works with NAT in this case as opposed to
through NAT. The NAT Support for IPsec ESP-- Phase II feature provides support
for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode
through a Cisco IOS router configured with NAPT.
We recommend that TCP
and UDP be used when conducting IPsec sessions that traverse a NAPT device.
However, not all VPN servers or clients support TCP or UDP.
SPI matching is
used to establish VPN connections between multiple pairs of destinations. NAT
entries will immediately be placed in the translation table for endpoints
matching the configured access list..