Research And Implementation Of VPN Gateway Supporting NAT

Posted on: 2005-01-10
Degree: Master
Type: Thesis
Country: China
Candidate: Z M Zhu
Full Text: PDF
GTID: 2168360152969145
Subject: Computer system architecture

Abstract/Summary:
As a security protocol at the IP layer, Internet Protocol Security (IPSec) guarantees identity authentication, data integrity, and confidentiality for IP packets. IPSec is of great significance in the network security field, especially for its application in Virtual Private Networks (VPNs). The Network Address Translation protocol (NAT), meanwhile, can translate private IP addresses to one or many public addresses on the Internet, which can solve the problem of the shortage of IPv4 addresses.

An analysis of the NAT and IPSec protocols exposes the incompatibilities between them. When packets protected by IPSec pass through a NAT gateway, NAT modifies the IP address and port of outgoing packets, but IPSec's security checks regard this modification as illegal and the packets are ignored, which hinders communication between the two ends. This incompatibility restricts the application of NAT and IPSec.

Currently, in the field of network security, it is generally required that NAT and IPSec gateways be able to work together. To solve the problem, we make it possible for IPSec-protected packets to pass through the NAT gateway by means of UDP encapsulation and modification of the present VPN system. Additional payloads are added to the IKE negotiation packets to detect NAT between IPSec hosts, to detect NAT traversal support in IKE at both ends, and to negotiate UDP encapsulation for IPSec packets through IKE. Encapsulation and de-encapsulation operations are performed on ESP and AH packets for traversal. At the same time, the IPSec processing is also modified. Finally, effective solutions are provided for the difficulties with IP fragmentation, ICMP, and PMTU.

In an environment where both sides need to traverse NAT, the initiator has no means of obtaining the port and IP address of the responder, so the tunnel cannot be established. Therefore we put forward a solution named "VPN forwarded gateway".

Other unresolved problems related to NAT traversal with UDP encapsulation are also discussed.
Keywords/Search Tags:User Datagram Protocol Encapsulation, Network Address Translator Traversal, Virtual Private Network Forward Gateway, Internet Protocol Security