
Design and Implementation of IPsec NAT Traversal

Posted on: 2007-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: H S Wang
GTID: 2198360302469248
Subject: Computer software and theory

Abstract/Summary:
IPsec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols. These objectives are met through the use of two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), and through the use of cryptographic key management procedures and protocols.

NAT translates the addresses used inside a stub domain into other addresses. The translation occurs at the border of the stub domain, and the address mappings are maintained in a table. NAT is transparent to both sides using it. NAT has greatly relieved the pressure of IPv4 address depletion.

IPsec prevents the datagram from being modified, but NAT modifies the IP address and port number in the datagram. There is therefore an incompatibility between IPsec and NAT. In recent years, the IPsec-NAT incompatibility has become a major barrier to deploying IPsec.

This paper presents the method of UDP encapsulation of ESP packets to solve the IPsec-NAT incompatibility. This method can be used in many situations, and its most important property is that it does not require changes to the NAT devices. However, this method can be used only when both the IKE initiator and the responder support it.
Keywords/Search Tags:IPSec, NAT, VPN, AH, ESP, IKE, Security Gateway
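
The following sketch is an added example, not code from the thesis. It shows why UDP encapsulation survives a NAT: the NAT rewrites only the outer UDP source port, while the ESP integrity check value (ICV) covers only the ESP packet, and the receiver demultiplexes ESP, IKE and keepalive traffic on the shared port. The non-ESP marker, the keepalive octet and the zero UDP checksum follow RFC 3948, which the abstract does not cite; the HMAC-SHA-256 ICV truncated to 128 bits, the key, the SPI and the port numbers are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefixes IKE on UDP 4500
KEEPALIVE = b"\xff"                   # RFC 3948: one-octet NAT-keepalive
ICV_LEN = 16                          # assumed ICV: HMAC-SHA-256 cut to 128 bits

def esp_packet(key, spi, seq, ciphertext):
    """SPI | sequence number | already-encrypted payload | ICV."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_verify(key, esp):
    """Recompute the ICV over everything before it and compare."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)

def udp_encap(sport, dport, payload):
    """UDP header (checksum 0, which RFC 3948 allows over IPv4) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def nat_rewrite(datagram, new_sport):
    """The change a port-translating NAT makes to the UDP header."""
    return struct.pack("!H", new_sport) + datagram[2:]

def classify(datagram):
    """Receiver-side demultiplexing: returns (kind, source port, payload)."""
    if len(datagram) < 8:
        return "invalid", None, b""
    sport, _dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    payload = datagram[8:length]
    if payload == KEEPALIVE:
        return "keepalive", sport, b""
    if payload[:4] == NON_ESP_MARKER:   # a real SPI is never zero
        return "ike", sport, payload[4:]
    if len(payload) < 8 + ICV_LEN:
        return "invalid", sport, b""
    return "esp", sport, payload

if __name__ == "__main__":
    key = b"k" * 32                     # constructed key, for the demo only
    wire = udp_encap(4500, 4500, esp_packet(key, 0x1001, 1, b"\xaa" * 32))
    kind, sport, esp = classify(nat_rewrite(wire, 61234))
    print(kind, sport, esp_verify(key, esp))
```

The receiver has to remember the translated source port it observed (61234 here) to send replies back through the NAT mapping.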