
Allow NAT-T-disabled IKEv1 packets to NAT


Article ID: KB11323    Last Updated: 12 Jul 2010    Version: 3.0
Summary:
Starting from ScreenOS 5.2, a firewall running in NAT mode allows NAT-T-disabled IKEv1 packets to pass through without translating the source port.
Symptoms:
A NAT-T-disabled IKEv1 packet must use UDP port 500 as both its source and destination port, which makes source-port translation impossible: a NAT device that rewrites the source port breaks the IKE exchange.
Solution:
Starting from ScreenOS 5.2, a firewall running in NAT mode allows NAT-T-disabled IKEv1 packets to pass through without translating the source port. A new command, 'get session ike-nat', shows the extended session information that makes this possible.

Below is an example with two VPN devices (A and B) behind an NS25 running interface NAT:
[Setup]

VPNA 172.16.1.100        VPNB 172.16.1.200
        |                        |
        +------------+-----------+
                     |
             Trust: 172.16.1.1
                  [NS25]
            Untrust: 172.25.0.100
                     |
                     |
      [VPN termination: 172.25.0.1]

[NS25 Config - please note that policy 3 uses the IKE-NAT service for NAT-T-disabled IKEv1 packets]
set interface "ethernet1" zone "Trust"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 172.16.1.1/24
set interface ethernet1 nat
set interface ethernet3 ip 172.25.0.100/24
set interface ethernet3 route
set address "Untrust" "e3" 172.25.0.1 255.255.255.255
set policy id 3 from "Trust" to "Untrust"  "Any" "e3" "IKE-NAT" permit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit


Below are the extended sessions, which include the IKE cookies the firewall uses to keep track of the NAT mapping: because both internal peers appear to the remote gateway as 172.25.0.100 port 500, the cookies are what distinguish the two sessions. The L5 Data column contains the IKE initiator and responder cookies. For details of 'get sess ike-nat', please refer to KB11307.

NS25-bottom-> get sess ike-nat
IKE pass-through ALG
Index ID Zone     Src addr        Dst addr        Protocol Session     L5 Data                             Validity TTL pri host
   0   3 Untrust  172.25.0.1      172.25.0.100        17    32052        cf24137e a2a16950 00000000 00000000 valid      5  0.0.0.0
   0   2 Trust    172.16.1.100    172.25.0.1          17    32052        cf24137e a2a16950 00000000 00000000 valid      5  0.0.0.0
  11   1 Untrust  172.25.0.1      172.25.0.100        17    32038        6a5286da a3d9b6ab 00000000 00000000 valid      6  0.0.0.0
  11   0 Trust    172.16.1.200    172.25.0.1          17    32038        6a5286da a3d9b6ab 00000000 00000000 valid      6  0.0.0.0
subtotal 4 sessions.



The session output below shows that sessions 32052 and 32038, which hit policy 3, do not have the source port of the NAT-T-disabled IKEv1 packet translated (500 on both the Trust and Untrust side). Hence, the VPN works.
NS25-bottom-> get sess
alloc 6/max 32064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 32058
id 32030/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 5, dip 2 module 0
 if 0(nspflag 800801):172.16.1.200/1033->172.27.4.10/53,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3110<-172.27.4.10/53,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 5
id 32038/s**,vsys 0,flag 04000000/0000/0001,policy 3,time 17, dip 0 module 0
 if 0(nspflag 880801):172.16.1.200/500->172.25.0.1/500,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 880800):172.25.0.100/500<-172.25.0.1/500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
id 32043/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 6, dip 2 module 0
 if 0(nspflag 800801):172.16.1.100/4500->172.25.0.1/4500,17,00a1b008ffcb,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3042<-172.25.0.1/4500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
id 32046/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 4, dip 2 module 0
 if 0(nspflag 800801):172.16.1.200/1030->172.27.4.10/53,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3109<-172.27.4.10/53,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 5
id 32049/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 6, dip 2 module 0
 if 0(nspflag 800801):172.16.1.200/4500->172.25.0.1/4500,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3099<-172.25.0.1/4500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
id 32052/s**,vsys 0,flag 04000000/0000/0001,policy 3,time 17, dip 0 module 0
 if 0(nspflag 880801):172.16.1.100/500->172.25.0.1/500,17,00a1b008ffcb,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 880800):172.25.0.100/500<-172.25.0.1/500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
Total 6 sessions shown


Below is an example where policy 1 with the ANY service is used instead, so the traffic does not hit the IKE-NAT service. The source port for sessions 32046 and 32052 is translated from 500 to 3102 and 3100 respectively. Hence, the VPN fails.
NS25-bottom-> get sess 
alloc 5/max 32064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 32059
id 32030/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 5, dip 2 module 0
 if 0(nspflag 800801):172.16.1.200/1030->172.27.4.10/53,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3101<-172.27.4.10/53,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 5
id 32043/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 6, dip 2 module 0
 if 0(nspflag 800801):172.16.1.100/4500->172.25.0.1/4500,17,00a1b008ffcb,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3042<-172.25.0.1/4500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
id 32046/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 6, dip 2 module 0
 if 0(nspflag 800801):172.16.1.200/500->172.25.0.1/500,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3102<-172.25.0.1/500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
id 32049/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 6, dip 2 module 0
 if 0(nspflag 800801):172.16.1.200/4500->172.25.0.1/4500,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3099<-172.25.0.1/4500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
id 32052/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 6, dip 2 module 0
 if 0(nspflag 800801):172.16.1.100/500->172.25.0.1/500,17,00a1b008ffcb,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3100<-172.25.0.1/500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
Total 5 sessions shown
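The difference between the working and failing outputs above comes down to whether the Untrust-side port of each UDP/500 session still reads 500. The following added example (not part of this article or of ScreenOS) parses 'get sess' output and reports, for every IKE session, whether the source port was preserved; the sample records are copied from the two outputs above, and the record layout assumed is exactly the one printed there.

```python
import re

# One session in 'get sess' output is a header line followed by the ingress
# ("->") and egress ("<-") interface lines; only the fields used are captured.
HDR = re.compile(r"^id (\d+)/\S+,vsys \d+,flag \S+,policy (\d+),")
FWD = re.compile(r"^\s*if \d+\(nspflag \w+\):([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+),")
REV = re.compile(r"^\s*if \d+\(nspflag \w+\):([\d.]+)/(\d+)<-([\d.]+)/(\d+),(\d+),")

IKE_PORT = 500  # non-NAT-T IKEv1 must keep UDP 500 on both sides


def audit_ike_sessions(get_sess_output):
    """Return one record per UDP/500 session, stating whether the firewall
    kept the private source port (IKE-NAT ALG) or rewrote it (plain NAT)."""
    findings, cur = [], None
    for line in get_sess_output.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": int(m.group(2))}
            continue
        m = FWD.match(line) if cur else None
        if m:
            cur.update(src=m.group(1), sport=int(m.group(2)), dst=m.group(3),
                       dport=int(m.group(4)), proto=int(m.group(5)))
            continue
        m = REV.match(line) if cur else None
        if m:
            if cur.get("proto") == 17 and cur.get("dport") == IKE_PORT:
                cur["nat_sport"] = int(m.group(2))
                cur["port_preserved"] = cur["nat_sport"] == cur["sport"]
                findings.append(cur)
            cur = None  # egress line closes the record
    return findings


def translated_ike_sessions(get_sess_output):
    """IDs of IKE sessions whose source port was rewritten: a non-empty list
    means the traffic matched a policy without the IKE-NAT service."""
    return [f["id"] for f in audit_ike_sessions(get_sess_output) if not f["port_preserved"]]


# Records copied from the article: 32052 from the policy-3 run (IKE-NAT service),
# 32030 (DNS, not IKE) and 32046 from the policy-1 run (ANY service).
SAMPLE = """\
id 32052/s**,vsys 0,flag 04000000/0000/0001,policy 3,time 17, dip 0 module 0
 if 0(nspflag 880801):172.16.1.100/500->172.25.0.1/500,17,00a1b008ffcb,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 880800):172.25.0.100/500<-172.25.0.1/500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
id 32030/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 5, dip 2 module 0
 if 0(nspflag 800801):172.16.1.200/1030->172.27.4.10/53,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3101<-172.27.4.10/53,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 5
id 32046/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 6, dip 2 module 0
 if 0(nspflag 800801):172.16.1.200/500->172.25.0.1/500,17,000d60894f4f,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):172.25.0.100/3102<-172.25.0.1/500,17,0010db7ea316,sess token 6,vlan 0,tun 0,vsd 0,route 3
"""

if __name__ == "__main__":
    for f in audit_ike_sessions(SAMPLE):
        print(f["id"], "policy", f["policy"], "sport", f["sport"], "->", f["nat_sport"],
              "OK" if f["port_preserved"] else "TRANSLATED: VPN will fail")
```

Run it against a saved 'get sess' capture from the firewall; any session listed by translated_ike_sessions() needs a policy that references the IKE-NAT service ahead of the ANY policy.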