IPSEC VPN and NAT-T (Fortigate and Cisco)
Today's writing will be about IPSec configuration when tunnel endpoints are located behind NAT. Let's explain the challenges we need to overcome when a tunnel endpoint is behind NAT. IPSec provides confidentiality, authenticity and integrity. A NAT device alters the source IP adress, so the remote endpoint will fail to match the source IP address. Authentication check will fail because of this alteration. Which also means integrity check will fail also as the original packet was altered in the middle. As the payload is encrypted the NAT device cannot also change anything in encrypted portion of the IP header. NAT-Traversal comes in rescue in such cases. With NAT-T, an extra UDP header is added which encapsulates the IPSec ESP header. As this new UDP header is not encrypted, the NAT device can now make the necessary modifications to the packet, so that encrypted packets can reach to the tunnel endpoint. And finally to the end hosts in the network. During IKE phase,