In normal cases, Encapsulating Security Payload (ESP) computes its integrity check over the ESP header and payload only, not over the outer IP header. Therefore, changing the IP addresses does not break ESP authentication. However, ESP is a Layer-3 protocol (IP protocol 50) and has no port fields. Therefore, NAT that relies on port translation cannot distinguish different ESP flows.
The FW provides ESP NAT, which performs NAT on ESP packets and assigns ports to them (derived from the SPI) so that different ESP flows can be distinguished.
ESP NAT applies to source NAT and NAT Server scenarios.
In a source NAT scenario, an IPSec tunnel is established between PC1 and PC2. When PC1 proactively accesses PC2, the FW performs NAT on the source address of the ESP packets and, through ESP NAT, uses the SPI value of the ESP packets as their port number.
As shown in Figure 1, PC1 resides on LAN 1, PC2 resides on LAN 2, and the FW serves as the NAT device. ESP packets are processed as follows:
When PC1 sends packets to PC2, the FW creates a forward session after receiving the first ESP packet from PC1. It uses the upper 16 bits of the 32-bit SPI in the forward ESP packet (fspi1) as the source port and the lower 16 bits (fspi2) as the destination port. After NAT, both the source and destination ports are 0.
If no reverse packet is received within 3 s after the first forward ESP packet, the forward session is aged out. If another first forward ESP packet is received during that period, the FW refreshes the session table entry.
When PC2 sends response packets to PC1, the FW receives the reverse packets and first attempts to match a session using the ports derived from the SPI value in the reverse ESP packet. If a match is found, the session already exists and the packet is processed normally. If no match is found, port 0 is used to match the forward session and create the session entry. The FW splits the 32-bit SPI value of the reverse ESP packet into two parts: the upper 16 bits (rspi1) become the destination port after NAT, and the lower 16 bits (rspi2) become the source port after NAT. The session table is then updated with these ports.
In a NAT Server scenario, an IPSec tunnel is established between PC1 and PC2. The address of PC1 on the LAN is mapped to a public address. When PC2 accesses the public address, the FW translates the destination address to PC1's address and, through ESP NAT, uses the SPI value of the ESP packets as their port number.
As shown in Figure 1, PC1 resides on LAN 1, PC2 resides on LAN 2, and the FW serves as the NAT device. ESP packets are processed as follows:
When PC2 sends packets to PC1, the FW creates a forward session after receiving the first ESP packet from PC2. It uses the upper 16 bits of the 32-bit SPI in the forward ESP packet (fspi1) as the source port and the lower 16 bits (fspi2) as the destination port. After NAT, both the source and destination ports are 0.
If no reverse packet is received within 3 s after the first forward ESP packet, the forward session is aged out. If another first forward ESP packet is received during that period, the FW refreshes the session table entry.
When PC1 sends response packets to PC2, the FW receives the reverse packets and first attempts to match a session using the ports derived from the SPI value in the reverse ESP packet. If a match is found, the session already exists and the packet is processed normally. If no match is found, port 0 is used to match the forward session and create the session entry. The FW splits the 32-bit SPI value of the reverse ESP packet into two parts: the upper 16 bits (rspi1) become the destination port after NAT, and the lower 16 bits (rspi2) become the source port after NAT. The session table is then updated with these ports.
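The following simulation walks through the session handling described in both the source NAT and the NAT Server procedures above (the NAT Server case is the same sequence with the roles of PC1 and PC2 swapped). It is an added example, not the FW's own code: the class `EspNat`, the helper `split_spi`, the `FakeClock`, the `demo` walkthrough, and all addresses and SPI values are constructed for illustration. It models only the 3 s aging of an unanswered forward session that the text specifies; the normal aging of an established session is not stated on the page and is not modelled.

```python
"""Simulation of ESP NAT session handling: SPI halves used as ports,
port-0 placeholders until the peer answers, and 3 s aging of unanswered
forward sessions. Hypothetical model for illustration, not vendor code."""

import time

FIRST_PACKET_TIMEOUT = 3.0  # seconds an unanswered forward session is kept (from the text)


def split_spi(spi):
    """Split a 32-bit ESP SPI into (upper 16 bits, lower 16 bits)."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be a 32-bit value")
    return (spi >> 16) & 0xFFFF, spi & 0xFFFF


class EspNat:
    """Session table for ESP packets crossing a source-NAT FW (hypothetical model)."""

    def __init__(self, public_ip, clock=time.monotonic):
        self.public_ip = public_ip
        self.clock = clock      # injectable so the 3 s aging can be simulated offline
        self.sessions = []      # list of session dicts, newest last

    def _age_out(self):
        """Drop forward sessions that saw no reverse packet within the timeout."""
        now = self.clock()
        self.sessions = [s for s in self.sessions
                         if s["established"] or now - s["created"] <= FIRST_PACKET_TIMEOUT]

    def forward(self, src_ip, dst_ip, spi):
        """Inside -> outside ESP packet. Returns the post-NAT (src, dst, sport, dport)."""
        self._age_out()
        fspi1, fspi2 = split_spi(spi)   # pre-NAT ports: sport = fspi1, dport = fspi2
        for s in self.sessions:
            if (s["inside"], s["remote"], s["fwd_ports"]) == (src_ip, dst_ip, (fspi1, fspi2)):
                if not s["established"]:
                    s["created"] = self.clock()  # repeated first packet refreshes the entry
                return (self.public_ip, dst_ip) + s["nat_ports"]
        # First packet of a new tunnel: post-NAT ports stay 0 until the peer answers
        self.sessions.append({"inside": src_ip, "remote": dst_ip,
                              "fwd_ports": (fspi1, fspi2), "nat_ports": (0, 0),
                              "created": self.clock(), "established": False})
        return (self.public_ip, dst_ip, 0, 0)

    def reverse(self, src_ip, dst_ip, spi):
        """Outside -> inside ESP packet. Returns the post-NAT (src, dst), or None to drop."""
        self._age_out()
        if dst_ip != self.public_ip:
            return None
        rspi1, rspi2 = split_spi(spi)
        # Post-NAT forward ports this reverse packet belongs to:
        # source port after NAT = rspi2, destination port after NAT = rspi1 (per the text)
        wanted = (rspi2, rspi1)
        # 1. Preferred match: an established session keyed by the SPI-derived ports
        for s in self.sessions:
            if s["remote"] == src_ip and s["established"] and s["nat_ports"] == wanted:
                return (src_ip, s["inside"])
        # 2. Fallback: the pending forward session still holding the port-0 placeholders.
        #    Assumption (not stated in the text): with several pending sessions to the
        #    same peer, the most recently created one is taken.
        for s in reversed(self.sessions):
            if s["remote"] == src_ip and not s["established"] and s["nat_ports"] == (0, 0):
                s["nat_ports"] = wanted      # replace 0/0 with the SPI-derived ports
                s["established"] = True
                return (src_ip, s["inside"])
        return None


class FakeClock:
    """Constructed clock so the 3 s aging is deterministic in the walkthrough."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Forward first packet, reverse answer, established forward, and an aged-out session."""
    clk = FakeClock()
    nat = EspNat("203.0.113.1", clock=clk)                              # constructed public IP
    first = nat.forward("192.168.1.10", "198.51.100.20", 0x1234ABCD)    # PC1 -> PC2, ports 0/0
    clk.advance(1.0)
    answer = nat.reverse("198.51.100.20", "203.0.113.1", 0x5678EF01)    # PC2 -> PC1 sets ports
    later = nat.forward("192.168.1.10", "198.51.100.20", 0x1234ABCD)    # now carries 0xEF01/0x5678
    nat.forward("192.168.1.11", "198.51.100.20", 0x0BADF00D)            # second host, never answered
    clk.advance(3.5)
    stale = nat.reverse("198.51.100.20", "203.0.113.1", 0x2222AAAA)     # pending entry aged out
    return first, answer, later, stale


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The walkthrough shows why the port-0 placeholder only exists briefly: until the peer's first reverse packet arrives, every new tunnel from behind the FW to the same peer looks identical after NAT, so the 3 s window bounds how long that ambiguity can last. Once the reverse SPI has been split into ports, each tunnel is matched on its own SPI-derived ports and ordinary port-based session lookup works again.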
