Description
This article explains how NAT Traversal and Twin connections in IPsec Tunnel are working.
Solution
In certain scenarios, when multiple DialUP client behind the same NAT IP will negotiate on same remote public IP address will cause twin connections.
The complete packet flow in figure 1.1 (without NAT Traversal enabled) is explained:
Note:
The FortiGate is a state-full firewall and based on this 5 tuples (source IP, destination IP, destination port, source port, protocol (“service” in the settings).
Firewall will maintain the session state.
Considering scenario, with 2 DialUP clients behind the NAT device, when client A and B will send the IKE negotiation packet:
1st client session info in the FortiGate:
IKE Debug log:
The Network Address Translation (NAT) is a way to convert private IP addresses to publicly routable internet addresses and vice versa.
When an IP packet passes through a NAT device, the source or destination address in the IP header is modified.
FortiGate units support NAT version 1 (encapsulate on port 500 with non-IKE marker), version 3 (encapsulate on port 4500 with non-ESP marker), and compatible versions.
NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do not contain a port number.
As a result, the packets cannot be demultiplexed.
To work around this, the FortiGate unit provides a way to protect IPsec packet headers from NAT modifications.
When the Nat-traversal option is enabled, outbound encrypted packets are wrapped inside a UDP IP header that contains a port number.
This extra encapsulation allows NAT devices to change the port number without modifying the IPsec packet directly.
To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option must be enabled whenever a NAT device exists between two FortiGate VPN peers or a FortiGate unit and a DialUP client such as FortiClient.
On the receiving end, the FortiGate unit or FortiClient removes the extra layer of encapsulation before decrypting the packet.
Network: Packet flow with NAT-T enabled in IPsec.
When the FortiGate is behind NAT and NAT-T is detected, the router should maintain PAT table where source Port 4500 will be mapped with dynamic port.
For more Information on NAT-T with IPSec, refer to RFC 3947. https://tools.ietf.org/html/rfc3947
If Client A sends a packet, the packet have this form :
(Client A )
(Client B )
This article explains how NAT Traversal and Twin connections in IPsec Tunnel are working.
Solution
In certain scenarios, when multiple DialUP client behind the same NAT IP will negotiate on same remote public IP address will cause twin connections.
The complete packet flow in figure 1.1 (without NAT Traversal enabled) is explained:
Note:
The FortiGate is a state-full firewall and based on this 5 tuples (source IP, destination IP, destination port, source port, protocol (“service” in the settings).
Firewall will maintain the session state.
Considering scenario, with 2 DialUP clients behind the NAT device, when client A and B will send the IKE negotiation packet:
1st client session info in the FortiGate:
Source IP: 1.1.1.1 , Source port: 5002nd client session info in the FortiGate:
Destination IP: 2.2.2.2 , Destination port: 500
Protocol: UDP
Source IP: 1.1.1.1 , Source port: 500As both the source IP and source port are same, the FortiGate gives an error twin connections detected in IKE debug logs and deletes old connection (SA) & negotiation tunnel with new connection(SA) which will cause tunnel flapping issue between client A and B.
Destination IP: 2.2.2.2 , Destination port: 500
Protocol: UDP
IKE Debug log:
ike 1:YARD: adding new dynamic tunnel for 1.1.1.1:4500About NAT Traversal:
ike 1:YARD_1: added new dynamic tunnel for 1.1.1.1:4500
ike 1:YARD_1:966: established IKE SA b8856983d6799880/c0a7742f2eb1f993
ike 1:YARD_1: twin connections detected <----- Error.
ike 1:YARD_0: deleting
ike 1:YARD_0: flushing
ike 1:YARD_0:965: send IPsec SA delete, spi 95d5b0d1
The Network Address Translation (NAT) is a way to convert private IP addresses to publicly routable internet addresses and vice versa.
When an IP packet passes through a NAT device, the source or destination address in the IP header is modified.
FortiGate units support NAT version 1 (encapsulate on port 500 with non-IKE marker), version 3 (encapsulate on port 4500 with non-ESP marker), and compatible versions.
NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do not contain a port number.
As a result, the packets cannot be demultiplexed.
To work around this, the FortiGate unit provides a way to protect IPsec packet headers from NAT modifications.
When the Nat-traversal option is enabled, outbound encrypted packets are wrapped inside a UDP IP header that contains a port number.
This extra encapsulation allows NAT devices to change the port number without modifying the IPsec packet directly.
To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option must be enabled whenever a NAT device exists between two FortiGate VPN peers or a FortiGate unit and a DialUP client such as FortiClient.
On the receiving end, the FortiGate unit or FortiClient removes the extra layer of encapsulation before decrypting the packet.
Network: Packet flow with NAT-T enabled in IPsec.
For more Information on NAT-T with IPSec, refer to RFC 3947. https://tools.ietf.org/html/rfc3947
If Client A sends a packet, the packet have this form :
(Client A )
[src: 171.16.1.2 :4500 dst: 2.2.2.2:4500] <----- (router ) (PTable Sport:4500 mapped with 1000, Source NAT IP :1.1.1.1).If Client B sends a packet, the packet have this form:
[src: 1.1.1.1 :1000 dst: 2.2.2.2:4500] <----- router forward that packet towards FortiGate firewall.
(Client B )
[src: 171.16.1.3 :4500 dst: 2.2.2.2:4500] <----- (router ) (PTable Sport:4500 mapped with 1001, Source NAT IP :1.1.1.1).As source ports are different in the IKE packet, the FortiGate maintains two different sessions and connections(SA) for the same public IP which resolves the twin connections error.
[src: 1.1.1.1 :1002 dst: 2.2.2.2:4500] <----- router forward that packet towards FortiGate firewall.
