NAT traversal for IPsec

Network Address Translator (NAT) is a technology that is used for allowing multiple computers in the network to share a single public IP address for accessing the Internet. The basic reason for NAT usage is the limited number of IPv4 addresses. NAT is widely used in the current networks where it is also used as cloaking service for computers in internal network, since all computers behind the NAT router are hidden from external networks i.e. Internet. In the same time, this may cause connectivity problems (e.g. P2P) for terminals and applications since connections to outside has only one public IP address depending on the mode how NAT is handling the address translation. Therefore, in order to guarantee smooth and feasible traffic pass-through, several NAT traversal mechanisms has been designed and deployed. IPsec is a security protocol that is used for securing the IP (L3) level traffic. The key functionality of IPSec is to protect the confidentiality of the data, assure the authenticity of the sender, and the integrity of the data that it has not been changed in transition. Internet Key Exchange (IKE) protocol uses IPsec for embedding the IP address of sending computer into its payload. When the IKE packet that contains the embedded IPsec address is sent through NAT, the sender IP address is changed to match the address of NAT box. Therefore, when the receiver notifies that the IP address of the IKE packet do not match to sender’s original IP address, it drops the packet. The key problem of NAT with IPsec is that NAT must change information in the packet headers in order to perform the packet pass-through. This feature in NAT causes a conflict with IPsec, and the packets will be dropped. This paper discusses of existing method related to IPsec NAT traversal and the problematics regarding the IPsec NAT traversal. The goal of this paper is to present the mainstream solution how to provide NAT traversal for IPsec.