Watchguard Firebox Vclass User guide

  • Hello! I am an AI chatbot trained to assist you with the Watchguard Firebox Vclass User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
WatchGuard
®
Central Policy
Manager
Applications Guide
Central Policy Manager version 5.1
ii Central Policy Manager 5.1
Copyright
Copyright © 1998-2002 WatchGuard Technologies, Inc.
All rights reserved.
Notice to Users
Information in this document is subject to change and
revision without notice. This documentation and the software
described herein is subject to and may only be used and
copied as outlined in the Firebox System software end-user
license agreement. No part of this manual may be reproduced
by any means, electronic or mechanical, for any purpose
other than the purchaser’s personal use, without prior written
permission from WatchGuard Technologies, Inc.
TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or
registered trademarks of WatchGuard Technologies, Inc. in
the United States and other countries. Firebox, ServerLock,
DVCP, and Designing peace of mind are trademarks of
WatchGuard Technologies, Inc. All other trademarks or
trade names mentioned herein, if any, are the property of
their respective owners.
Part No: 1200016
Central Policy Manager Applications Guide iii
WatchGuard Technologies, Inc.
Firebox System Software
End-User License Agreement
WatchGuard Central Policy Manager (CPM) End-User
License Agreement
IMPORTANT - READ CAREFULLY BEFORE ACCESSING
WATCHGUARD SOFTWARE:
This Central Policy Manager End-User License Agreement
('AGREEMENT') is a legal agreement between you (either an
individual or a single entity) and WatchGuard Technologies,
Inc. ('WATCHGUARD') for the WATCHGUARD optional
software product for the WatchGuard Firebox product you
have purchased, which includes computer software
components (whether installed separately on a computer
workstation or on the WATCHGUARD hardware product)
and may include associated media, printed materials, and on-
line or electronic documentation, and any updates or
modifications thereto, including those received through the
WatchGuard LiveSecurity Service (or its equivalent), (the '
OPTIONAL SOFTWARE PRODUCT'). WATCHGUARD is
willing to license the OPTIONAL SOFTWARE PRODUCT to
you only on the condition that you accept all of the terms
contained in this Agreement. Please read this Agreement
carefully. By installing, activating or using the OPTIONAL
SOFTWARE PRODUCT you agree to be bound by the terms
of this Agreement. If you do not agree to the terms of this
AGREEMENT, WATCHGUARD will not license the
OPTIONAL SOFTWARE PRODUCT to you, and you will not
have any rights in the OPTIONAL SOFTWARE PRODUCT.
In that case, promptly return the OPTIONAL SOFTWARE
PRODUCT/license key certificate, along with proof of
payment, to the authorized dealer from whom you obtained
the OPTIONAL SOFTWARE PRODUCT/license key
certificate for a full refund of the price you paid.
iv Central Policy Manager 5.1
1. Ownership and License. The OPTIONAL SOFTWARE
PRODUCT is protected by copyright laws and international
copyright treaties, as well as other intellectual property laws
and treaties. This is a license agreement and NOT an
agreement for sale. All title and copyrights in and to the
OPTIONAL SOFTWARE PRODUCT (including but not
limited to any images, photographs, animations, video,
audio, music, text, and applets incorporated into the
OPTIONAL SOFTWARE PRODUCT), the accompanying
printed materials, and any copies of the OPTIONAL
SOFTWARE PRODUCT are owned by WATCHGUARD or its
licensors. Your rights to use the OPTIONAL SOFTWARE
PRODUCT are as specified in this AGREEMENT, and
WATCHGUARD retains all rights not expressly granted to
you in this AGREEMENT. Nothing in this AGREEMENT
constitutes a waiver of our rights under U.S. copyright law or
any other law or treaty.
2. Permitted Uses. You are granted the following rights to
the OPTIONAL SOFTWARE PRODUCT:
(A) You may install and use the OPTIONAL SOFTWARE
PRODUCT on that number of WATCHGUARD hardware
products (or manage that number of WATCHGUARD
hardware products) at any one time as permitted in the
license key certificate that you have purchased and may
install and use the OPTIONAL SOFTWARE PRODUCT on
multiple workstation computers. You must also maintain a
current subscription to the WatchGuard LiveSecurity Service
(or its equivalent) for each additional WATCHGUARD
hardware product on which you will use a copy of an updated
or modified version of the OPTIONAL SOFTWARE
PRODUCT received through the WatchGuard LiveSecurity
Service (or its equivalent).
(B) To use the OPTIONAL SOFTWARE PRODUCT on more
WATCHGUARD hardware products than provided for in
Section 2(A), you must license additional copies of the
OPTIONAL SOFTWARE PRODUCT as required.
(C) In addition to the copies described in Section 2(A), you
may make a single copy of the OPTIONAL SOFTWARE
PRODUCT for backup or archival purposes only.
Central Policy Manager Applications Guide v
3. Prohibited Uses. You may not, without express written
permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the
OPTIONAL SOFTWARE PRODUCT or printed materials
except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the OPTIONAL
SOFTWARE PRODUCT (or allow someone else to use such a
copy) for any purpose other than to replace the original copy
in the event it is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the OPTIONAL
SOFTWARE PRODUCT;
(D) Transfer this license to another party unless
(i) the transfer is permanent,
(ii) the third party recipient agrees to the terms of this
AGREEMENT, and
(iii) you do not retain any copies of the OPTIONAL
SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the
OPTIONAL SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following
limited warranties for a period of ninety (90) days from the
date you obtained the OPTIONAL SOFTWARE PRODUCT
from WATCHGUARD or an authorized dealer:
(A) Media. The disks and documentation will be free from
defects in materials and workmanship under normal use. If
the disks or documentation fail to conform to this warranty,
you may, as your sole and exclusive remedy, obtain a
replacement free of charge if you return the defective disk or
documentation to us with a dated proof of purchase.
(B) OPTIONAL SOFTWARE PRODUCT. The OPTIONAL
SOFTWARE PRODUCT will materially conform to the
documentation that accompanies it or its license key
certificate. If the OPTIONAL SOFTWARE PRODUCT fails
vi Central Policy Manager 5.1
to operate in accordance with this warranty, you may, as your
sole and exclusive remedy, return all of the OPTIONAL
SOFTWARE PRODUCT and the documentation to the
authorized dealer from whom you obtained it, along with a
dated proof of purchase, specifying the problems, and they
will provide you with a new version of the OPTIONAL
SOFTWARE PRODUCT or a full refund, at their election.
Disclaimer and Release. THE WARRANTIES,
OBLIGATIONS AND LIABILITIES OF WATCHGUARD,
AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS
4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN
SUBSTITUTION FOR, AND YOU HEREBY WAIVE,
DISCLAIM AND RELEASE ANY AND ALL OTHER
WARRANTIES, OBLIGATIONS AND LIABILITIES OF
WATCHGUARD AND ITS LICENSORS AND ALL OTHER
RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE
AGAINST WATCHGUARD AND ITS LICENSORS,
EXPRESS OR IMPLIED, ARISING BY LAW OR
OTHERWISE, WITH RESPECT TO ANY
NONCONFORMANCE OR DEFECT IN THE OPTIONAL
SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED
TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE, ANY
IMPLIED WARRANTY ARISING FROM COURSE OF
PERFORMANCE, COURSE OF DEALING, OR USAGE OF
TRADE, ANY WARRANTY OF NONINFRINGEMENT,
ANY WARRANTY THAT THE OPTIONAL SOFTWARE
PRODUCT WILL MEET YOUR REQUIREMENTS, ANY
WARRANTY OF UNINTERRUPTED OR ERROR-FREE
OPERATION, ANY OBLIGATION, LIABILITY, RIGHT,
CLAIM OR REMEDY IN TORT, WHETHER OR NOT
ARISING FROM THE NEGLIGENCE (WHETHER
ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF
WATCHGUARD AND ITS LICENSORS AND ANY
OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY
FOR LOSS OR DAMAGE TO, OR CAUSED BY OR
CONTRIBUTED TO BY, THE OPTIONAL SOFTWARE
PRODUCT).
Central Policy Manager Applications Guide vii
Limitation of Liability. WATCHGUARD'S LIABILITY
(WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND
NOTWITHSTANDING ANY FAULT, NEGLIGENCE,
STRICT LIABILITY OR PRODUCT LIABILITY) WITH
REGARD TO THE OPTIONAL SOFTWARE PRODUCT
WILL IN NO EVENT EXCEED THE PURCHASE PRICE
PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE
TRUE EVEN IN THE EVENT OF THE FAILURE OF AN
AGREED REMEDY. IN NO EVENT WILL WATCHGUARD
BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER
ARISING IN CONTRACT (INCLUDING WARRANTY),
TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED
NEGLIGENCE AND STRICT LIABILITY AND FAULT),
FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT
LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS
INTERRUPTION, OR LOSS OF BUSINESS
INFORMATION) ARISING OUT OF OR IN CONNECTION
WITH THIS WARRANTY OR THE USE OF OR INABILITY
TO USE THE OPTIONAL SOFTWARE PRODUCT, EVEN IF
WATCHGUARD HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE
TRUE EVEN IN THE EVENT OF THE FAILURE OF AN
AGREED REMEDY.
5.United States Government Restricted Rights. The
OPTIONAL SOFTWARE PRODUCT is provided with
Restricted Rights. Use, duplication or disclosure by the U.S.
Government or any agency or instrumentality thereof is
subject to restrictions as set forth in subdivision (c)(1)(ii) of
the Rights in Technical Data and Computer Software clause
at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of
the Commercial Computer Software -- Restricted Rights
Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer
is WatchGuard Technologies, Inc., 505 5th Ave. South,
Suite 500, Seattle, WA 98104.
6.Export Controls. You agree not to directly or indirectly
transfer the OPTIONAL SOFTWARE PRODUCT or
viii Central Policy Manager 5.1
documentation to any country to which such transfer would
be prohibited by the U.S. Export Administration Act and the
regulations issued thereunder.
7.Termination. This license and your right to use the
SOFTWARE PRODUCT will automatically terminate if you
fail to comply with any provisions of this AGREEMENT,
destroy all copies of the OPTIONAL SOFTWARE PRODUCT
in your possession, or voluntarily return the OPTIONAL
SOFTWARE PRODUCT to WATCHGUARD. Upon
termination you will destroy all copies of the OPTIONAL
SOFTWARE PRODUCT and documentation remaining in
your control or possession.
8.Miscellaneous Provisions. This AGREEMENT will be
governed by and construed in accordance with the
substantive laws of Washington excluding the 1980 United
National Convention on Contracts for the International Sale
of Goods, as amended. This is the entire AGREEMENT
between us relating to the OPTIONAL SOFTWARE
PRODUCT, and supersedes any prior purchase order,
communications, advertising or representations concerning
the OPTIONAL SOFTWARE PRODUCT AND BY USING
THE OPTIONAL SOFTWARE PRODUCT YOU AGREE TO
THESE TERMS. IF THE SOFTWARE PRODUCT IS
BEING USED BY AN ENTITY, THE INDIVIDUAL
INDICATING AGREEMENT TO THESE TERMS
REPRESENTS AND WARRANTS THAT (A) SUCH
INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS
AGREEMENT ON BEHALF OF THE ENTITY AND TO
BIND THE ENTITY TO THE TERMS OF THIS
AGREEMENT; (B) THE ENTITY HAS THE FULL POWER,
CORPORATE OR OTHERWISE, TO ENTER INTO THIS
AGREEMENT AND PERFORM ITS OBLIGATIONS
UNDER THIS AGREEMENT AND; (C) THIS
AGREEMENT AND THE PERFORMANCE OF THE
ENTITY'S OBLIGATIONS UNDER THIS AGREEMENT DO
NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO
WHICH THE ENTITY IS A PARTY. No change or
modification of this AGREEMENT will be valid unless it is in
writing and is signed by WATCHGUARD.
Central Policy Manager Applications Guide ix
Contents
CHAPTER 1 Creating an IPSec Manual Key Policy .......1
Creating a New IPSec Manual Key Policy ...........................1
Entering the traffic specifications ......................................2
Selecting the action .......................................................2
Making this policy bidirectional ........................................2
Creating a Custom IPSec Action ........................................3
Configuring ESP protocols ..............................................4
Configuring AH protocol .................................................6
Completing this action ...................................................6
CHAPTER 2 Editing IKE Proposals and Pairs ................7
NAT Traversal (UDP Encapsulation) ...................................8
Selecting an Existing IKE Pair Setting .................................9
Creating a New IKE Proposal ..........................................10
Entering a single transform ............................................12
Entering more than one transform ..................................13
Changing the Authentication Process ..............................16
Using symmetric certificate matching rules .......................17
Using asymmetric certificate matching rules ......................18
Defining a custom preshared key ....................................18
x Central Policy Manager 5.1
CHAPTER 3 CPM Scheduler ......................................... 21
Batch Operations .......................................................... 21
Scheduling Batch Operations ......................................... 22
Deleting Batch Operations ............................................. 30
Stopping Batch Operations ............................................ 31
Why stop a batch operation? ........................................ 31
Scheduler Views ............................................................ 32
Batch View ................................................................ 33
Appliance View .......................................................... 34
CHAPTER 4 Creating Policies for Multi-Tenant Virtual
User Domains ............................................. 35
Creating policies for VLAN tenants ................................ 36
The advantages of a VLAN ........................................... 37
Inserting VLAN tenant security policies ........................... 38
Routing VLAN traffic through a WatchGuard appliance ....... 40
Note: Using a Firebox Vclass appliance in a VLAN setting ... 41
Creating policies for user-domain tenants ........................ 42
Inserting user domain tenant security policies .................. 42
Additional information ................................................. 43
An example of a user-domain policy in use ...................... 43
An overview of user-domain tenant authentication ........... 44
Inserting user domain tenant security policies .................. 45
How a user domain tenant makes a connection ............... 45
Activating the Firebox Vclass “authenticate with certificates”
feature
................................................................. 46
Importing a VPN certificate into a user’s Web browser ........ 47
CHAPTER 5 Defining Alarms ....................................... 49
About Built-in Alarms ..................................................... 49
About Probe Counters ................................................... 50
About Overriding Alarms ............................................... 51
Creating a New Alarm .................................................... 51
Adding system probe counters ...................................... 54
Adding VPN peer probe counters ................................. 56
Adding Interface probe counters ................................... 57
Central Policy Manager Applications Guide xi
Completing the alarm definition .....................................59
CHAPTER 6 Setting up and Managing Log Files ........61
Types of Logs .................................................................61
Log Size and Rollover .....................................................62
Viewing the CPM Log .....................................................63
Viewing the Logs for Specific Appliances .........................64
Revising Log Settings for an Appliance ............................64
Managing a Large Number of Log Entries ........................66
Changing the number of log entries per page ...................66
Filtering the contents of a log ........................................67
Creating a cumulative set of filters ..................................68
Archiving Log Files .........................................................68
CHAPTER 7 Maintaining Appliances ............................71
About the Shortcut Menu ...............................................71
Remotely Restarting an Appliance ...................................72
Remotely Shutting Down an Appliance ............................73
Restoring an Appliance to the Factory Default State .........73
Archiving an Appliance’s Profile as an XML File ................74
Synchronizing an Appliance’s Clock with CPM Server ........75
CHAPTER 8 Special Topics ............................................77
Installing CPM Server on a Solaris host ............................77
Backing up the CPM Database ........................................78
Restoring an Archived CPM Server Database ...................80
CHAPTER 9 Case Studies .............................................83
Dynamic NAT Firewall Policy ...........................................83
Policy (“dnat_access”) ..................................................83
QoS Actions ..................................................................84
Example 1: .................................................................84
Example 2: .................................................................85
VLAN in WatchGuard appliances .....................................86
Tunnel Switching Between Remote Sites ..........................87
Adding a new site .......................................................89
xii Central Policy Manager 5.1
CHAPTER 10 About the CPM Configuration Files ...... 91
CPM Server Config file ................................................... 91
Additional parameters ................................................. 95
CPM Client Config file ................................................... 97
CHAPTER 11 Real-time Monitor Probe Counters ........ 99
System Counters ........................................................... 99
Aggregate counters for all VPN end-point pairs ............. 105
IPSec counters per VPN end-point pair ........................ 106
Policy counters per policy ............................................ 107
Policy counters for all policies ....................................... 108
Interface counters ........................................................ 109
Central Policy Manager Applications Guide 1
CHAPTER 1 Creating an IPSec
Manual Key Policy
This chapter describes the process of creating a VPN
policy that uses a manual key. Initially, you must cre-
ate a set of manual key IPSec actions for use in your
policies. Critical parts of these actions include the
required security protocols, the preferred algorithms
for each, the manual key text for use with each proto-
col, and the local and peer SPI values for the two
appliances.
Note that manual key VPN policies cannot be applied
to more than two appliances.
Creating a New IPSec Manual Key Policy
To create a policy that establishes a bi-directional man-
ual-key VPN connection between two appliances, fol-
low these steps. You do not need to create a separate
policy for each direction of data traffic. You can apply
bidirectionality to a single unidirectional policy to
activate traffic in both directions.
CHAPTER 1: Creating an IPSec Manual Key Policy
2 Central Policy Manager 5.1
Entering the traffic specifications
1 Create a new policy row.
2 Drag-and-drop an address entry that represents the
private network of one of the two appliances into the
Source cell.
If you are creating a bidirectional VPN policy, you can drag
either address entry into the Source or Destination cells.
3 Drag-and-drop the address entry representing the
private network of the second appliance into the
Destination cell.
4 If you don’t want to use “ANY”, drag-and-drop the
relevant services from the Services tab into the policy
row Service cell.
Selecting the action
1 Open the IPSec Action tab and drag-and-drop the
appropriate manual key action into the Action cell.
CPM does not include any default manual-key IPSec actions. You
must create these actions before creating manual key policies.
For more information, see “Creating a Custom IPSec Action,”
below.
2 If necessary, open the Schedule tab and drag a
schedule entry into the Schedule cell.
If the Schedule cell does not appear in the policy row, select View
=> Show Columns => Schedule.
Making this policy bidirectional
1 Reopen the Policies tab, if it is not visible.
2 In the newly created policy, right-click the newly
added IPSec action, or the Action cell.
3 Select Bi-Directional to apply bidirectionality to this
IPSec action and the policy.
Creating a Custom IPSec Action
Central Policy Manager Applications Guide 3
Creating a Custom IPSec Action
If you find the default IPSec actions insufficient for your
particular network requirements, you can create and cus-
tomize your own IPSec action. These actions are usable in
as many policies as you want to apply them to:
1 Click the Configuration Editor window’s IPSec Action
tab.
2 Click the Create a New Object icon (shown at
right) and select New Manual IPSec from the
menu.
The IPSec Action dialog box appears, with its features
distributed into two tabs: General and Manual.
3 In the General tab (open by default) in the Name field,
type a name for this new action.
The name can consist of numbers, letters, hyphens (-), and
underscore (_) characters.
4 From the Mode menu, select either Tunnel or
Transport.
If you select Tunnel, this policy prompts the Firebox
Vclass appliance to hide any information about the
original sender of data. This option is preferred for site-
CHAPTER 1: Creating an IPSec Manual Key Policy
4 Central Policy Manager 5.1
to-site connections, in which the traffic goes through
the Firebox Vclass appliance.
If you select Transport, no additional identity masking
is applied. This option is recommended for use in
secured communication directed to either Firebox
Vclass appliance, such as SNMP traffic.
5 Click the Manual tab.
6 In both Local SPI and Peer SPI fields, type a different
unique number (between 256 and 65535) in each field.
The Local SPI entry is used to identify the key stored in the
source security appliance, while the Peer SPI entry identifies the
key used by the destination appliance. If you are activating
bidirectionality, you can enter the numbers arbitrarily, in either
field.
7 If you want to type the key text in hexadecimal
notation, select the checkbox marked use Hex.
Configuring ESP protocols
1 From the ESP Encrypt Alg menu, select the option you
want.
Creating a Custom IPSec Action
Central Policy Manager Applications Guide 5
2 Click Enter Key.
The ESP Encryption Key dialog box appears, listing a default key
composed of a randomly generated series of numbers.
3 If you want to type the key text in hexadecimal
notation, click by Hex.
4 In the Key field, enter the key.
You can accept the default, CPM-generated key text by clicking
OK.
5 Click OK to save the new key entry and close the ESP
Encryption Key dialog box.
6 When the Select IPSec dialog box’s Manual tab
reappears, open the ESP Hash Alg menu and select the
option you want.
7 Click Enter Key (to the right of the ESP Hash Alg
menu.)
The ESP Hash Key dialog box appears, listing a default key that
incorporates a randomly generated series of numbers.
8 If you want to type the key text in hexadecimal
notation, click by Hex.
9 In the Key field, enter the key.
You can accept the default, CPM-generated key text by clicking
OK.
10 Click OK to save the key entry and close this dialog
box.
CHAPTER 1: Creating an IPSec Manual Key Policy
6 Central Policy Manager 5.1
Configuring AH protocol
1 Click the Authentication Protocol checkbox.
2 Open the Hash Alg menu and select the option you
want.
3 Click Enter Key (to the right of the AH Hash Alg
menu.)
The AH Hash Key dialog box appears, listing a default key that
incorporates a randomly generated series of numbers.
4 If you want to type the key text in hexadecimal
notation, click by Hex.
5 In the Key field, enter the text of the key.
You can accept the default, CPM-generated key text by clicking
OK.
6 Click OK to save the key entry.
The IPSec Action dialog box reappears.
Completing this action
You can now save your new action entries and then select
this action for use in the policy.
1 To save your manual IPSec action entries, click OK.
2 You can now add this action to any new or existing
policies.
Central Policy Manager Applications Guide 7
CHAPTER 2 Editing IKE
Proposals and Pairs
Every time an automatic key IPSec action is applied to
a policy, CPM automatically generates an IKE pro-
posal that is used by the security appliances affected
by that policy. The default IKE proposals will meet the
majority of your needs. However, you can use CPM to
customize an existing proposal or create a new pro-
posal. This is especially useful if you are establishing
VPN tunnels between a Firebox Vclass appliance and
a “foreign” appliance that has its own internal pro-
posal structure.
You can also review and modify the settings for both
existing IKE pairs that are used in automatic key IKE
exchanges.
Before you can select or revise the IKE proposals for a
specific pair of peers, the following conditions must be
in effect:
Each peer security appliance must be listed in the
Configuration Editor window and currently
visible to CPM by a live connection.
CHAPTER 2: Editing IKE Proposals and Pairs
8 Central Policy Manager 5.1
All relevant pairings of security appliances (“peers”)
must be recorded in CPM as peer pairs in the
Configuration Editor window IKE Pairs tab.
If third-party authentication is to be used, the
certificates must have already been imported to the
security appliances.
NAT Traversal (UDP Encapsulation)
A problem occurs with IPSec-encrypted packets crossing
NAT devices. The IPsec authentication header (AH) pro-
tects entire IP packets, including IP headers, from modifi-
cation. NAT modifies the IP header, causing an inherent
incompatibility. The IPsec Encapsulating Security Payload
(ESP) encrypts IP packets. NAT cannot modify TCP and
UDP ports when these values are encrypted. NAT is there-
fore incompatible with ESP.
The solution for this problem is UDP encapsulation, or NAT
traversal. UDP encapsulation wraps an IPsec packet inside a
UDP/IP header. This allows NAT to function, without
modifying the encapsulated IPsec packet.
Figure 3: UDP Encapsulation
Encapsulation requires “decapsulation.” ESP-wrapped
packets are exchanged between IKE peers: gateway-to-
gateway, client-to-gateway, and client-to-client. Peers must
support the same method of UDP ESP encapsulation.
NAT traversal is enabled per IKE policy. It is not a global
setting. If NAT traversal is enabled for an IKE policy, and
an IKE peer has NAT traversal capability but the peer’s
Original
IP Header
UDP
Header
Zero
Pad
ESP
Header
TCP/UDP Original Payload ESP Trail ESP Auth
Encrypted
Authenticated
/