SonicWall IKE VPN negotiations, UDP Ports and NAT-Traversal explanation
12/20/2019
Description
Resolution
Traffic on UDP port 500 is used for the start of all IKE negotiations between VPN peers. This is true of all IPSec platforms. In some cases, UDP port 4500 is also used. This technote will explain when and why.
It is becoming more common for VPN gateway devices, or computers running VPN software, to negotiate IKE while passing through a third-party NAT device. This means the gateway is using a private IP address on its WAN, or the computer is using a private IP address. NAT-Traversal makes VPN access possible even through a third-party NAT device that does not pass true IPSec traffic (ESP, IP protocol 50). The NAT devices run by corporations and by providers of Internet access in public places usually must allow UDP traffic of any type. The NAT-Traversal found in most modern VPN platforms takes advantage of that by allowing the two sides of a VPN to agree to encapsulate their secure traffic inside UDP.
NAT-Traversal has had many versions, and years ago interoperability was difficult. Fortunately, it is now a standard that most vendors have followed well for years. Its initial version was standardized for IKE version 1 - http://tools.ietf.org/html/rfc3947 - and was updated with IKEv2: http://tools.ietf.org/html/rfc4306
UDP port 500 is used for IKE all the way through:
- when there is no NAT between the two peers (both peers have public IP addresses on their WANs), or
- when there is a NAT between the two peers, but one or both sides does not support the official NAT-Traversal standard.
UDP port 4500 is used for IKE and then for encapsulating ESP data when three conditions are met:
- there is a NAT between the two peers;
- both peers are fully compliant with the official NAT-Traversal standard; and
- both peers have agreed to do NAT-Traversal in the initial part of the IKE negotiation over UDP port 500.
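The three conditions above can be checked directly against a gateway's "VPN IKE" log: NAT-D payloads in Phase 1 show both peers support NAT-T, the "NAT Discovery" / "NAT device detected" message shows a NAT was found, and the endpoint ports in later messages show whether IKE actually moved to UDP 4500. The following script is an added example, not SonicWall code: it parses constructed log lines modelled on the excerpts in this article (the IP addresses, cookies and policy names in the samples are taken from those excerpts or from RFC 5737 test ranges) and reports which of the port-usage cases applies.

```python
import re
from dataclasses import dataclass, field

# Endpoint pair as SonicOS prints it: "<src ip>, <src port> [(admin)] <dst ip>, <dst port>"
ENDPOINTS = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}), (\d+) (?:\(admin\) )?(\d{1,3}(?:\.\d{1,3}){3}), (\d+)")

# Constructed sample modelled on Example 1 below: NAT-D exchanged, NAT found, IKE moves to 4500.
NATT_LOG = """\
12 07/24/2008 17:28:55.448 Info VPN IKE IKE Initiator: Start Aggressive Mode negotiation (Phase 1) 10.50.22.57, 500 67.115.118.184, 500 VPN Policy: NSA2400
14 07/24/2008 17:28:56.112 Debug VPN IKE RECEIVED<<< ISAKMP OAK AG (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0x0) (SA, KE, NON, ID, NATD, NATD, HASH) 67.115.118.184, 500 10.50.22.57, 500
15 07/24/2008 17:28:56.704 Info VPN IKE NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device
20 07/24/2008 17:28:58.688 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). 10.50.22.57, 4500 67.115.118.184, 4500 VPN Policy: NSA2400
"""
# Constructed sample with no NAT-D payloads at all: IKE never leaves UDP 500 (RFC 5737 addresses).
PLAIN_LOG = """\
1 01/01/2020 10:00:00.000 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 203.0.113.10, 500 198.51.100.20, 500 VPN Policy: Branch
2 01/01/2020 10:00:00.200 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0 RespCookie:0x0, MsgID: 0x0) (SA, VID) 198.51.100.20, 500 203.0.113.10, 500
"""

@dataclass
class IkeSummary:
    natd_payloads: bool = False   # NAT-D payloads seen in Phase 1 (both peers support NAT-T)
    nat_detected: bool = False    # the gateway logged that a NAT sits between the peers
    port_sequence: list = field(default_factory=list)  # (src_port, dst_port) per logged message

    def verdict(self) -> str:
        ports = {p for pair in self.port_sequence for p in pair}
        if self.nat_detected and 4500 in ports:
            return "NAT-T negotiated: IKE moved to UDP 4500 and ESP will be UDP-encapsulated"
        if self.natd_payloads and ports == {500}:
            return "NAT-D exchanged but no NAT found: IKE stays on UDP 500, ESP runs as raw IP protocol 50"
        if not self.natd_payloads and ports == {500}:
            return "No NAT-D payloads: a peer lacks NAT-T support; IKE stays on UDP 500, ESP is raw IP protocol 50"
        return "Inconclusive: check the full Phase 1 exchange"

def analyze(log_text: str) -> IkeSummary:
    """Walk SonicOS 'VPN IKE' log lines in order and record the NAT-T evidence they carry."""
    summary = IkeSummary()
    for line in log_text.splitlines():
        if re.search(r"\bNATD\b", line):
            summary.natd_payloads = True
        if "NAT Discovery" in line or "NAT device detected" in line:  # IKEv1 / IKEv2 wording
            summary.nat_detected = True
        if m := ENDPOINTS.search(line):
            summary.port_sequence.append((int(m.group(2)), int(m.group(4))))
    return summary
```

Feeding the responder-side Example 2 lines through the same function works as well, because the regex skips the "(admin)" tag SonicOS inserts after the peer's NATed source port.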
See the following IKE log examples:
- Example 1. TZ170W log as it initiates IKE Aggressive Mode to the NSA-2400.
- Example 2. NSA-2400 log as it responds to the TZ170W IKE Aggressive Mode in Example 1.
- Example 3. TZ170W log as it initiates IKEv2 to the NSA-2400.
EXAMPLE 1: The log excerpt below is from a TZ170W running SonicOS Enhanced 3.2.3.0, with a WAN IP of 10.50.22.57, initiating an IKE Aggressive Mode VPN with an NSA-2400 running SonicOS Enhanced 5.0.2.0_17o, with a WAN IP of 67.115.118.184.
12 07/24/2008 17:28:55.448 Info VPN IKE IKE Initiator: Start Aggressive Mode negotiation (Phase 1) 10.50.22.57, 500 67.115.118.184, 500 VPN Policy: NSA2400
13 07/24/2008 17:28:55.896 Debug VPN IKE SENDING>>>> ISAKMP OAK AG (InitCookie:0x5f16908f16ba7509 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, KE, NON, ID, VID, VID, VID, VID, VID, VID, VID, VID) 10.50.22.57, 500 67.115.118.184, 500
14 07/24/2008 17:28:56.112 Debug VPN IKE RECEIVED<<< ISAKMP OAK AG (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0x0) (SA, KE, NON, ID, NOTIFY:SONICWALL_MTU, VID, VID, VID, NATD, NATD, VID, VID, HASH) 67.115.118.184, 500 10.50.22.57, 500
15 07/24/2008 17:28:56.704 Info VPN IKE NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device
16 07/24/2008 17:28:56.704 Info VPN IKE IKE Initiator: Aggressive Mode complete (Phase 1). 10.50.22.57, 500 67.115.118.184, 500 VPN Policy: NSA2400;3DES; SHA1; DH Group 5; lifetime=600 secs
17 07/24/2008 17:28:56.704 Debug VPN IKE SENDING>>>> ISAKMP OAK AG (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0x0) *(NOTIFY:SONICWALL_MTU, NATD, NATD, HASH) 10.50.22.57, 4500 67.115.118.184, 4500
18 07/24/2008 17:28:56.704 Debug VPN IKE SENDING>>>> ISAKMP OAK INFO (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0x64E650E1) *(HASH, NOTIFY:INITIAL_CONTACT) 10.50.22.57, 4500 67.115.118.184, 4500
19 07/24/2008 17:28:56.720 Debug VPN IKE RECEIVED<<< ISAKMP OAK INFO (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0xF7820547) *(HASH, NOTIFY:INITIAL_CONTACT) 67.115.118.184, 4500 10.50.22.57, 4500
20 07/24/2008 17:28:58.688 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). 10.50.22.57, 4500 67.115.118.184, 4500 VPN Policy: NSA2400
21 07/24/2008 17:28:58.912 Debug VPN IKE SENDING>>>> ISAKMP OAK QM (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0xE4AAC7F1) *(HASH, SA, NON, KE, ID, ID) 10.50.22.57, 4500 67.115.118.184, 4500
22 07/24/2008 17:28:59.080 Debug VPN IKE RECEIVED<<< ISAKMP OAK QM (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0xE4AAC7F1) *(HASH, SA, NON, KE, ID, ID) 67.115.118.184, 4500 10.50.22.57, 4500
23 07/24/2008 17:28:59.384 Info VPN IKE IKE Initiator: Accepting IPSec proposal (Phase 2) 10.50.22.57, 4500 67.115.118.184, 4500 VPN Policy: NSA2400; Local network 172.17.1.0 / 255.255.255.0; Remote network 192.168.24.0/255.255.255.0
24 07/24/2008 17:28:59.384 Info VPN IKE IKE negotiation complete. Adding IPSec SA. (Phase 2) 10.50.22.57, 4500 67.115.118.184, 4500 VPN Policy: NSA2400; ESP:3DES; HMAC_SHA1; Group 5; Lifetime=600 secs; inSPI:e87487f0; outSPI:e0581137
EXAMPLE 2: The log excerpt below is from the NSA-2400 responding to the same IKE Aggressive Mode VPN seen above, initiated from the TZ170W.
3 07/24/2008 17:28:56.016 Debug VPN IKE RECEIVED<<< ISAKMP OAK AG (InitCookie:0x5f16908f16ba7509 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, KE, NON, ID, VID, VID, VID, VID, VID, VID, VID, VID) 67.115.118.5, 63552 (admin) 67.115.118.184, 500
4 07/24/2008 17:28:56.016 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 67.115.118.5, 63552 (admin) 67.115.118.184, 500
5 07/24/2008 17:28:56.128 Debug VPN IKE SENDING>>>> ISAKMP OAK AG (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0x0) (SA, KE, NON, ID, NOTIFY: SONICWALL_MTU, VID, VID, VID, NATD, NATD, VID, VID, HASH) 67.115.118.184, 500 67.115.118.5, 63552 VPN Policy: TZ170W
6 07/24/2008 17:28:56.768 Debug VPN IKE RECEIVED<<< ISAKMP OAK AG (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0x0) *(NOTIFY: SONICWALL_MTU, NATD, NATD, HASH) 67.115.118.5, 63567 (admin) 67.115.118.184, 4500 VPN Policy: TZ170W
7 07/24/2008 17:28:56.768 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
8 07/24/2008 17:28:56.768 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 67.115.118.5, 63567 (admin) 67.115.118.184, 4500 VPN Policy: TZ170W;3DES; SHA1; DH Group 5; lifetime=600 secs
9 07/24/2008 17:28:56.768 Debug VPN IKE SENDING>>>> ISAKMP OAK INFO (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0xF7820547) *(HASH, NOTIFY: INITIAL_CONTACT) 67.115.118.184, 4500 67.115.118.5, 63567 VPN Policy: TZ170W
10 07/24/2008 17:28:56.768 Debug VPN IKE RECEIVED<<< ISAKMP OAK INFO (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0x64E650E1) *(HASH, NOTIFY: INITIAL_CONTACT) 67.115.118.5, 63567 (admin) 67.115.118.184, 4500 VPN Policy: TZ170W
11 07/24/2008 17:28:59.016 Info VPN IKE IKE Responder: Received Quick Mode Request (Phase 2) 67.115.118.5, 63567 (admin) 67.115.118.184, 4500 VPN Policy: TZ170W
12 07/24/2008 17:28:59.016 Debug VPN IKE RECEIVED<<< ISAKMP OAK QM (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0xE4AAC7F1) *(HASH, SA, NON, KE, ID, ID) 67.115.118.5, 63567 (admin) 67.115.118.184, 4500 VPN Policy: TZ170W
13 07/24/2008 17:28:59.112 Debug VPN IKE SENDING>>>> ISAKMP OAK QM (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0xE4AAC7F1) *(HASH, SA, NON, KE, ID, ID) 67.115.118.184, 4500 67.115.118.5, 63567 VPN Policy: TZ170W
14 07/24/2008 17:28:59.432 Debug VPN IKE RECEIVED<<< ISAKMP OAK QM (InitCookie:0x5f16908f16ba7509 RespCookie:0x9a32b92f6bf6dfeb, MsgID: 0xE4AAC7F1) *(HASH) 67.115.118.5, 63567 (admin) 67.115.118.184, 4500 VPN Policy: TZ170W
15 07/24/2008 17:28:59.432 Info VPN IKE IKE Responder: Accepting IPSec proposal (Phase 2) 67.115.118.5, 63567 (admin) 67.115.118.184, 4500 VPN Policy: TZ170W; Local network 192.168.24.0 / 255.255.255.0; Remote network 172.17.1.0/255.255.255.0
16 07/24/2008 17:28:59.432 Info VPN IKE IKE negotiation complete. Adding IPSec SA. (Phase 2) 67.115.118.5, 63567 (admin) 67.115.118.184, 4500 VPN Policy: TZ170W; ESP:3DES; HMAC_SHA1; Group 5; Lifetime=600 secs; inSPI:0xe0581137; outSPI:0xe87487f0
EXAMPLE 3: The log excerpt below is from a TZ170W running SonicOS Enhanced 3.2.3.0, with a WAN IP of 10.50.22.57, initiating an IKEv2 VPN with an NSA-2400 running SonicOS Enhanced 5.0.2.0_17o, with a WAN IP of 67.115.118.184.
05/08/2008 17:14:37.768 - Info - VPN IKE - IKEv2 Initiator: Send IKE_SA_INIT request - 10.50.22.57, 500 - 67.115.118.184, 500 - VPN Policy: NSA2400;
05/08/2008 17:14:37.816 - Info - VPN IKE - IKEv2 Initiator: Received IKE_SA_INT response - 67.115.118.184, 500 - 10.50.22.57, 500 -
05/08/2008 17:14:37.816 - Info - VPN IKE - IKEv2 Accept IKE SA Proposal - 10.50.22.57, 500 - 67.115.118.184, 500 - VPN Policy: NSA2400; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0xe470b2b8b330c831; IKEv2 RespSPI: 0xcad62632886b63fa
05/08/2008 17:14:37.928 - Info - VPN IKE - IKEv2 NAT device detected between negotiating peers - 10.50.22.57, 500 - 67.115.118.184, 500 - VPN Policy: NSA2400; Local gateway is behind a NAT device
05/08/2008 17:14:37.928 - Info - VPN IKE - IKEv2 Initiator: Send IKE_AUTH request - 10.50.22.57, 4500 - 67.115.118.184, 4500 - VPN Policy: NSA2400;
05/08/2008 17:14:37.928 - Info - VPN IKE - IKEv2 Initiator: Received IKE_AUTH response - 10.50.22.57, 4500 - 67.115.118.184, 4500 - VPN Policy: NSA2400;
05/08/2008 17:14:37.928 - Info - VPN IKE - IKEv2 Authentication successful - 10.50.22.57, 4500 - 67.115.118.184, 4500 - VPN Policy: NSA2400;
05/08/2008 17:14:37.928 - Info - VPN IKE - IKEv2 Accept IPsec SA Proposal - 10.50.22.57, 4500 - 67.115.118.184, 4500 - VPN Policy: NSA2400; ESP; 3DES; HMAC_SHA1_96;