Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

IKE and ESP ALG

 

Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) are a part of the IP Security (IPsec) protocol. IKE and ESP traffic is exchanged between the clients and the server. The IKE and ESP ALG helps in resolving the IPsec VPNs issues when the IPsec VPN passes through the device of which NAT is enabled.

Understanding the IKE and ESP ALG

An NFX Series or SRX Series device can be used solely as a Network Address Translation (NAT) device when placed between VPN clients on the private side of the NAT gateway and the virtual private network (VPN) gateways on the public side.

Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic is exchanged between the clients and the server. However, if the clients do not support NAT-Traversal (NAT-T) and if the device assigns the same NAT-generated IP address to two or more clients, the device will be unable to distinguish and route return traffic properly.

Note

If the user wants to support both NAT-T-capable and non-NAT-T-capable clients, then some additional configurations are required. If there are NAT-T capable clients, the user must enable the source NAT address persistence.

The ALG for IKE and ESP monitors IKE traffic between the client and the server and permits only one IKE Phase 2 message exchange between any given client/server pair, not just one exchange between any client and any server.

ALG for IKE and ESP traffic has been created and NAT has been enhanced to implement the following:

  • To enable the devices to pass IKE and ESP traffic with a source NAT pool

  • To allow the device to be configured to return the same NAT-generated IP address for the same IP address without NAT ("address-persistent NAT"). As a result, the device is able to associate a client's outgoing IKE traffic with its return traffic from the server, especially when the IKE session times out and needs to be reestablished.

  • The resulting ESP traffic between the client and the server is also allowed, especially in the direction from the server to the client.

  • The return ESP traffic matches the following:

    • The server IP address as source IP

    • The client IP address as destination IP

Note

In SRX1400, SRX1500, SRX3400, SRX3600, SRX5600, or SRX5800 devices, IKE negotiations involving NAT traversal do not work if the IKE peer is behind a NAT device that will change the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP because the IKE protocol switches the UDP port from 500 to 4500. (Platform support depends on the Junos OS release in your installation.)

Understanding IKE and ESP ALG Operation

Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic has the following behavior:

  • An IKE and ESP ALG monitors IKE traffic between the client and the server, and it permits only one IKE Phase 2 message exchange between the client and the server at any given time.

  • For a Phase 2 message:

    • If a Phase 2 message exchange between the client and server does not happen, the IKE ALG gates are opened for the relevant ESP traffic from the client to the server and from the server to the client.

    • If both IKE ALG gates are not opened successfully, or if the Phase 2 message exchange already took place, then the Phase 2 message is dropped.

  • When ESP traffic hits the IKE ALG gates, sessions are created to capture subsequent ESP traffic, and to perform the proper NATing (that is, the source IP address translation from the client to the server traffic and the destination IP address translation from the server to the client traffic).

  • When the ESP traffic does not hit either one or both of the gates, then the gates naturally time out.

  • Once the IKE ALG gates are collapsed or timed out, another IKE Phase 2 message exchange is permitted.

  • IKE NAT-T traffic on floating port 4500 is not processed in an IKE ALG. To support a mixture of NAT-T-capable and non-capable clients, you need to enable source NAT address persistent.

Example: Configuring the IKE and ESP ALG

This example shows how to configure the IKE and ESP ALG to pass through IKE and ESP traffic with a source NAT pool on Juniper Networks devices.

Requirements

Before you begin:

Overview

In this example, the ALG for IKE and ESP is configured to monitor and allow IKE and ESP traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.

This example shows how to configure a source NAT pool and rule set, configure a custom application to support the IKE and ESP ALG, and associate this ALG to a policy.

If you want to support a mixture of NAT-traversal (NAT-T) capable clients and noncapable clients, you must enable persistent source NAT translation (so that once a particular source NAT is associated with a given IP address, subsequent source NAT translations use the same IP address). You also must configure a custom IKE NAT traversal application to support the encapsulation of IKE and ESP in UDP port 4500. This configuration enables IKE and ESP to pass through the NAT-enabled device.

Configuration

Configuring a NAT Source Pool and Rule Set

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a source NAT pool:

  1. Create a NAT source pool.
  2. Configure security zone address book entries.
  3. Create a NAT source rule set.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring a Custom Application and Associating it to a Policy

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a custom application and associate it to a policy:

  1. Configure a custom application.
  2. Associate the custom application to a policy.

Results

From configuration mode, confirm your configuration by entering the show applications and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure IKE and ESP ALG support for both NAT-T capable and noncapable clients:

  1. Globally enable persistent source NAT translation.
  2. Configure the IKE NAT-T application.
  3. Associate the NAT-T application using a policy.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying IKE and ESP ALG Custom Applications

Purpose

Verify that the custom applications to support the IKE and ESP ALG are enabled.

Action

From operational mode, enter the show security alg status command.

Meaning

The output shows the ALG status as follows:

  • Enabled—Shows the ALG is enabled.

  • Disabled—Shows the ALG is disabled.

Verifying the Security Polices of ALG

Purpose

Verify that the application custom IKE ALG and application custom IKE NATT are set.

Action

From operational mode, enter the show security policies command.

Meaning

The sample output shows that custom IKE ALG and custom IKE NATT applications are set.

Example: Enabling the IKE and ESP ALG and Setting Timeouts

This example shows how to enable the IKE and ESP ALG and set the timeout values to allow time for the ALG to process ALG state information, ESP gates, and ESP sessions.

Requirements

Understand the concepts behind ALG for IKE and ESP. See Understanding IKE and ESP ALG Operation.

Overview

The IKE and ESP ALG processes all traffic specified in any policy to which the ALG is attached. In this example, you configure the set security alg ike-esp-nat enable statement so the current default IPsec pass-through behavior is disabled for all IPsec pass-through traffic, regardless of policy.

You then set the timeout values to allow time for the IKE and ESP ALG to process ALG state information, ESP gates, and ESP sessions. In this example, you set the timeout of ALG state information. The timeout range is 180 through 86400 seconds. The default timeout is 14400 seconds. You then set the timeout of the ESP gates created after an IKE Phase 2 exchange has completed. The timeout range is 2 through 30 seconds. The default timeout is 5 seconds. Finally, you set the idle timeout of the ESP sessions created from the IPsec gates. If no traffic hits the session, it is aged out after this period of time. The timeout range is 60 through 2400 seconds. The default timeout is 1800 seconds.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To enable the IKE and ESP ALG and set the timeout values:

  1. Enable the IKE and ESP ALG.
  2. Set the timeout for the ALG state information.
  3. Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.
  4. Set the idle timeout for the ESP sessions created from the IPsec gates.

Results

From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the ALG for IKE and ESP and Timeout Settings

Purpose

Verify that the ALG for IKE and ESP is enabled and the timeout settings for this feature are correct.

Action

From operational mode, enter the show security alg ike-esp-nat command.

Related Documentation