IKE and ESP ALG
Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) are part of the IP Security (IPsec) protocol suite. IKE and ESP traffic is exchanged between the clients and the server. The IKE and ESP ALG resolves the problems that arise when IPsec VPN traffic passes through a device on which NAT is enabled.
Understanding the IKE and ESP ALG
An NFX Series or SRX Series Firewall can be used solely as a Network Address Translation (NAT) device when placed between VPN clients on the private side of the NAT gateway and the virtual private network (VPN) gateways on the public side.
Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic is exchanged between the clients and the server. However, if the clients do not support NAT-Traversal (NAT-T) and if the device assigns the same NAT-generated IP address to two or more clients, the device will be unable to distinguish and route return traffic properly.
If you want to support both NAT-T-capable and non-NAT-T-capable clients, additional configuration is required: you must enable source NAT address persistence (the address-persistent option) and permit the NAT-T traffic on UDP port 4500.
The ALG for IKE and ESP monitors IKE traffic between the client and the server and permits only one IKE Phase 2 message exchange at a time between any given client/server pair. The limit applies per pair, not to all clients and servers collectively.
The ALG for IKE and ESP traffic was created, and NAT was enhanced, to implement the following:
To enable the devices to pass IKE and ESP traffic with a source NAT pool
To allow the device to be configured to return the same NAT-generated IP address for a given untranslated source IP address ("address-persistent NAT"). As a result, the device can associate a client's outgoing IKE traffic with the return traffic from the server, in particular when the IKE session times out and must be reestablished.
The resulting ESP traffic between the client and the server is also allowed, in particular in the direction from the server to the client.
The return ESP traffic matches the following:
The server IP address as the source IP address
The client's NAT-generated (pool) IP address as the destination IP address, which the device translates back to the client's private address
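The two NAT behaviors this section relies on, why ESP return traffic becomes ambiguous when non-NAT-T clients share one pool address, and why address persistence keeps a client on the same pool address after its IKE session ages out, are easy to see in a small model. The following is an added example, not Junos code or part of the original page: a toy source NAT pool in Python. The client, server and pool addresses are assumed to match the configuration example later on this page (clients in 1.1.1.0/24, pool 10.10.10.1 to 10.10.10.10, server in 2.2.2.0/24); the round-robin address selection and the 60-second session idle timeout are simplifications chosen for the demonstration.

```python
"""Toy source NAT pool modelling address persistence and the difference between
ESP (IP protocol 50, no ports) and NAT-T (UDP 4500, port translation applies).
Constructed example, not Junos code; addresses mirror the example on this page."""


class SourceNat:
    def __init__(self, pool, address_persistent=False, session_timeout=60):
        self.pool = list(pool)                  # pool addresses, e.g. 10.10.10.1 .. 10.10.10.10
        self.address_persistent = address_persistent
        self.session_timeout = session_timeout  # idle timeout for NAT sessions (seconds, assumed)
        self.rr = 0                             # round-robin cursor over the pool (assumed policy)
        self.next_port = 1024                   # next translated UDP source port (PAT)
        self.sessions = {}                      # (client, server, proto, sport) -> [pool_ip, xport, last_seen]
        self.persistent = {}                    # client -> pool_ip, used only with address_persistent

    def _expire(self, now):
        # Idle sessions age out; a persistent address binding deliberately survives them.
        self.sessions = {k: v for k, v in self.sessions.items()
                         if now - v[2] <= self.session_timeout}

    def _pick_ip(self, client):
        if self.address_persistent and client in self.persistent:
            return self.persistent[client]
        ip = self.pool[self.rr % len(self.pool)]
        self.rr += 1
        if self.address_persistent:
            self.persistent[client] = ip
        return ip

    def outbound(self, client, server, proto, now, sport=None):
        """Translate a client->server packet; returns (pool_ip, translated_port).

        proto is "udp" (IKE on 500 or NAT-T on 4500; port translation applies)
        or "esp" (no transport header, so there is no port to translate)."""
        self._expire(now)
        key = (client, server, proto, sport)
        if key not in self.sessions:
            xport = None
            if proto == "udp":
                xport, self.next_port = self.next_port, self.next_port + 1
            self.sessions[key] = [self._pick_ip(client), xport, now]
        entry = self.sessions[key]
        entry[2] = now
        return entry[0], entry[1]

    def inbound(self, server, pool_ip, proto, now, dport=None):
        """Clients a server->pool_ip packet could belong to (empty: no session; >1: ambiguous)."""
        self._expire(now)
        return sorted(client for (client, s, p, _), (ip, xport, _) in self.sessions.items()
                      if s == server and ip == pool_ip and p == proto and xport == dport)


SERVER = "2.2.2.20"            # assumed VPN gateway inside the page's 2.2.2.0/24 entry
C1, C2 = "1.1.1.5", "1.1.1.6"  # assumed clients inside 1.1.1.0/24


def shared_address_demo(nat_t):
    """One pool address, two clients behind it. Returns the inbound candidate list."""
    nat = SourceNat(["10.10.10.1"])
    if nat_t:
        _, p1 = nat.outbound(C1, SERVER, "udp", 0, sport=4500)
        nat.outbound(C2, SERVER, "udp", 0, sport=4500)
        return nat.inbound(SERVER, "10.10.10.1", "udp", 1, dport=p1)  # one client: PAT disambiguates
    nat.outbound(C1, SERVER, "esp", 0)
    nat.outbound(C2, SERVER, "esp", 0)
    return nat.inbound(SERVER, "10.10.10.1", "esp", 1)                 # both clients: ambiguous


def reestablish_demo(address_persistent):
    """C1 sets up IKE, the session idles out, C1 reestablishes. Returns (first_ip, second_ip)."""
    pool = ["10.10.10.%d" % i for i in range(1, 11)]
    nat = SourceNat(pool, address_persistent=address_persistent, session_timeout=60)
    first, _ = nat.outbound(C1, SERVER, "udp", 0, sport=500)
    nat.outbound(C2, SERVER, "udp", 1, sport=500)                # another client takes a pool address meanwhile
    second, _ = nat.outbound(C1, SERVER, "udp", 500, sport=500)  # 500 s later: old session has aged out
    return first, second


if __name__ == "__main__":
    print("ESP behind one shared address, candidates:", shared_address_demo(nat_t=False))
    print("NAT-T behind one shared address, candidates:", shared_address_demo(nat_t=True))
    print("reestablish without address-persistent:", reestablish_demo(False))
    print("reestablish with address-persistent:", reestablish_demo(True))
```

Without persistence the reestablished IKE session lands on the next free pool address, so return traffic the server still sends to the old address no longer maps to the client; with persistence the client keeps 10.10.10.1. The ESP case shows why non-NAT-T clients must each own a pool address: with no port to translate, two clients behind one address produce two candidates for the same return packet.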
In SRX1400, SRX1500, SRX3400, SRX3600, SRX5600, or SRX5800 devices, IKE negotiations involving NAT traversal do not work if the IKE peer is behind a NAT device that will change the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP because the IKE protocol switches the UDP port from 500 to 4500. (Platform support depends on the Junos OS release in your installation.)
Understanding IKE and ESP ALG Operation
Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic has the following behavior:
An IKE and ESP ALG monitors IKE traffic between the client and the server, and it permits only one IKE Phase 2 message exchange between the client and the server at any given time.
For a Phase 2 message:
If no Phase 2 exchange is currently outstanding between the client and the server, the IKE ALG opens gates for the relevant ESP traffic from the client to the server and from the server to the client.
If both IKE ALG gates cannot be opened successfully, or if a Phase 2 exchange already took place and its gates are still open, the Phase 2 message is dropped.
When ESP traffic hits the IKE ALG gates, sessions are created to capture subsequent ESP traffic and to perform the proper NATing (that is, source IP address translation for client-to-server traffic and destination IP address translation for server-to-client traffic).
If the ESP traffic does not hit one or both of the gates, the unused gates time out (see esp-gate-timeout).
Once the IKE ALG gates are collapsed or timed out, another IKE Phase 2 message exchange is permitted.
IKE NAT-T traffic on floating port 4500 is not processed by the IKE ALG. To support a mixture of NAT-T-capable and noncapable clients, you need to enable source NAT address-persistent.
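The gate and session behavior described above is a small state machine, and the following added example (not Junos code or part of the original page) models it in Python so the rules can be exercised: a Phase 2 message opens a pair of ESP gates or is dropped if gates are already open, the first ESP packet in each direction turns its gate into a session carrying the NAT translation, unused gates expire after esp-gate-timeout, and idle sessions expire after esp-session-timeout. The private-to-pool address mapping is assumed to come from an address-persistent source NAT; addresses follow the configuration example later on this page.

```python
"""Model of the IKE/ESP ALG gate and session logic. Constructed example, not Junos code.
Time is a plain number of seconds passed in by the caller."""
from dataclasses import dataclass

ESP_GATE_TIMEOUT = 5         # Junos default esp-gate-timeout (seconds)
ESP_SESSION_TIMEOUT = 1800   # Junos default esp-session-timeout (idle seconds)


@dataclass
class Gate:
    """Pinhole opened by a Phase 2 exchange; waits for the first matching ESP packet."""
    src: str
    dst: str
    opened_at: float


@dataclass
class Session:
    """Flow created when ESP hit a gate; xlate is the (src, dst) pair to rewrite to."""
    xlate: tuple
    last_seen: float


class IkeEspAlg:
    def __init__(self, nat_map, gate_timeout=ESP_GATE_TIMEOUT, session_timeout=ESP_SESSION_TIMEOUT):
        self.nat_map = nat_map          # private client IP -> pool IP chosen by source NAT (assumed)
        self.gate_timeout = gate_timeout
        self.session_timeout = session_timeout
        self.gates = {}                 # (client, server) -> {"c2s": Gate, "s2c": Gate}
        self.sessions = {}              # (src, dst, spi) as seen on the wire -> Session

    def _expire(self, now):
        for pair_key, pair in list(self.gates.items()):
            for direction, gate in list(pair.items()):
                if now - gate.opened_at > self.gate_timeout:
                    del pair[direction]          # ESP never arrived: the gate times out
            if not pair:
                del self.gates[pair_key]         # both gates gone: next Phase 2 is allowed again
        for key, sess in list(self.sessions.items()):
            if now - sess.last_seen > self.session_timeout:
                del self.sessions[key]           # idle ESP session aged out

    def ike_phase2(self, client, server, now):
        """Phase 2 message from client to server: 'permit' opens the ESP gates, 'drop' otherwise."""
        self._expire(now)
        if (client, server) in self.gates:
            return "drop"                        # an exchange is already outstanding for this pair
        pool_ip = self.nat_map[client]
        self.gates[(client, server)] = {
            "c2s": Gate(client, server, now),    # client -> server ESP, pre-NAT addresses
            "s2c": Gate(server, pool_ip, now),   # return ESP arrives addressed to the pool IP
        }
        return "permit"

    def esp(self, src, dst, spi, now):
        """One ESP packet as seen on the wire. Returns the translated (src, dst), or None if dropped."""
        self._expire(now)
        key = (src, dst, spi)
        if key in self.sessions:                 # later packets ride the session, not the gate
            self.sessions[key].last_seen = now
            return self.sessions[key].xlate
        for (client, server), pair in list(self.gates.items()):
            pool_ip = self.nat_map[client]
            if "c2s" in pair and (src, dst) == (client, server):
                xlate = (pool_ip, server)        # source NAT: client -> pool IP
                del pair["c2s"]
            elif "s2c" in pair and (src, dst) == (server, pool_ip):
                xlate = (server, client)         # destination NAT: pool IP -> client
                del pair["s2c"]
            else:
                continue
            if not pair:
                del self.gates[(client, server)]  # both gates hit: collapse them
            self.sessions[key] = Session(xlate, now)
            return xlate
        return None                              # no session and no open gate: dropped


if __name__ == "__main__":
    alg = IkeEspAlg({"1.1.1.5": "10.10.10.1"})
    print(alg.ike_phase2("1.1.1.5", "2.2.2.20", 0))      # permit: gates opened
    print(alg.ike_phase2("1.1.1.5", "2.2.2.20", 1))      # drop: exchange outstanding
    print(alg.esp("1.1.1.5", "2.2.2.20", 0x1001, 2))     # ('10.10.10.1', '2.2.2.20')
    print(alg.esp("2.2.2.20", "10.10.10.1", 0x2002, 3))  # ('2.2.2.20', '1.1.1.5')
    print(alg.ike_phase2("1.1.1.5", "2.2.2.20", 4))      # permit: gates collapsed
```

Note what the model makes explicit: ESP from a client that has not completed a Phase 2 exchange through the ALG is dropped even when the client is in the NAT rule, and a gate that is opened but never used blocks a second Phase 2 exchange only until esp-gate-timeout expires, which is why the default is a few seconds.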
Example: Configuring the IKE and ESP ALG
This example shows how to configure the IKE and ESP ALG to pass through IKE and ESP traffic with a source NAT pool on Juniper Networks devices.
Requirements
Before you begin:
Configure proxy ARP for all IP addresses in the source NAT pool.
Understand the concepts behind IKE and ESP ALG. See Understanding IKE and ESP ALG Operation.
Overview
In this example, the ALG for IKE and ESP is configured to monitor and allow IKE and ESP traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.
This example shows how to configure a source NAT pool and rule set, configure a custom application to support the IKE and ESP ALG, and associate this ALG to a policy.
If you want to support a mixture of NAT-traversal (NAT-T) capable clients and noncapable clients, you must enable persistent source NAT translation (so that once a particular source NAT is associated with a given IP address, subsequent source NAT translations use the same IP address). You also must configure a custom IKE NAT traversal application to support the encapsulation of IKE and ESP in UDP port 4500. This configuration enables IKE and ESP to pass through the NAT-enabled device.
Topology
Configuration
- Configuring a NAT Source Pool and Rule Set
- Configuring a Custom Application and Associating it to a Policy
- Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients
Configuring a NAT Source Pool and Rule Set
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security nat source pool pool1 address 10.10.10.1/32 to 10.10.10.10/32
set security zones security-zone green address-book address sa1 1.1.1.0/24
set security zones security-zone red address-book address da1 2.2.2.0/24
set security nat source rule-set rs1 from zone green
set security nat source rule-set rs1 to zone red
set security nat source rule-set rs1 rule r1 match source-address 1.1.1.0/24
set security nat source rule-set rs1 rule r1 match destination-address 2.2.2.0/24
set security nat source rule-set rs1 rule r1 then source-nat pool pool1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a source NAT pool:
Create a NAT source pool.
[edit]
user@host# set security nat source pool pool1 address 10.10.10.1/32 to 10.10.10.10/32
Configure security zone address book entries.
[edit]
user@host# set security zones security-zone green address-book address sa1 1.1.1.0/24
user@host# set security zones security-zone red address-book address da1 2.2.2.0/24
Create a NAT source rule set.
[edit security nat source rule-set rs1]
user@host# set from zone green
user@host# set to zone red
user@host# set rule r1 match source-address 1.1.1.0/24
user@host# set rule r1 match destination-address 2.2.2.0/24
user@host# set rule r1 then source-nat pool pool1
Results
From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show security nat
source {
    pool pool1 {
        address {
            10.10.10.1/32 to 10.10.10.10/32;
        }
    }
    rule-set rs1 {
        from zone green;
        to zone red;
        rule r1 {
            match {
                source-address 1.1.1.0/24;
                destination-address 2.2.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool1;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit
from configuration mode.
Configuring a Custom Application and Associating it to a Policy
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat
set security policies from-zone green to-zone red policy pol1 match source-address sa1
set security policies from-zone green to-zone red policy pol1 match destination-address da1
set security policies from-zone green to-zone red policy pol1 match application custom-ike-alg
set security policies from-zone green to-zone red policy pol1 then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a custom application and associate it to a policy:
Configure a custom application.
[edit]
user@host# set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat
Associate the custom application to a policy.
[edit security policies from-zone green to-zone red policy pol1]
user@host# set match source-address sa1
user@host# set match destination-address da1
user@host# set match application custom-ike-alg
user@host# set then permit
Results
From configuration mode, confirm your configuration by entering the show applications and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show applications
application custom-ike-alg {
    application-protocol ike-esp-nat;
    protocol udp;
    source-port 500;
    destination-port 500;
}
[edit]
user@host# show security zones
security-zone Trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone green {
    address-book {
        address sa1 1.1.1.0/24;
    }
}
security-zone red {
    address-book {
        address da1 2.2.2.0/24;
    }
}
If you are done configuring the device, enter commit
from configuration mode.
Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security nat source address-persistent
set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500
set security policies from-zone green to-zone red policy pol1 match source-address sa1
set security policies from-zone green to-zone red policy pol1 match destination-address da1
set security policies from-zone green to-zone red policy pol1 match application custom-ike-natt
set security policies from-zone green to-zone red policy pol1 then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure IKE and ESP ALG support for both NAT-T capable and noncapable clients:
Globally enable persistent source NAT translation.
[edit]
user@host# set security nat source address-persistent
Configure the IKE NAT-T application.
[edit]
user@host# set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500
Associate the NAT-T application using a policy.
[edit security policies from-zone green to-zone red policy pol1]
user@host# set match source-address sa1
user@host# set match destination-address da1
user@host# set match application custom-ike-natt
user@host# set then permit
Results
From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security nat
source {
    address-persistent;
}
[edit]
user@host# show security policies
from-zone green to-zone red {
    policy pol1 {
        match {
            source-address sa1;
            destination-address da1;
            application [ custom-ike-alg custom-ike-natt ];
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying IKE and ESP ALG Custom Applications
Purpose
Verify that the custom applications to support the IKE and ESP ALG are enabled.
Action
From operational mode, enter the show security alg status command.
user@host> show security alg status
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MGCP     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Disabled
  RTSP     : Enabled
  SCCP     : Enabled
  SIP      : Enabled
  SQL      : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Enabled
Meaning
The output shows the ALG status as follows:
Enabled—Shows the ALG is enabled.
Disabled—Shows the ALG is disabled.
Verifying the Security Policies of the ALG
Purpose
Verify that the application custom IKE ALG and application custom IKE NATT are set.
Action
From operational mode, enter the show security policies command.
user@host> show security policies
Default policy: permit-all
From zone: green, To zone: red
  Policy: pol1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source addresses: sa1
    Destination addresses: da1
    Applications: custom-ike-alg, custom-ike-natt
    Action: permit
Meaning
The sample output shows that the custom-ike-alg and custom-ike-natt applications are set on policy pol1. Note that the output also shows the default policy as permit-all, so traffic that matches no policy is still permitted and pol1 does not by itself restrict IKE and ESP to the listed addresses. On a production device, consider a deny-all default policy so that only the traffic explicitly permitted by pol1 passes.
Example: Enabling the IKE and ESP ALG and Setting Timeouts
This example shows how to enable the IKE and ESP ALG and set the timeout values to allow time for the ALG to process ALG state information, ESP gates, and ESP sessions.
Requirements
Understand the concepts behind ALG for IKE and ESP. See Understanding IKE and ESP ALG Operation.
Overview
The IKE and ESP ALG processes all traffic specified in any policy to which the ALG is attached. In this example, you configure the set security alg ike-esp-nat enable statement so the current default IPsec pass-through behavior is disabled for all IPsec pass-through traffic, regardless of policy.
You then set the timeout values to allow time for the IKE and ESP ALG to process ALG state information, ESP gates, and ESP sessions. The three timeouts are:
state-timeout: the timeout of ALG state information. The range is 180 through 86400 seconds; the default is 14400 seconds.
esp-gate-timeout: the timeout of the ESP gates created after an IKE Phase 2 exchange has completed. The range is 2 through 30 seconds; the default is 5 seconds.
esp-session-timeout: the idle timeout of the ESP sessions created from the IPsec gates. If no traffic hits the session, it is aged out after this period of time. The range is 60 through 2400 seconds; the default is 1800 seconds.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security alg ike-esp-nat enable
set security alg ike-esp-nat esp-gate-timeout 20
set security alg ike-esp-nat esp-session-timeout 2400
set security alg ike-esp-nat state-timeout 360
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To enable the IKE and ESP ALG and set the timeout values:
Enable the IKE and ESP ALG.
[edit]
user@host# set security alg ike-esp-nat enable
Set the timeout for the ALG state information.
[edit security alg ike-esp-nat]
user@host# set state-timeout 360
Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.
[edit security alg ike-esp-nat]
user@host# set esp-gate-timeout 20
Set the idle timeout for the ESP sessions created from the IPsec gates.
[edit security alg ike-esp-nat]
user@host# set esp-session-timeout 2400
Results
From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security alg
ike-esp-nat {
    enable;
    state-timeout 360;
    esp-gate-timeout 20;
    esp-session-timeout 2400;
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks: