Application Layer Gateway for IPSec Protocol

If communication between two network devices (for example, a client and a server) uses the IPSec protocol, the IKE traffic (carried over UDP) has port fields, but the Encapsulating Security Payload (ESP) traffic does not. If a NAT device on the path assigns the same NAT IP address (with different ports) to two or more clients communicating with the same destination, the NAT device cannot distinguish and correctly route the return ESP traffic, because ESP packets carry no port information. Therefore, IPSec ESP traffic fails at the NAT device.

NAT-Traversal (NAT-T) capable IPSec endpoints detect the presence of an intermediate NAT device during IKE phase 1 and switch to UDP port 4500 for all subsequent IKE and ESP traffic (encapsulating ESP in UDP, which gives the NAT device ports to translate). Without NAT-T support on both peer IPSec endpoints, IPSec-protected ESP traffic is transmitted without UDP encapsulation and therefore fails at the NAT device.

The NetScaler appliance supports IPSec application layer gateway (ALG) functionality for large scale NAT configurations. The IPSec ALG processes IPSec ESP traffic and maintains session information so that the traffic does not fail when the IPSec endpoints do not support NAT-T (UDP encapsulation of ESP traffic). The ALG works only on cleartext fields (IKE metadata and the ESP header); it does not decrypt ESP payloads.

How IPSec ALG Works

An IPSec ALG monitors IKE traffic between a client and the server, and permits only one IKE phase 2 message exchange between a client and the server, through a given NAT IP address, at any given time. Each permitted exchange opens a gate for the expected ESP traffic in each direction.

Once two-way ESP packets have been received for a particular flow, the IPSec ALG creates a NAT session for that flow so that subsequent ESP traffic can be translated without further gating. ESP traffic is identified by Security Parameters Indexes (SPIs), which are unique per flow and per direction. The IPSec ALG uses the ESP SPIs in place of source and destination ports when performing large scale NAT.

If a gate receives no traffic, it times out. After both gates time out, another IKE phase 2 exchange between that client and server is permitted.

IPSec ALG Timeouts

IPSec ALG on a NetScaler appliance has three timeout parameters:

  • ESP Gate Timeout. Maximum time that the NetScaler appliance keeps an IPSec ALG gate open for a particular client on a specific NAT IP address for a given server if no two-way ESP traffic is exchanged between the client and the server. While the gate is open, no other client can start an IKE phase 2 exchange with that server through the same NAT IP address.
  • IKE Session Timeout. Maximum time that the NetScaler appliance keeps the IKE session information before removing it if there is no IKE traffic for that session.
  • ESP Session Timeout. Maximum time that the NetScaler appliance keeps the ESP session information before removing it if there is no ESP traffic for that session.
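The gate and SPI-keyed session behaviour described above, and the gate and session timeouts, are easier to follow in code. The following is an added example, not NetScaler code: it models an IPSec ALG translating ESP for clients behind one NAT IP address. The gate rules are a simplified reading of this page (one gate record per NAT IP and server covering both directions, released once a two-way session exists), and the addresses, SPIs and packets are constructed for the demo.

```python
"""Toy model of an IPSec ALG doing NAT44 on ESP SPIs instead of ports.

Added example, not NetScaler code. Gate/session rules are a simplified
reading of the documented behaviour; all addresses and SPIs are constructed.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass, field
from typing import Optional


def parse_esp(payload: bytes) -> tuple[int, int]:
    """Return (SPI, sequence number) from the 8-byte ESP header.
    ESP has no port fields, so the SPI is the only per-flow key a NAT can use."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])


@dataclass
class Gate:
    """Opened by a permitted IKE phase 2 exchange; waits for two-way ESP."""
    client: str
    last_seen: float
    out_spi: Optional[int] = None  # client -> server direction
    in_spi: Optional[int] = None   # server -> client direction


@dataclass
class IPSecALG:
    nat_ip: str
    esp_gate_timeout: float = 30.0        # page default: 30 seconds
    esp_session_timeout: float = 3600.0   # page default: 60 minutes
    gates: dict = field(default_factory=dict)         # (nat_ip, server) -> Gate
    out_sessions: dict = field(default_factory=dict)  # (client, server, spi) -> last_seen
    in_sessions: dict = field(default_factory=dict)   # (server, spi) -> (client, last_seen)

    def expire(self, now: float) -> None:
        """Drop gates and sessions that saw no traffic within their timeout."""
        self.gates = {k: g for k, g in self.gates.items()
                      if now - g.last_seen < self.esp_gate_timeout}
        self.out_sessions = {k: t for k, t in self.out_sessions.items()
                             if now - t < self.esp_session_timeout}
        self.in_sessions = {k: (c, t) for k, (c, t) in self.in_sessions.items()
                            if now - t < self.esp_session_timeout}

    def ike_phase2(self, client: str, server: str, now: float) -> bool:
        """Permit phase 2 only if no other client holds the gate for this
        (NAT IP, server) pair; a permitted exchange opens the gate."""
        self.expire(now)
        gate = self.gates.get((self.nat_ip, server))
        if gate is not None and gate.client != client:
            return False
        self.gates[(self.nat_ip, server)] = Gate(client, now)
        return True

    def esp_outbound(self, client: str, server: str, pkt: bytes, now: float) -> Optional[str]:
        """Client -> server ESP. Returns the NAT source IP, or None if dropped."""
        spi, _ = parse_esp(pkt)
        self.expire(now)
        if (client, server, spi) in self.out_sessions:
            self.out_sessions[(client, server, spi)] = now
            return self.nat_ip
        gate = self.gates.get((self.nat_ip, server))
        if gate is None or gate.client != client:
            return None
        gate.out_spi, gate.last_seen = spi, now
        self._open_session_if_two_way(gate, server, now)
        return self.nat_ip

    def esp_inbound(self, server: str, pkt: bytes, now: float) -> Optional[str]:
        """Server -> NAT IP ESP. Returns the private client IP, or None if dropped."""
        spi, _ = parse_esp(pkt)
        self.expire(now)
        if (server, spi) in self.in_sessions:
            client, _ = self.in_sessions[(server, spi)]
            self.in_sessions[(server, spi)] = (client, now)
            return client
        gate = self.gates.get((self.nat_ip, server))
        if gate is None:
            return None  # no port and no gate: the ambiguity that breaks plain NAT
        gate.in_spi, gate.last_seen = spi, now
        self._open_session_if_two_way(gate, server, now)
        return gate.client

    def _open_session_if_two_way(self, gate: Gate, server: str, now: float) -> None:
        """Once both SPIs are known, key a NAT session on them and release the gate."""
        if gate.out_spi is not None and gate.in_spi is not None:
            self.out_sessions[(gate.client, server, gate.out_spi)] = now
            self.in_sessions[(server, gate.in_spi)] = (gate.client, now)
            del self.gates[(self.nat_ip, server)]


def esp_packet(spi: int, seq: int = 1) -> bytes:
    """Constructed ESP packet: header plus opaque (here zero) ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def demo() -> IPSecALG:
    alg = IPSecALG(nat_ip="203.0.113.3")
    c1, c2, c3, srv = "192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5"
    assert alg.ike_phase2(c1, srv, now=0.0)
    assert not alg.ike_phase2(c2, srv, now=1.0)                 # c1's gate is open
    assert alg.esp_outbound(c1, srv, esp_packet(0x1111), 2.0) == alg.nat_ip
    assert alg.esp_inbound(srv, esp_packet(0x2222), 3.0) == c1  # two-way: session created
    assert alg.ike_phase2(c2, srv, now=4.0)                     # gate released
    assert alg.esp_inbound(srv, esp_packet(0x2222), 5.0) == c1  # SPI, not gate, selects c1
    assert not alg.ike_phase2(c3, srv, now=10.0)                # c2's idle gate still open
    assert alg.ike_phase2(c3, srv, now=40.0)                    # c2's gate timed out (30 s)
    return alg


if __name__ == "__main__":
    demo()
```

The demo shows why the gate is needed: until the first inbound ESP packet from the server has been seen, its SPI is unknown, so the only way to attribute it to a client is that exactly one client has an open gate for that NAT IP and server. After that, translation is keyed on the SPIs alone, which is why a second client can proceed without disturbing the first.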

Points to Consider before Configuring IPSec ALG

Before you start configuring IPSec ALG, consider the following points:

  • You must understand the different components of the IPSec protocol (IKE, ESP, SPIs).
  • IPSec ALG is not supported for DS-Lite and large scale NAT64 configurations.
  • IPSec ALG is not supported for hairpin LSN flows.
  • IPSec ALG does not work with RNAT configurations.
  • IPSec ALG is not supported in NetScaler clusters.

Configuration Steps

Configuring IPSec ALG for large scale NAT44 on a NetScaler appliance consists of the following tasks:

  • Create an LSN application profile and bind it to the LSN configuration. Set the following parameters while configuring the application profile:
    • Protocol = UDP
    • IP Pooling = PAIRED
    • Port = 500 (the IKE port)

    PAIRED pooling assigns the same NAT IP address to all sessions of a subscriber, which the ALG relies on to associate a client's IKE exchange with its ESP traffic. Bind the application profile to the LSN group of an LSN configuration. For instructions on creating an LSN configuration, see Configuration Steps for LSN.
  • Create an IPSec ALG profile. An IPSec ALG profile includes the IPSec timeouts: IKE session timeout, ESP session timeout, and ESP gate timeout. An IPSec ALG profile has the following default settings:
    • IKE session timeout = 60 minutes
    • ESP session timeout = 60 minutes
    • ESP gate timeout = 30 seconds
  • Bind the IPSec ALG profile to the LSN configuration. IPSec ALG is enabled for an LSN configuration when you bind an IPSec ALG profile to it. Bind the profile by setting the IPSec ALG profile parameter of the LSN group to the name of the created profile. An IPSec ALG profile can be bound to multiple LSN groups, but an LSN group can have only one IPSec ALG profile.

To create an LSN application profile by using the command line interface

At the command prompt, type:

add lsn appsprofile <appsprofilename> UDP -ippooling PAIRED

show lsn appsprofile

To bind destination port to the LSN application profile by using the command line interface

At the command prompt, type:

bind lsn appsprofile <appsprofilename> <lsnport>

show lsn appsprofile

To bind an LSN application profile to an LSN group by using the command line interface

At the command prompt, type:

bind lsn group <groupname> -appsprofilename <string>

show lsn group

To create an IPSec ALG profile by using the CLI

At the command prompt, type:

add ipsecalg profile <name> [-ikeSessionTimeout <positive_integer>] [-espSessionTimeout <positive_integer>] [-espGateTimeout <positive_integer>] [-connfailover ( ENABLED | DISABLED )]

show ipsecalg profile <name>

To bind an IPSec ALG profile to an LSN configuration by using the CLI

At the command prompt, type:

bind lsn group <groupname> -poolname <string> -ipsecAlgProfile <string>

show lsn group <name>

To create an LSN application profile and bind it to an LSN configuration by using the GUI

Navigate to System > Large Scale NAT > Profiles, click Application tab, add an LSN application profile and bind it to an LSN group.

To create an IPSec ALG profile by using the GUI

Navigate to System > Large Scale NAT > Profiles, click IPSEC ALG tab, and then add an IPSec ALG profile.

To bind an IPSec ALG profile to an LSN configuration by using the GUI

  1. Navigate to System > Large Scale NAT > LSN Group, open the LSN group.
  2. In Advanced Settings, click + IPSEC ALG Profile to bind the created IPSec ALG profile to the LSN group.

Sample Configuration

In the following sample large scale NAT44 configuration, IPSec ALG is enabled for subscribers in the 192.0.2.0/24 network. IPSec ALG profile IPSECALGPROFILE-1, with its IPSec timeouts set explicitly, is created and bound to LSN group LSN-GROUP-1. The LSN group itself is created as part of the LSN configuration (see Configuration Steps for LSN) and is not shown here.

Sample configuration:

add lsn client LSN-CLIENT-1
Done
bind lsn client LSN-CLIENT-1 -network 192.0.2.0 -netmask 255.255.255.0
Done
add lsn pool LSN-POOL-1
Done
bind lsn pool LSN-POOL-1 203.0.113.3-203.0.113.9
Done
add lsn appsprofile LSN-APPSPROFILE-1 UDP -ippooling PAIRED
Done
bind lsn appsprofile LSN-APPSPROFILE-1 500
Done
add ipsecalg profile IPSECALGPROFILE-1 -ikeSessionTimeout 45 -espSessionTimeout 40 -espGateTimeout 20 -connfailover ENABLED
Done
bind lsn group LSN-GROUP-1 -appsprofilename LSN-APPSPROFILE-1
Done
bind lsn group LSN-GROUP-1 -poolname LSN-POOL-1
Done
bind lsn group LSN-GROUP-1 -ipsecAlgProfile IPSECALGPROFILE-1
Done
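Because IPSec ALG silently does nothing useful when the application profile is not UDP, not PAIRED, or lacks the port 500 binding, it is worth checking a configuration against the constraints listed in the configuration steps before pushing it. The following is an added example, not NetScaler code: a small linter that parses `add`/`bind` lines of the form shown on this page and reports violations of those constraints. The two embedded configurations are constructed for the demo (the first mirrors the sample above); the parser only recognises the command forms used on this page.

```python
"""Lint an LSN (NAT44) configuration for the IPSec ALG prerequisites.

Added example, not NetScaler code: it understands only the add/bind forms
shown on this page, and the embedded configurations are constructed.
"""
import shlex
from collections import defaultdict

IKE_PORT = "500"


def _opts(tokens):
    """Turn '-key value ...' into a dict with lower-cased keys."""
    out, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            out[tokens[i][1:].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return out


def parse_lsn_config(text):
    """Collect appsprofiles, ipsecalg profiles and LSN group bindings."""
    apps, alg = {}, {}
    groups = defaultdict(lambda: {"apps": [], "pools": [], "alg": []})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Done":
            continue
        tok = shlex.split(line)
        verb, obj = tok[0].lower(), " ".join(t.lower() for t in tok[1:3])
        if verb not in ("add", "bind") or len(tok) < 4:
            continue
        if obj == "lsn appsprofile":
            entry = apps.setdefault(tok[3], {"proto": "?", "ippooling": "?", "ports": set()})
            if verb == "add" and len(tok) > 4:
                entry["proto"] = tok[4].upper()
                entry.update({k: v.upper() for k, v in _opts(tok[5:]).items()})
            elif verb == "bind" and len(tok) > 4:
                entry["ports"].add(tok[4])        # bind lsn appsprofile NAME PORT
        elif obj == "ipsecalg profile" and verb == "add":
            alg[tok[3]] = _opts(tok[4:])
        elif obj == "lsn group" and verb == "bind":
            g, o = groups[tok[3]], _opts(tok[4:])
            for key, dest in (("appsprofilename", "apps"), ("poolname", "pools"),
                              ("ipsecalgprofile", "alg")):
                if key in o:
                    g[dest].append(o[key])
    return apps, alg, groups


def check_ipsec_alg(text):
    """Return a list of findings; an empty list means the ALG prerequisites hold."""
    apps, alg, groups = parse_lsn_config(text)
    findings = []
    for name, p in alg.items():
        for key in ("ikesessiontimeout", "espsessiontimeout", "espgatetimeout"):
            if key in p and not (p[key].isdigit() and int(p[key]) > 0):
                findings.append(f"ipsecalg profile {name}: {key} must be a positive integer")
    for gname, g in groups.items():
        if not g["alg"]:
            continue                                 # IPSec ALG not enabled on this group
        if len(g["alg"]) > 1:
            findings.append(f"lsn group {gname}: only one IPSec ALG profile may be bound, found {g['alg']}")
        for a in g["alg"]:
            if a not in alg:
                findings.append(f"lsn group {gname}: IPSec ALG profile {a} is not defined")
        ike_ok = any(apps.get(a, {}).get("proto") == "UDP"
                     and apps[a]["ippooling"] == "PAIRED"
                     and IKE_PORT in apps[a]["ports"] for a in g["apps"])
        if not ike_ok:
            findings.append(f"lsn group {gname}: needs a bound appsprofile with protocol UDP, "
                            f"-ippooling PAIRED and port {IKE_PORT}")
        if not g["pools"]:
            findings.append(f"lsn group {gname}: no LSN pool bound")
    return findings


# Constructed: the page's sample configuration.
GOOD_CONFIG = """
add lsn client LSN-CLIENT-1
bind lsn client LSN-CLIENT-1 -network 192.0.2.0 -netmask 255.255.255.0
add lsn pool LSN-POOL-1
bind lsn pool LSN-POOL-1 203.0.113.3-203.0.113.9
add lsn appsprofile LSN-APPSPROFILE-1 UDP -ippooling PAIRED
bind lsn appsprofile LSN-APPSPROFILE-1 500
add ipsecalg profile IPSECALGPROFILE-1 -ikeSessionTimeout 45 -espSessionTimeout 40 -espGateTimeout 20 -connfailover ENABLED
bind lsn group LSN-GROUP-1 -appsprofilename LSN-APPSPROFILE-1
bind lsn group LSN-GROUP-1 -poolname LSN-POOL-1
bind lsn group LSN-GROUP-1 -ipsecAlgProfile IPSECALGPROFILE-1
"""

# Constructed: wrong protocol and pooling, no port 500, a zero timeout,
# two ALG profiles on one group (one undefined), and no pool.
BAD_CONFIG = """
add lsn appsprofile APP-BAD TCP -ippooling RANDOM
add ipsecalg profile ALG-BAD -espGateTimeout 0
bind lsn group G-BAD -appsprofilename APP-BAD
bind lsn group G-BAD -ipsecAlgProfile ALG-BAD
bind lsn group G-BAD -ipsecAlgProfile ALG-MISSING
"""

if __name__ == "__main__":
    for f in check_ipsec_alg(BAD_CONFIG):
        print(f)
```

Run against the sample configuration the linter reports nothing; against the deliberately broken one it reports five findings (bad timeout, two ALG profiles, undefined profile, missing UDP/PAIRED/500 application profile, no pool). The cluster, DS-Lite, NAT64 and RNAT restrictions from Points to Consider are not visible in these lines and would need to be checked separately.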
