IPsec transport vs tunnel mode, and NAT-T

IPsec scenario topologies

  • Gateway: The gateway is usually your firewall, but this can be any host within your network.
    Often the gateway is also able to serve a small network with DHCP and DNS.
    In the image above the hosts moon and sun serve as gateways for the internal hosts alice and bob.
  • Remote access / Roadwarrior clients: Usually, roadwarriors are laptops and other mobile devices
    connecting from remote to your network using the gateway. In the image above carol represents a
    roadwarrior who wants to access either of the two networks behind the two gateways.
  • Remote hosts / Host-to-Host: This can be a remote web server or a backup system. This is illustrated
    in the image by host winnetou and either of the gateways. The connection between the two hosts can
    usually be initiated by either one of them.
  • Remote sites / Site-to-Site: Hosts in two or more subnets at different locations should be able to access
    each other. Again referring to the image above, the two subnets and behind
    gateways moon and sun, respectively, might be connected, so that the hosts alice and bob may securely
    communicate with one another.


Transport mode covers the end-to-end case (remote access / roadwarrior), for example a client connected directly to a server (the server cannot act as a proxy for other hosts).
transport mode

Tunnel mode covers the cases that are not end-to-end, such as Host-to-Host and Site-to-Site.
tunnel mode

A common topology looks like this: pc -> router(nat) -> vpn server
As the packet layouts of the two IPsec modes show, the IPsec packet carries no TCP or UDP header (so there are no ports for the NAT to translate); when it passes through router(nat) it is dropped by the router and never reaches the ipsec server.

The same topology with NAT-T (NAT traversal):

tunnel mode nat-t
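As an added example, not part of the original page, the following Python script builds the two layouts discussed above in constructed form: a raw ESP packet (IP protocol 50, no ports) and the same ESP payload UDP-encapsulated on port 4500 the way NAT-T does, then classifies each by whether a NAT has a transport header it can rewrite. Addresses, SPI and the opaque ciphertext are constructed sample values.

```python
import struct
import ipaddress

ESP, UDP = 50, 17                     # IP protocol numbers
NAT_T_PORT = 4500                     # UDP port used by NAT-T (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # on port 4500 this marks IKE rather than ESP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left 0, fine for a constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def classify(pkt):
    """What a NAT sees: does the packet carry ports it can rewrite?"""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == ESP:  # raw ESP: SPI and sequence follow the IP header, no ports at all
        return {"kind": "esp", "spi": struct.unpack("!I", body[:4])[0], "nat_ports": False}
    if proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
        if NAT_T_PORT in (sport, dport):
            if payload[:4] == NON_ESP_MARKER:
                return {"kind": "ike-nat-t", "nat_ports": True}
            return {"kind": "esp-in-udp", "spi": struct.unpack("!I", payload[:4])[0], "nat_ports": True}
        return {"kind": "udp", "nat_ports": True}
    return {"kind": "other", "nat_ports": False}

def encapsulate_nat_t(pkt):
    """Rewrap a raw ESP packet in UDP/4500, as a NAT-T peer does once NAT is detected."""
    ihl = (pkt[0] & 0x0F) * 4
    assert pkt[9] == ESP, "only raw ESP gets UDP-encapsulated"
    esp = pkt[ihl:]
    return (ipv4_header(pkt[12:16], pkt[16:20], UDP, 8 + len(esp))
            + udp_header(NAT_T_PORT, NAT_T_PORT, len(esp)) + esp)

# Constructed samples (RFC 5737 documentation addresses; the encrypted ESP payload is opaque filler).
ESP_BODY = struct.pack("!II", 0x10000001, 1) + b"\x00" * 24  # SPI, sequence number, ciphertext
RAW_ESP = ipv4_header("192.0.2.10", "198.51.100.1", ESP, len(ESP_BODY)) + ESP_BODY
NAT_T_ESP = (ipv4_header("192.0.2.10", "198.51.100.1", UDP, 8 + len(ESP_BODY))
             + udp_header(NAT_T_PORT, NAT_T_PORT, len(ESP_BODY)) + ESP_BODY)
```

Running `classify(RAW_ESP)` reports no ports for the NAT to work with, while `classify(NAT_T_ESP)` and `classify(encapsulate_nat_t(RAW_ESP))` both show the same SPI now reachable through a translatable UDP header.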