Cisco ASA 5512-X Adaptive Security Appliance - No Payload Encryption Information Guide

IPsec FAQ: Why are Avaya phones no longer able to connect via IPsec VPN after code upgrade on the ASA?
Document ID: 116294
Contributed by Atri Basu and Gustavo Medina, Cisco TAC Engineers.
Jul 17, 2013
Contents
Introduction
Why are Avaya phones no longer able to connect via IPsec VPN after code upgrade on the Cisco Adaptive Security Appliance (ASA)?
Introduction
This document describes a problem encountered when Avaya is deployed on a system in which the phones use the built-in Internet Protocol Security (IPsec) client.
Why are Avaya phones no longer able to connect via IPsec VPN after code upgrade on the Cisco Adaptive Security Appliance (ASA)?
In order to understand this problem, you need to understand how Network Address Translation traversal (NAT-T) and NAT discovery (NAT-D) work. The NAT-D process consists of these steps:

1. Detects one or more NAT devices between IPsec hosts.
2. Identifies if the peer supports NAT-T.
3. Negotiates the use of User Datagram Protocol (UDP) encapsulation of IPsec packets through NAT devices in the Internet Key Exchange (IKE).
NAT-D sends the hashes of the IP addresses and ports of both IKE peers from each end to the other. If both ends calculate those hashes and produce the same results, they know there is no NAT between them. The hashes are sent as a series of NAT-D payloads. Each payload contains one hash. In the case of multiple hashes, multiple NAT-D payloads are sent. Normally, there are only two NAT-D payloads. The NAT-D payloads are included in the third and fourth packets of the Main Mode, and in the second and third packets of the Aggressive Mode. Since this example uses a remote access tunnel, it is the Aggressive Mode.
One of the details included in the NAT-D payloads is the Vendor ID (VID). The exchange of VIDs between peers helps determine the NAT-T capability of the remote host, as described in Request for Comments (RFC) 3947:
The format of the NAT-D packet is:
        1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
      +---------------+---------------+---------------+---------------+
      | Next Payload  | RESERVED      | Payload length                |
      +---------------+---------------+---------------+---------------+
      ~               HASH of the address and port                    ~
      +---------------+---------------+---------------+---------------+
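The following Python is an added example, not part of the Cisco document, that shows the NAT-D mechanism described above end to end: it serializes and parses the payload layout shown in the diagram, computes the per-address hash, and runs the receiver-side comparison that decides whether either peer sits behind a NAT. The hash input (CKY-I | CKY-R | IP | Port) follows RFC 3947; SHA-1 is assumed as the negotiated IKE hash, the cookies and addresses are constructed values (RFC 5737 documentation ranges), and the function names are this example's own.

```python
import hashlib
import ipaddress
import struct

# NAT-D payload layout from RFC 3947 section 4 (the diagram above):
#   Next Payload (1) | RESERVED (1) | Payload length (2) | HASH of address and port
NATD_HDR = struct.Struct("!BBH")


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) as RFC 3947 defines it.

    IKE uses whichever hash the SA negotiated; SHA-1 is assumed here."""
    addr = ipaddress.ip_address(ip).packed  # 4 or 16 bytes, network order
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_natd(hash_value: bytes, next_payload: int = 0) -> bytes:
    """Serialize one NAT-D payload; next_payload 0 means no further payload."""
    return NATD_HDR.pack(next_payload, 0, NATD_HDR.size + len(hash_value)) + hash_value


def parse_natd_chain(data: bytes) -> list:
    """Walk a run of NAT-D payloads and return their hashes, rejecting any
    payload whose length field does not fit the remaining buffer."""
    hashes = []
    while data:
        next_payload, reserved, length = NATD_HDR.unpack_from(data)
        if reserved != 0 or length < NATD_HDR.size or length > len(data):
            raise ValueError("malformed NAT-D payload")
        hashes.append(data[NATD_HDR.size:length])
        data = data[length:]
    return hashes


def send_natd(cky_i, cky_r, peer_addr, local_addrs):
    """Sender side: the first payload hashes the peer's address (the UDP
    destination); the remaining payloads hash each local address the sender knows."""
    payloads = [natd_hash(cky_i, cky_r, *peer_addr)]
    payloads += [natd_hash(cky_i, cky_r, *a) for a in local_addrs]
    return b"".join(build_natd(h) for h in payloads)


def detect_nat(cky_i, cky_r, wire_bytes, my_addr, peer_addr_observed):
    """Receiver side. Returns (peer_behind_nat, i_am_behind_nat)."""
    hashes = parse_natd_chain(wire_bytes)
    if len(hashes) < 2:
        raise ValueError("expected at least two NAT-D payloads")
    # The peer hashed the address it sent to; if that is not our own address,
    # something rewrote our address on the way: we are behind a NAT.
    i_am_behind_nat = hashes[0] != natd_hash(cky_i, cky_r, *my_addr)
    # The peer listed its own addresses; if none match the source address we
    # observe, the peer's address was translated: the peer is behind a NAT.
    peer_behind_nat = natd_hash(cky_i, cky_r, *peer_addr_observed) not in hashes[1:]
    return peer_behind_nat, i_am_behind_nat


def phone_behind_nat_scenario():
    """Constructed scenario: a phone on 192.168.1.10 behind a NAT that rewrites
    it to 203.0.113.5 talks to an ASA on 198.51.100.1. Cookies are made up."""
    cky_i = bytes.fromhex("0011223344556677")  # phone is the IKE initiator
    cky_r = bytes.fromhex("8899aabbccddeeff")
    asa = ("198.51.100.1", 500)
    phone_private = ("192.168.1.10", 500)
    phone_as_seen_by_asa = ("203.0.113.5", 500)
    wire = send_natd(cky_i, cky_r, peer_addr=asa, local_addrs=[phone_private])
    return detect_nat(cky_i, cky_r, wire, my_addr=asa,
                      peer_addr_observed=phone_as_seen_by_asa)


def no_nat_scenario():
    """Same peers with nothing translating the phone's address."""
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    asa = ("198.51.100.1", 500)
    phone = ("192.0.2.20", 500)
    wire = send_natd(cky_i, cky_r, peer_addr=asa, local_addrs=[phone])
    return detect_nat(cky_i, cky_r, wire, my_addr=asa, peer_addr_observed=phone)


if __name__ == "__main__":
    print("phone behind NAT ->", phone_behind_nat_scenario())  # (True, False)
    print("no NAT           ->", no_nat_scenario())            # (False, False)
```

In the first scenario the ASA's own hash matches the first payload, so the ASA is not behind a NAT, while none of the phone's listed addresses hash to the source the ASA observes, so the phone is; that is the outcome that makes the peers go on to negotiate UDP encapsulation. The length check in the parser is the kind of bounds validation an IKE implementation needs on any peer-supplied length field.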