Cohesive Networks always recommends following a model of explicit configuration to ensure stable and healthy IPsec negotiations with 3rd party devices. This drives how the VNS3 product has been developed over the years. One area of explicit configuration is the choice for tunnel traffic to use Native IPsec or encapsulate via NAT-Traversal. When both sides of a tunnel are correctly configured to use one or the other AND the remote device does not behave unexpectedly, tunnels remain up and operational for years. This is not an empty claim; we've had cloud-based network customers using VNS3/VPN3 for longer than any other vendor.
PROBLEM:
Recently, some of our customers connecting to Cisco devices which originally connected and negotiated using Native IPsec have seen the Cisco device suddenly change to NAT-Traversal encapsulation. This change happens without modification to the configuration on either VNS3 or the Cisco appliance. The result is a tunnel or set of tunnels that negotiate and connect but do not pass traffic. In this state, VNS3 sends and listens for tunnel traffic on ESP, Protocol 50, while the Cisco sends and listens for tunnel traffic on UDP port 4500.
We have not been able to reproduce this in our lab, and have not been able to isolate it to specific Cisco configurations/revisions. It can be identified by the network sniffer as UDP 4500 traffic (NAT-T) coming from a Cisco peer that was previously sending ESP (Protocol 50). We have no reported cases of this happening with any other vendor products. We have NOT seen any instances of Cisco flipping from NAT-Traversal to Native IPsec.
REMEDIATION 1:
Work with your connecting party and configure both sides explicitly to only use NAT-T.
REMEDIATION 2:
Set the VNS3 controller in a NAT-T Auto Detect mode via the following configuration settings, entered on the relevant IPsec Endpoint page:
- Set NAT-Traversal Off by unchecking the box.
- Add "compat:encapsulation=auto" into the extra configuration field.
- Confirm Network Security Groups allow inbound access from the remote Cisco IP on UDP 500, UDP 4500, and ESP (Protocol 50).
This configuration will allow VNS3 to "follow the Cisco's lead" in deciding to use NAT-Traversal or Native IPsec.
NOTE: It is essential to work with the connecting party to confirm the configuration settings as well as the make/mode/software version of the connecting appliance to ensure maximum stability.