1、IPSec数据包在穿越NAT时会遇到一个很严重的问题,因为NAT机制会修改数据包的IP及TCP或UDP包头内容,而IPSec为了确保数据包的安全性,也会逐一检查每个IPSec的数据包,一旦数据包内容(包含包头)有任何变动,这些数据包就会被IPSec机制丢弃,所以IPSec数据包是无法穿越NAT的。但如果真是这样,那IPSec在使用上将受到严重限制,幸运的是在大家的努力下,IPSec协议终于可以穿越NAT了,这项技术规范是在rfc3947中定义的,称为“NAT-Traversal”,简称为NAT-T。那NAT-T到底是如何让IPSec数据包可以穿越NAT的呢
3、1 path include "/etc/racoon"; 2.2 path pre_shared_key "/etc/racoon/psk.txt"; 3.3 path certificate "/etc/racoon/certs"; 4.4 log debug; 5.5 timer { 6.6 natt_keepalive 10sec; 7.7 } 8.8 listen { 9.9 isakmp 10.10.15.40[500]; 10.10 isakmp_natt 10.10.15.40[4500]; 11.11 } 12.12 padding { 13.13 maximum_length 20; 14.14 randomize off; 15.15 strict_check off; 16.16 exclusive_tail off; 17.17 } 18.18 remote anonymous { 19.19 exchange_mode main,aggressive; 20.20 nat_traversal on; 21.21 generate_policy on; 22.22 certificate_type x509 "cert.pem" "key.pem"; 23.23 verify_cert on; 24.24 verify_identifier on; 25.25 my_identifier asn1dn; 26.26 peers_identifier asn1dn; 27.27 proposal { 28.28 encryption_algorithm 3des; 29.29 hash_algorithm sha1; 30.30 authentication_method rsasig; 31.31 dh_group modp1024; 32.32 } 33.33 } 34.34 sainfo anonymous { 35.35 lifetime time 1 hour; 36.36 encryption_algorithm 3des; 37.37 authentication_algorithm hmac_sha1; 38.38 compression_algorithm deflate; 39.39 }
