Title: How Both IPSec Ends Perform NAT-T Detection? [Print this page] Author: admin Time: 2017-5-4 20:16 Title: How Both IPSec Ends Perform NAT-T Detection? How Both IPSec Ends Perform NAT-T Detection? Author: admin Time: 2017-5-4 20:17
NAT-T detection is performed in the first phase of IKE negotiation and is completed using the first and second packets in the first phase. The vendor ID payload is added to packets. According to RFC3947, it is converted into a value in hexadecimal notation by using the hash algorithm: vendor_id=0x4a 0x13 0x1c 0x81 0x7 0x3 0x58 0x45 0x5c 0x57 0x28 0xf2 0xe 0x95 0x45 0x2f. The value is consistent in the first and second packets and is used to detect whether the peer end supports NAT-T.
Run the debug cry iskamp command during negotiation. The displayed packet carries vendor_id. Use a tool to capture packets. The vendor ID is carried in IKE packets, as shown in the following figure.
