Configure IPsec NAT-T
About this task
By default, both sides of an IPsec connection are Initiator devices. IPsec Network Address Translation Traversal (NAT-T) connections require that one side of the connection is a Responder device and the other side of the connection is an Initiator device.
If the Responder device and the Initiator device are both behind NAT, the IPsec NAT-T Initiator device requires the public IP address of the Responder device.
Procedure
Perform the following steps to configure one side of an IPsec NAT-T connection as a Responder device:
- In the navigation pane, expand .
- Select IS-IS.
- Select Logical Interfaces.
- Select Insert.
- Select IpsecNatConfigResponderOnly.
If required, perform the following steps on the IPsec NAT-T Initiator device to configure the public IP address of the Responder device:
- In the navigation pane, expand .
- Select IS-IS.
- Select Logical Interfaces.
- Select Insert.
- For IpsecNatConfigRemoteNatIPAddr, enter the public IP address of the Responder device.
Logical Interfaces Field Descriptions
Use the data in the following table to complete the Logical Interfaces tab and the Insert Logical Interfaces dialog. The fields available in the dialog differ depending on the core type you select: layer 2 or ip.
| Name | Description |
|---|---|
| Id | Specifies the index number that uniquely identifies this logical interface. This field displays on the Insert Logical Interfaces dialog only. |
| IfIndex | Specifies the index number that uniquely identifies this logical interface. This field is read-only. This field displays on the Logical Interfaces tab only. |
| Name | Specifies the administratively assigned name of this logical interface, which can be up to 64 characters. |
| Type (Exception: Type Layer 2 is not supported on XA1400 Series.) | Specifies the type of logical interface to create: |
| DestIPAddr | Specifies the destination IP address for the IP-type logical interface. |
| DestIfIndex (Exception: Not supported on XA1400 Series.) | Specifies the physical port or MultiLink Trunking (MLT) that the Layer 2 logical interface is connected to. |
| Vids (Exception: Not supported on XA1400 Series.) | Specifies the list of VLANs that are associated with this logical interface. |
| PrimaryVid (Exception: Not supported on XA1400 Series.) | Specifies the primary tunnel VLAN ID associated with this Layer 2 Intermediate-System-to-Intermediate-System (IS-IS) logical interface. |
| ISIS MTU | Specifies the Maximum Transmission Unit (MTU) size in bytes for IS-IS packets that use this logical interface. The default value is 1600. This field is not supported for XA1400 Series. Note: Fabric Extend Tunnel IS-IS MTU configuration is added to the document in advance of Fabric Extend Integration with ExtremeCloud SD-WAN support. Feature support is planned for 8.10.1. |
| CircIndex | Identifies the IS-IS circuit created under the logical interface. This field displays on the Logical Interfaces tab only. |
| NextHopVrf (Exception: Not supported on XA1400 Series.) | Displays the next-hop VRF name used to reach the logical tunnel destination IP. This field displays on the Logical Interfaces tab only. You can use this field to specify the VRF used to reach the logical tunnel destination IP associated with a parallel tunnel. |
| IpsecEnable (Exception: Only supported on XA1400 Series.) | Specifies whether the logical interface should use IPsec. |
| AuthenticationKey (Exception: Only supported on XA1400 Series.) | Specifies the authentication key of this logical interface, which can be up to 32 characters. |
| ShapingRate (Exception: Only supported on XA1400 Series.) | Specifies the value, in Mbps, of the Egress Tunnel Shaper applied to the logical interface. |
| Mtu (Exception: Only supported on XA1400 Series.) | Specifies the Maximum Transmission Unit (MTU) size in bytes for the logical interface. The default MTU value is 1950. |
| IpsecTunnelDestAddress (Exception: Only supported on XA1400 Series.) | Specifies the destination IP address for the IPsec tunnel. Note: When you configure the destination IP address for the IPsec tunnel, the IKE protocol uses UDP port 500. However, if IPsec NAT-T is detected, the IKE protocol uses UDP port 4500 instead. |
| BfdEnable (Exception: Not supported on VSP 8600 Series or XA1400 Series.) | Enables or disables BFD on an IS-IS Logical Interface. |
| IpsecResponderOnly (Exception: Only supported on XA1400 Series.) | Specifies whether the device is a Responder device in an IPsec Network Address Translation Traversal (NAT-T) connection. |
| IpsecRemoteNatIPAddr (Exception: Only supported on XA1400 Series.) | Specifies the public IP address of the NAT router connected to the Responder device in an IPsec NAT-T connection. Note: When you configure the IPsec remote NAT IP address, the IKE protocol uses UDP port 4500. |
| IpsecAuthMethod (Exception: Only supported on XA1400 Series.) | Configures the IPsec authentication method for the tunnel as either a pre-shared key or an RSA signature using digital certificates. The default is pre-shared key. |
| CertSubjectName (Exception: Only supported on XA1400 Series.) | Specifies the digital certificate subject name used as the identity certificate. |
| Compression (Exception: Only supported on XA1400 Series.) | Reduces the size of the IP datagram to improve the communication performance between hosts connected behind Backbone Edge Bridges (BEB). Tip: As a best practice, use IPsec compression only for Fabric Extend tunnels where latency is greater than 70 ms. |
| FragmentBeforeEncrypt (Exception: Only supported on XA1400 Series.) | Enables or disables the fragmentation of packets before IPsec encryption on the tunnel. By default, fragmentation before encryption is disabled. |
| TunnelSourceType (Exception: Only supported on XA1400 Series.) | Specifies the type of source IP address for the IPsec tunnel. The default is global. |
| TunnelSourceAddress (Exception: Only supported on XA1400 Series.) | Specifies the source IP address for the IPsec tunnel. |
| TunnelVrf (Exception: Only supported on XA1400 Series.) | Specifies the VRF name associated with the IPsec tunnel. |
| Esp (Exception: Only supported on XA1400 Series.) | Specifies the Encapsulating Security Payload (ESP) cipher suite for IPsec. The default value is aes128gcm16-sha256. |
| SrcIPAddr (Exception: Only supported on VSP 4900 Series and VSP 7400 Series.) | Configures an additional source address to use as the parallel tunnel to create a backup adjacency. Note: To use an IPsec-encrypted tunnel as the parallel tunnel, ensure that you configure the same source IP address on the logical IS-IS interface and in the Fabric IPsec Gateway virtual machine. |
| Origin | Specifies the origin of the IS-IS logical interface configuration: either Zero Touch Fabric Configuration (ZTF) or manual configuration (config) through CLI or EDM. |
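The Responder/Initiator rules from the procedure above and the IKE port notes from the table (UDP 500 before NAT-T is detected, UDP 4500 once IpsecRemoteNatIPAddr is set or NAT-T is detected) can be turned into a pre-deployment check. The following is an added example, not code from the original page and not an Extreme Networks API: the field names mirror the EDM fields described above, but the TunnelEnd class, check_pair() and expected_ike_port() are this example's own helpers, the behind_nat flag is a deployment fact rather than an EDM field, and the sample addresses are constructed.

```python
"""Consistency check for the two ends of an IPsec NAT-T Fabric Extend tunnel.

Added example, not part of the original page or a product API. Field names
mirror the EDM fields described above (IpsecResponderOnly, IpsecRemoteNatIPAddr,
TunnelSourceAddress, IpsecTunnelDestAddress); TunnelEnd, check_pair() and
expected_ike_port() are this example's own helpers, and all addresses are
constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

IKE_PORT = 500         # IKE before NAT-T is detected
IKE_NAT_T_PORT = 4500  # IKE (and UDP-encapsulated ESP) once NAT-T is in use

# RFC 1918 ranges: a NAT router's public address must not fall in these.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class TunnelEnd:
    name: str                            # label for messages only
    tunnel_source: str                   # TunnelSourceAddress
    tunnel_dest: str                     # IpsecTunnelDestAddress
    behind_nat: bool                     # deployment fact, not an EDM field
    responder_only: bool = False         # IpsecResponderOnly
    remote_nat_ip: Optional[str] = None  # IpsecRemoteNatIPAddr


def expected_ike_port(end: TunnelEnd, nat_t_detected: bool = False) -> int:
    """UDP port IKE should be using on this end, per the field notes above:
    4500 as soon as IpsecRemoteNatIPAddr is set or NAT-T has been detected,
    otherwise 500. Useful when deciding which port a firewall rule or a
    capture filter must cover."""
    if end.remote_nat_ip is not None or nat_t_detected:
        return IKE_NAT_T_PORT
    return IKE_PORT


def _valid_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def check_pair(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Return the problems found in a tunnel pair; an empty list means consistent."""
    problems: List[str] = []

    # NAT-T needs exactly one Responder and one Initiator.
    responders = [e for e in (a, b) if e.responder_only]
    if len(responders) != 1:
        problems.append(
            f"exactly one end must set IpsecResponderOnly, found {len(responders)}")

    # When both ends are behind NAT, the Initiator needs the Responder's public address.
    if a.behind_nat and b.behind_nat:
        for end in (a, b):
            if not end.responder_only and end.remote_nat_ip is None:
                problems.append(
                    f"{end.name}: both ends are behind NAT, so the Initiator "
                    "must set IpsecRemoteNatIPAddr")

    for end in (a, b):
        for field, value in (("TunnelSourceAddress", end.tunnel_source),
                             ("IpsecTunnelDestAddress", end.tunnel_dest),
                             ("IpsecRemoteNatIPAddr", end.remote_nat_ip)):
            if value is not None and not _valid_ip(value):
                problems.append(f"{end.name}: {field} {value!r} is not a valid IP address")

        # The remote NAT address is the NAT router's public side; a private
        # address here is usually the Responder's inside address by mistake.
        if end.remote_nat_ip and _valid_ip(end.remote_nat_ip):
            addr = ip_address(end.remote_nat_ip)
            if any(addr in net for net in RFC1918):
                problems.append(
                    f"{end.name}: IpsecRemoteNatIPAddr {end.remote_nat_ip} is an "
                    "RFC 1918 address, but the Responder's public NAT address is required")

    return problems


if __name__ == "__main__":
    # Constructed sample: hub is the Responder, branch the Initiator, both behind NAT.
    hub = TunnelEnd("hub", "10.1.1.1", "198.51.100.10", behind_nat=True, responder_only=True)
    branch = TunnelEnd("branch", "10.2.2.2", "203.0.113.20", behind_nat=True,
                       remote_nat_ip="203.0.113.20")
    for p in check_pair(hub, branch) or ["pair is consistent"]:
        print(p)
    print("branch IKE port:", expected_ike_port(branch))
```

Run the file directly for the constructed hub/branch pair, or import check_pair() and feed it the two ends of each tunnel you intend to configure; the RFC 1918 test is deliberately explicit rather than using ipaddress.is_private, because the latter also classifies documentation ranges such as 203.0.113.0/24 as private.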