
When a router uses NAT to translate the destination IP/port, it has to get the port from the TCP/UDP packet inside the IP packet, right? But what if the TCP packet is encrypted?

2 Answers

1

The most commonly used encryption method, TLS (formerly SSL), only encrypts the application data within the TCP segments, not the TCP headers themselves.

There are some encryption modes that are part of IPsec that do encrypt the TCP or UDP headers, and those modes do not traverse NAT gateways. So to make those kinds of IPsec flows capable of traversing NATs, they can be wrapped in an extra TCP header (port 4500/TCP), so the NAT can mess with that extra outer header and leave the encrypted inner datagram alone.

Spiff
  • 104,423
0

Both for TCP and UDP packets, only the contents are ever encrypted, never the fields with the port numbers (or other fields that make up the packet structure).

So NAT works on all packets.

You can also tunnel TCP or UDP packets through some other encrypted connection, and in that case, the router's NAT never sees them at all (but it will see the TCP or UDP packets of the "outer" tunnel connection).

dirkt
  • 16,899
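Both answers make the same point: NAT only needs the IP and TCP/UDP headers, which TLS never encrypts, and a tunnelled inner packet is invisible to NAT because the router only touches the outer header. The following added example (my own illustration, not code from either answer) makes that concrete by building a raw IPv4/TCP packet whose payload is a constructed TLS-record-shaped byte string, applying a source-NAT rewrite that fixes both checksums, and confirming the payload bytes are untouched. It then wraps the whole packet inside a UDP datagram (the way NAT-T style encapsulation does) and NATs the outer header, showing the inner packet survives byte-for-byte. All addresses, ports and payload bytes are constructed sample values.

```python
import struct

# Constructed sample payload shaped like a TLS record header (type 0x16 =
# handshake, version 3.3) followed by five opaque bytes. It stands in for the
# encrypted application data; NAT never parses or modifies it.
TLS_LIKE_PAYLOAD = b"\x16\x03\x03\x00\x05" + b"\x00\x01\x02\x03\x04"


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4, TCP and UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_l4_checksum(src: bytes, dst: bytes, proto: int, l4: bytes) -> bytes:
    """Recompute the TCP (proto 6) or UDP (proto 17) checksum over the pseudo-header + segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(l4))
    off = 16 if proto == 6 else 6          # checksum field offset in the L4 header
    zeroed = l4[:off] + b"\x00\x00" + l4[off + 2:]
    csum = ip_checksum(pseudo + zeroed)
    if proto == 17 and csum == 0:           # UDP: 0 means "no checksum", so send 0xFFFF instead
        csum = 0xFFFF
    return l4[:off] + struct.pack("!H", csum) + l4[off + 2:]


def build_packet(src_ip, dst_ip, src_port, dst_port, payload, proto=6):
    """Build a minimal IPv4 packet carrying a TCP (default) or UDP header plus payload."""
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    if proto == 6:
        # ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urgent ptr
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000,
                         5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    l4 = fix_l4_checksum(src, dst, proto, l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                     64, proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + l4


def parse(packet: bytes):
    """Return (src_ip, dst_ip, proto, src_port, dst_port, payload); this is all a NAT needs."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src_ip = ".".join(map(str, packet[12:16]))
    dst_ip = ".".join(map(str, packet[16:20]))
    l4 = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", l4[:4])
    hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8
    return src_ip, dst_ip, proto, src_port, dst_port, l4[hdr_len:]


def snat(packet: bytes, new_src_ip: str, new_src_port: int) -> bytes:
    """Source NAT: rewrite source IP and port, fix both checksums, never touch the payload."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = bytes(map(int, new_src_ip.split(".")))
    dst = packet[16:20]
    ip = packet[:ihl]
    ip = ip[:10] + b"\x00\x00" + ip[12:]   # zero the IP checksum before recomputing
    ip = ip[:12] + src + ip[16:]
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    l4 = struct.pack("!H", new_src_port) + packet[ihl + 2:]
    return ip + fix_l4_checksum(src, dst, proto, l4)


def checksums_ok(packet: bytes) -> bool:
    """True when both the IPv4 header checksum and the L4 checksum verify."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, len(packet) - ihl)
    return ip_checksum(packet[:ihl]) == 0 and ip_checksum(pseudo + packet[ihl:]) == 0


if __name__ == "__main__":
    inner = build_packet("192.168.1.10", "203.0.113.5", 51000, 443, TLS_LIKE_PAYLOAD)
    natted = snat(inner, "198.51.100.1", 40000)
    print("after NAT:", parse(natted)[:5], "payload unchanged:",
          parse(natted)[5] == TLS_LIKE_PAYLOAD)
    # Tunnel case: the whole inner packet becomes the payload of an outer UDP datagram.
    outer = build_packet("192.168.1.10", "198.51.100.9", 5000, 4500, inner, proto=17)
    outer_natted = snat(outer, "198.51.100.1", 40001)
    print("inner packet intact inside NATted tunnel:", parse(outer_natted)[5] == inner)
```

The rewrite touches exactly the fields dirkt describes: addresses in the IP header, the port in the L4 header, and the two checksums that cover them. Everything after the L4 header is copied through, which is why encrypted application data (TLS) is no obstacle, and why a NAT in the tunnel case only ever sees and rewrites the outer datagram's ports.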