Traversing NATs and NAPTs with UDP-Encapsulated ESP Packets

The IPsec Task Offload feature is deprecated and should not be used.

Network address translators (NATs) and network address port translators (NAPTs) convert multiple private network addresses into one routeable public IP address and vice versa, thereby allowing many systems to share a single IP address. In this way, NATs and NAPTs help to alleviate the shortage of routeable IPv4 addresses.

However, NATs and NAPTs can cause problems for Internet Protocol security (IPsec). Because NATs and NAPTs modify the IP header of a packet, they cause AH-protected packets to fail checksum validation. NAPTs, which modify TCP and UDP ports, cannot modify the ports in the encrypted TCP header of an ESP-protected packet.

UDP encapsulation solves this problem. In practice, UDP encapsulation is used only on ESP packets. A NAT or NAPT can modify the unencrypted IP and UDP headers of a UDP-encapsulated ESP packet without breaking ESP authentication and without being stymied by ESP encryption. For a detailed description of the UDP encapsulation of ESP packets, see IPsec over NAT Justification for UDP Encapsulation.

Microsoft supports UDP encapsulation of ESP packets on port 4500. After IKE peers initiate negotiation on port 500, detect support for NAT traversal, and detect a NAT or NAPT along the path, they can negotiate to "float" IKE and UDP-ESP traffic to port 4500. For more information about this negotiation, see Negotiation of NAT-Traversal in the IKE.

Floating to port 4500 for NAT traversal provides the following benefits:

  • It bypasses "IPsec-aware" NATs or NAPTs that break UDP-ESP encapsulation on port 500.

  • It improves performance. The UDP encapsulation of ESP data packets is more efficient on port 4500 than on port 500. For more information, see UDP-ESP Encapsulation Types.
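Once traffic has floated to port 4500, a receiver must tell apart the three things that share that port. As an added illustration, not part of this documentation or of Microsoft's driver code, the routine below applies the RFC 3948 rules: a single 0xFF octet is a NAT-keepalive, four zero octets (the Non-ESP Marker, which can never be a real SPI) mean an IKE header follows, and anything else is an ESP header whose SPI and sequence number can be read in the clear. The sample packets are constructed, and the names `natt_pkt` and `classify_udp4500` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* What a UDP datagram arriving on port 4500 can carry (RFC 3948). */
enum natt_kind { NATT_INVALID = 0, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

struct natt_pkt {
    enum natt_kind kind;
    uint32_t spi;         /* ESP only: Security Parameter Index (never 0)      */
    uint32_t seq;         /* ESP only: anti-replay sequence number             */
    const uint8_t *inner; /* start of the IKE header or of the ESP header      */
    size_t inner_len;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify the UDP payload (len bytes at payload) of a port-4500 datagram. */
enum natt_kind classify_udp4500(const uint8_t *payload, size_t len, struct natt_pkt *out)
{
    memset(out, 0, sizeof *out);
    if (len == 1 && payload[0] == 0xFF) {            /* NAT-keepalive: one 0xFF octet  */
        out->kind = NATT_KEEPALIVE;
    } else if (len >= 4 && be32(payload) == 0) {     /* Non-ESP Marker: IKE follows    */
        if (len >= 4 + 28) {                         /* 28-byte ISAKMP header minimum  */
            out->kind = NATT_IKE;
            out->inner = payload + 4;
            out->inner_len = len - 4;
        }
    } else if (len >= 8) {                           /* ESP: nonzero SPI + sequence    */
        out->kind = NATT_ESP;
        out->spi = be32(payload);
        out->seq = be32(payload + 4);
        out->inner = payload;
        out->inner_len = len;
    }
    return out->kind;                                /* NATT_INVALID if too short      */
}

/* Constructed samples (not captured traffic): an ESP packet with SPI 0x0000C0DE and
 * sequence number 1, an IKE packet behind the 4-byte marker, and a keepalive. */
const uint8_t sample_esp[16] = { 0x00, 0x00, 0xC0, 0xDE, 0x00, 0x00, 0x00, 0x01,
                                 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22 };
const uint8_t sample_ike[32] = { 0 };   /* marker + zeroed 28-byte ISAKMP header */
const uint8_t sample_keepalive[1] = { 0xFF };
```

Only the outer IP and UDP headers plus these first bytes are visible to a NAT or NAPT; the SPI and sequence number are what a receiver uses to locate the SA and check for replay before decrypting.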

To support UDP-ESP encapsulation, a miniport driver or the NIC (or both) must: