This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX and shows, through working examples, what the client and server on either side of the NATing SRX see and experience.
When an ESP packet is using NAT-T, there is an added packet type that goes along with the ESP encapsulated packets, the NAT-Keepalive packet. NAT-Keepalives are sent by each gateway device at periodic intervals to ensure that the NAT state is not lost on stateful devices like the SRX. A NAT-Keepalive is more or less a one octet packet with 0xFF as a payload. We'll run through a short scenario that shows how these short little packets are useful -- and sometimes necessary.
On Junos, NAT-Keepalives are configured under each gateway, with a send interval in the range from 1 to 300 seconds (as of Junos 12.1X46). The default is to send them every 20 seconds.
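The three kinds of traffic that share UDP port 4500 (NAT-keepalive, IKE behind the non-ESP marker, and UDP-encapsulated ESP) can be told apart from the first payload bytes, as RFC 3948 specifies. The sketch below is an added example, not code from the original page or from Junos; the helper names are hypothetical and the sample byte strings are constructed, reusing an SPI and message ID that appear in the capture at the end of this page.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: four zero octets where an ESP SPI would sit
# ISAKMP header: two cookies, next payload, version, exchange type, flags, msgid, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP payload seen on port 4500 (hypothetical helper)."""
    if payload == b"\xff":
        # NAT-keepalive: only refreshes NAT/firewall state; the receiver drops it.
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < ISAKMP_HDR.size:
            return {"kind": "malformed", "reason": "short IKE header"}
        _, _, _, version, exchange, flags, msgid, length = ISAKMP_HDR.unpack_from(body)
        return {
            "kind": "ike",
            "version": f"{version >> 4}.{version & 0xF}",
            "exchange": exchange,              # 32 = Quick Mode in IKEv1
            "encrypted": bool(flags & 0x01),
            "msgid": f"{msgid:08x}",
            "length": length,
        }
    if len(payload) >= 8:
        # Anything else is ESP: SPI (never zero) followed by the sequence number.
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp", "spi": f"0x{spi:08x}", "seq": seq}
    return {"kind": "malformed", "reason": "too short for ESP"}


def ip_total_length(payload: bytes) -> int:
    """IPv4 total length: 20-byte IP header + 8-byte UDP header + payload."""
    return 20 + 8 + len(payload)


# Constructed samples (not captured bytes).
KEEPALIVE = b"\xff"
ESP = struct.pack("!II", 0x59BD8781, 1) + bytes(124)  # 132-byte UDP payload
IKE = NON_ESP_MARKER + ISAKMP_HDR.pack(
    b"\x11" * 8, b"\x22" * 8, 8, 0x10, 32, 0x01, 0x17A1ECFA, 28)

if __name__ == "__main__":
    for name, pkt in (("keepalive", KEEPALIVE), ("esp", ESP), ("ike", IKE)):
        print(name, ip_total_length(pkt), classify_udp4500(pkt))
```

The one-octet payload is why tcpdump reports an IP length of 29 for every keepalive in the capture: 20 + 8 + 1.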
In our demo, we examine the security policy that allows NAT-T traffic to pass, to see how long the session can remain inactive before it is closed. According to the output below, UDP port 4500 traffic times out after 60 seconds.
NAT-T session details on SRX-12
juniper@SRX-12# run show security policies detail policy-name ALLOW-NAT-T
Policy: ALLOW-NAT-T, action-type: permit, State: enabled, Index: 8, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: SRX11, To zone: SRX13
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: junos-ike-nat
    IP protocol: udp, ALG: 0, Inactivity timeout: 60
      Source port range: [0-0]
      Destination port range: [4500-4500]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input bytes       :  95403    15 bps
    Output bytes      :  95403    15 bps
    Input packets     :    666     0 pps
    Output packets    :    666     0 pps
    Session rate      :      1     0 sps
    Active sessions   :      1
    Session deletions:       0
    Policy lookups    :      1

[edit]
juniper@SRX-12#
In our scenario, we have a contrived and imaginary application that runs on the server. This application pings any client that connects remotely through an IPsec VPN every 15 seconds for 2 minutes. If any of the pings fail, an email is sent out to everyone announcing that the network sucks and the network administrators are beyond incompetent. This ping, sent from the IKE responder to the IKE initiator, goes against the normal flow of the traffic that sets up a session, so it's imperative that the original session remain open for the ping to make it through!
The Ping-ing Application on the Server, thankfully running well
juniper@server:~$ ping -i 15 192.168.200.88
PING 192.168.200.88 (192.168.200.88) 56(84) bytes of data.
64 bytes from 192.168.200.88: icmp_req=1 ttl=62 time=7.97 ms
64 bytes from 192.168.200.88: icmp_req=2 ttl=62 time=12.1 ms
64 bytes from 192.168.200.88: icmp_req=3 ttl=62 time=8.69 ms
64 bytes from 192.168.200.88: icmp_req=4 ttl=62 time=8.39 ms
64 bytes from 192.168.200.88: icmp_req=5 ttl=62 time=9.37 ms
64 bytes from 192.168.200.88: icmp_req=6 ttl=62 time=8.20 ms
64 bytes from 192.168.200.88: icmp_req=7 ttl=62 time=8.52 ms
64 bytes from 192.168.200.88: icmp_req=8 ttl=62 time=8.61 ms
64 bytes from 192.168.200.88: icmp_req=9 ttl=62 time=5.92 ms
64 bytes from 192.168.200.88: icmp_req=10 ttl=62 time=8.02 ms
If we examine the sessions on the firewall, we can see with this ping going every 15 seconds, the closest the supporting session on the SRX ever gets to timing out is 45 seconds.
sessions on SRX-12
juniper@SRX-12# run show security flow session
Session ID: 1776, Policy name: ALLOW-NAT-T/8, Timeout: 44, Valid
  In: 192.168.11.11/4500 --> 192.168.13.13/4500;udp, If: ge-0/0/4.0, Pkts: 344, Bytes: 45484
  Out: 192.168.13.13/4500 --> 172.18.2.224/11353;udp, If: ge-0/0/5.0, Pkts: 263, Bytes: 40571
Total sessions: 1

[edit]
juniper@SRX-12# run show security flow session
Session ID: 1776, Policy name: ALLOW-NAT-T/8, Timeout: 60, Valid
  In: 192.168.11.11/4500 --> 192.168.13.13/4500;udp, If: ge-0/0/4.0, Pkts: 345, Bytes: 45644
  Out: 192.168.13.13/4500 --> 172.18.2.224/11353;udp, If: ge-0/0/5.0, Pkts: 264, Bytes: 40731
Total sessions: 1

[edit]
juniper@SRX-12#
In our scenario, the firewall admins are complaining that they have too many open sessions on SRX-12 and need to start aging them out more aggressively. So they set the NAT-T sessions to be closed after 5 seconds of inactivity. The config snippet below overrides the default timeout of 20 seconds for junos-ike-nat traffic.
modifying default inactivity-timeout for junos-ike-nat application
juniper@SRX-12# show
[edit applications]
application junos-ike-nat {
    term t1 protocol udp destination-port 4500 inactivity-timeout 5;
}
After this is committed, any new connections will be subjected to only a short time of inactivity before the session is closed. This isn't a problem as long as the client (or server, for that matter) is actively using the connection. Here we see that a new user connects from the client through one of the IPsec VPN connections and starts sending some important data to the server.
connectivity test from client
juniper@client:~$ ping 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.
64 bytes from 10.80.80.80: icmp_req=22 ttl=62 time=6.24 ms
64 bytes from 10.80.80.80: icmp_req=23 ttl=62 time=4.71 ms
The server starts up its ping-back application, which happily is working (while the client is still chattering away).
server application responding
juniper@server:~$ ping -i 15 -w 120 192.168.200.88
PING 192.168.200.88 (192.168.200.88) 56(84) bytes of data.
64 bytes from 192.168.200.88: icmp_req=1 ttl=62 time=5.42 ms
64 bytes from 192.168.200.88: icmp_req=2 ttl=62 time=6.44 ms
64 bytes from 192.168.200.88: icmp_req=3 ttl=62 time=5.89 ms
64 bytes from 192.168.200.88: icmp_req=4 ttl=62 time=5.22 ms
64 bytes from 192.168.200.88: icmp_req=5 ttl=62 time=5.03 ms
However, before the ping-back application is finished, the client finishes his network transactions and goes idle.
client prematurely finishes network communications
64 bytes from 10.80.80.80: icmp_req=113 ttl=62 time=6.15 ms
64 bytes from 10.80.80.80: icmp_req=114 ttl=62 time=6.05 ms
64 bytes from 10.80.80.80: icmp_req=115 ttl=62 time=5.58 ms
^C
--- 10.80.80.80 ping statistics ---
115 packets transmitted, 94 received, 18% packet loss, time 114320ms
rtt min/avg/max/mdev = 3.490/5.692/10.785/1.038 ms
juniper@client:~$
Watching the session on the firewall, we can see that it soon closes.
Session 1793 closing on SRX-12
juniper@SRX-12# run show security flow session
Session ID: 1793, Policy name: ALLOW-NAT-T/8, Timeout: 6, Valid
  In: 192.168.11.11/4500 --> 192.168.13.13/4500;udp, If: ge-0/0/4.0, Pkts: 15, Bytes: 2400
  Out: 192.168.13.13/4500 --> 172.18.2.224/2754;udp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0
Total sessions: 1

[edit security policies]
juniper@SRX-12# run show security flow session
Session ID: 1793, Policy name: ALLOW-NAT-T/8, Timeout: 2, Valid
  In: 192.168.11.11/4500 --> 192.168.13.13/4500;udp, If: ge-0/0/4.0, Pkts: 124, Bytes: 19796
  Out: 192.168.13.13/4500 --> 172.18.2.224/2754;udp, If: ge-0/0/5.0, Pkts: 103, Bytes: 16452
Total sessions: 1

[edit security policies]
juniper@SRX-12# run show security flow session
Total sessions: 0

[edit security policies]
juniper@SRX-12#
And the ping-back application on the server starts losing packets of important data.
server application fails
juniper@server:~$ ping -i 15 -w 120 192.168.200.88
PING 192.168.200.88 (192.168.200.88) 56(84) bytes of data.
64 bytes from 192.168.200.88: icmp_req=1 ttl=62 time=5.42 ms
64 bytes from 192.168.200.88: icmp_req=2 ttl=62 time=6.44 ms
64 bytes from 192.168.200.88: icmp_req=3 ttl=62 time=5.89 ms
64 bytes from 192.168.200.88: icmp_req=4 ttl=62 time=5.22 ms
64 bytes from 192.168.200.88: icmp_req=5 ttl=62 time=5.03 ms

--- 192.168.200.88 ping statistics ---
8 packets transmitted, 5 received, 37% packet loss, time 105005ms
rtt min/avg/max/mdev = 5.034/5.603/6.444/0.513 ms
juniper@server:~$
Additionally, if the client starts sending traffic through the VPN once again, it is subjected to the delay of having to wait for the session to be recreated in the firewall. We lose a precious ICMP echo request/reply.
client communication delay
juniper@client:~$ ping -c 3 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.
64 bytes from 10.80.80.80: icmp_req=2 ttl=62 time=7.62 ms
64 bytes from 10.80.80.80: icmp_req=3 ttl=62 time=6.59 ms

--- 10.80.80.80 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2001ms
rtt min/avg/max/mdev = 6.590/7.105/7.620/0.515 ms
juniper@client:~$
We can solve these issues by configuring NAT-keepalives on our IKE initiator (or the responder) to transmit at a shorter interval than the session timeout. We'll configure SRX-11 to send NAT-keepalives every 3 seconds under the appropriate IKE gateway.
SRX-13 NAT Keepalive Modification
[edit security ike]
juniper@SRX-11# set gateway SRX-13 nat-keepalive 3

[edit security ike]
juniper@SRX-11#
With this setting, once the client initiates a connection, our session is able to stay open long enough for our ping-back application to complete.
server application finishes thanks to NAT keepalives
juniper@server:~$ ping -i 15 -w 120 192.168.200.88
PING 192.168.200.88 (192.168.200.88) 56(84) bytes of data.
64 bytes from 192.168.200.88: icmp_req=1 ttl=62 time=5.49 ms
64 bytes from 192.168.200.88: icmp_req=2 ttl=62 time=7.11 ms
64 bytes from 192.168.200.88: icmp_req=3 ttl=62 time=8.70 ms
64 bytes from 192.168.200.88: icmp_req=4 ttl=62 time=7.94 ms
64 bytes from 192.168.200.88: icmp_req=5 ttl=62 time=11.2 ms
64 bytes from 192.168.200.88: icmp_req=6 ttl=62 time=8.04 ms
64 bytes from 192.168.200.88: icmp_req=7 ttl=62 time=8.41 ms
64 bytes from 192.168.200.88: icmp_req=8 ttl=62 time=7.69 ms

--- 192.168.200.88 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 105024ms
rtt min/avg/max/mdev = 5.494/8.087/11.281/1.525 ms
juniper@server:~$
To finish things off, a tcpdump -nvv showing the NAT-Keepalives being sent at 3 second intervals.
tcpdump showing NAT keepalives at 3 second intervals
15:51:58.844321 IP (tos 0xc0, ttl 64, id 32826, offset 0, flags [none], proto UDP (17), length 220)
    192.168.11.11.4500 > 192.168.13.13.4500: NONESP-encap: isakmp 1.0 msgid 17a1ecfa: phase 2/others ? oakley-quick[E]: [encrypted hash]
15:51:58.863777 IP (tos 0xc0, ttl 63, id 29294, offset 0, flags [none], proto UDP (17), length 220)
    192.168.13.13.4500 > 192.168.11.11.4500: NONESP-encap: isakmp 1.0 msgid 17a1ecfa: phase 2/others ? oakley-quick[E]: [encrypted hash]
15:51:58.879609 IP (tos 0xc0, ttl 64, id 32827, offset 0, flags [none], proto UDP (17), length 92)
    192.168.11.11.4500 > 192.168.13.13.4500: NONESP-encap: isakmp 1.0 msgid 17a1ecfa: phase 2/others ? oakley-quick[E]: [encrypted hash]
15:51:59.833691 IP (tos 0x0, ttl 63, id 32654, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x1), length 132
15:51:59.837028 IP (tos 0x0, ttl 62, id 31875, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x1), length 132
15:52:00.835120 IP (tos 0x0, ttl 63, id 32655, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x2), length 132
15:52:00.838834 IP (tos 0x0, ttl 62, id 31876, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x2), length 132
15:52:01.218496 IP (tos 0x0, ttl 62, id 31877, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x3), length 132
15:52:01.220064 IP (tos 0x0, ttl 63, id 32656, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x3), length 132
15:52:04.904497 IP (tos 0xc0, ttl 64, id 32853, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:07.919555 IP (tos 0xc0, ttl 64, id 32856, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:10.929643 IP (tos 0xc0, ttl 64, id 32859, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:13.929489 IP (tos 0xc0, ttl 64, id 32860, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:16.224488 IP (tos 0x0, ttl 62, id 31878, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x4), length 132
15:52:16.227043 IP (tos 0x0, ttl 63, id 32657, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x4), length 132
15:52:19.939580 IP (tos 0xc0, ttl 64, id 32863, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:22.944738 IP (tos 0xc0, ttl 64, id 32866, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:25.959681 IP (tos 0xc0, ttl 64, id 32869, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:28.974629 IP (tos 0xc0, ttl 64, id 32870, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:31.227013 IP (tos 0x0, ttl 62, id 31879, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x5), length 132
15:52:31.230004 IP (tos 0x0, ttl 63, id 32658, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x5), length 132
15:52:34.966015 IP (tos 0xc0, ttl 64, id 32873, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:37.969812 IP (tos 0xc0, ttl 64, id 32876, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:40.974753 IP (tos 0xc0, ttl 64, id 32879, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:43.974826 IP (tos 0xc0, ttl 64, id 32880, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:46.232875 IP (tos 0x0, ttl 62, id 31880, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x6), length 132
15:52:46.235509 IP (tos 0x0, ttl 63, id 32659, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x6), length 132
15:52:49.989598 IP (tos 0xc0, ttl 64, id 32883, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:52.994954 IP (tos 0xc0, ttl 64, id 32886, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:55.999809 IP (tos 0xc0, ttl 64, id 32889, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:59.009911 IP (tos 0xc0, ttl 64, id 32890, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:01.241173 IP (tos 0x0, ttl 62, id 31881, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x7), length 132
15:53:01.246975 IP (tos 0x0, ttl 63, id 32660, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x7), length 132
15:53:05.029981 IP (tos 0xc0, ttl 64, id 32893, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:08.039906 IP (tos 0xc0, ttl 64, id 32896, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:11.044927 IP (tos 0xc0, ttl 64, id 32899, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:14.051311 IP (tos 0xc0, ttl 64, id 32900, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:16.241876 IP (tos 0x0, ttl 62, id 31882, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x8), length 132
15:53:16.244742 IP (tos 0x0, ttl 63, id 32661, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x8), length 132
15:53:20.074917 IP (tos 0xc0, ttl 64, id 32903, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:23.085028 IP (tos 0xc0, ttl 64, id 32906, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:26.090127 IP (tos 0xc0, ttl 64, id 32909, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:29.100031 IP (tos 0xc0, ttl 64, id 32910, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:31.242484 IP (tos 0x0, ttl 62, id 31883, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x9), length 132
15:53:31.246709 IP (tos 0x0, ttl 63, id 32662, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x9), length 132
15:53:35.115033 IP (tos 0xc0, ttl 64, id 32913, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:38.130147 IP (tos 0xc0, ttl 64, id 32916, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:41.140019 IP (tos 0xc0, ttl 64, id 32919, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:44.150197 IP (tos 0xc0, ttl 64, id 32920, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:46.243494 IP (tos 0x0, ttl 62, id 31884, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0xa), length 132
15:53:46.246337 IP (tos 0x0, ttl 63, id 32663, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0xa), length 132
15:53:47.885384 IP (tos 0xc0, ttl 64, id 32923, offset 0, flags [none], proto UDP (17), length 220)
    192.168.11.11.4500 > 192.168.13.13.4500: NONESP-encap: isakmp 1.0 msgid f2f5b590: phase 2/others ? oakley-quick[E]: [encrypted hash]
15:53:47.893371 IP (tos 0xc0, ttl 63, id 29366, offset 0, flags [none], proto UDP (17), length 220)
    192.168.13.13.4500 > 192.168.11.11.4500: NONESP-encap: isakmp 1.0 msgid f2f5b590: phase 2/others ? oakley-quick[E]: [encrypted hash]
15:53:47.899922 IP (tos 0xc0, ttl 64, id 32924, offset 0, flags [none], proto UDP (17), length 92)
    192.168.11.11.4500 > 192.168.13.13.4500: NONESP-encap: isakmp 1.0 msgid f2f5b590: phase 2/others ? oakley-quick[E]: [encrypted hash]
15:53:51.165456 IP (tos 0xc0, ttl 64, id 32952, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:52.910190 IP (tos 0xc0, ttl 64, id 32953, offset 0, flags [none], proto UDP (17), length 108)
    192.168.11.11.4500 > 192.168.13.13.4500: NONESP-encap: isakmp 1.0 msgid 0cbd5205: phase 2/others ? inf[E]: [encrypted hash]
15:53:54.175123 IP (tos 0xc0, ttl 64, id 32954, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:53:57.175132 IP (tos 0xc0, ttl 64, id 32962, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:00.180253 IP (tos 0xc0, ttl 64, id 32963, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:03.185336 IP (tos 0xc0, ttl 64, id 32966, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:06.190288 IP (tos 0xc0, ttl 64, id 32969, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:08.244861 IP (tos 0xc0, ttl 63, id 29393, offset 0, flags [none], proto UDP (17), length 29)
    192.168.13.13.4500 > 192.168.11.11.4500: isakmp-nat-keep-alive
15:54:09.195335 IP (tos 0xc0, ttl 64, id 32970, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:12.195070 IP (tos 0xc0, ttl 64, id 32973, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:15.210357 IP (tos 0xc0, ttl 64, id 32974, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:18.215270 IP (tos 0xc0, ttl 64, id 32977, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:21.225355 IP (tos 0xc0, ttl 64, id 32980, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:54:24.225308 IP (tos 0xc0, ttl 64, id 32981, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
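The rule this walkthrough arrives at is that the longest silence on the UDP/4500 flow has to stay below the firewall's inactivity timeout. The script below is an added example, not part of the original page: it reads `tcpdump -nvv` text like the capture above, measures the longest idle gap with and without the keepalives, and compares it with a timeout. The function names are hypothetical, and it assumes a packet in either direction refreshes the session and that the capture does not cross midnight.

```python
import re

# Excerpt of the capture shown above (nat-keepalive 3, server ping every 15 s).
CAPTURE = """\
15:52:01.220064 IP (tos 0x0, ttl 63, id 32656, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x3), length 132
15:52:04.904497 IP (tos 0xc0, ttl 64, id 32853, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:07.919555 IP (tos 0xc0, ttl 64, id 32856, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:10.929643 IP (tos 0xc0, ttl 64, id 32859, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:13.929489 IP (tos 0xc0, ttl 64, id 32860, offset 0, flags [none], proto UDP (17), length 29)
    192.168.11.11.4500 > 192.168.13.13.4500: isakmp-nat-keep-alive
15:52:16.224488 IP (tos 0x0, ttl 62, id 31878, offset 0, flags [none], proto UDP (17), length 160)
    192.168.13.13.4500 > 192.168.11.11.4500: UDP-encap: ESP(spi=0x2efc2ce0,seq=0x4), length 132
15:52:16.227043 IP (tos 0x0, ttl 63, id 32657, offset 0, flags [none], proto UDP (17), length 160)
    192.168.11.11.4500 > 192.168.13.13.4500: UDP-encap: ESP(spi=0x59bd8781,seq=0x4), length 132
"""

# Timestamp, IP header summary, then "src.port > dst.port: <first decode token>".
PACKET_RE = re.compile(
    r"(\d\d):(\d\d):(\d\d\.\d+) IP \(.*?\)\s+(\S+) > (\S+): (\S+)")


def parse(capture: str) -> list:
    """Return (seconds_since_midnight, flow, is_keepalive) for each packet."""
    packets = []
    for h, m, s, src, dst, kind in PACKET_RE.findall(capture):
        t = int(h) * 3600 + int(m) * 60 + float(s)
        flow = frozenset((src, dst))  # direction-agnostic, like a firewall session
        packets.append((t, flow, kind == "isakmp-nat-keep-alive"))
    return packets


def max_idle_gap(packets, count_keepalives=True) -> dict:
    """Longest silence per flow in seconds; optionally pretend keepalives are off."""
    last, worst = {}, {}
    for t, flow, is_keepalive in packets:
        if is_keepalive and not count_keepalives:
            continue
        if flow in last:
            worst[flow] = max(worst.get(flow, 0.0), t - last[flow])
        last[flow] = t
    return worst


def survives(packets, inactivity_timeout, count_keepalives=True) -> bool:
    """True if no flow is silent for inactivity_timeout seconds or longer."""
    gaps = max_idle_gap(packets, count_keepalives)
    return all(gap < inactivity_timeout for gap in gaps.values())


if __name__ == "__main__":
    pkts = parse(CAPTURE)
    for with_ka in (True, False):
        print("keepalives counted:", with_ka,
              "max gap:", max_idle_gap(pkts, with_ka),
              "survives 5 s timeout:", survives(pkts, 5, with_ka))
```

With keepalives counted the longest gap in the excerpt is about 3.7 seconds, under the 5-second timeout; with them ignored it is about 15 seconds, which is the failure the server's ping-back application hit earlier.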