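1. IKE port floating

During phase 1 and phase 2 of tunnel establishment, IPsec negotiates parameters such as the encryption algorithms and the encryption policy; this negotiation is carried out by the IKE protocol.
IKE uses port 500 by default, but if there is a NAT device on the path of the IPsec tunnel, the IKE port floats from 500 to 4500. The main purpose of this is:

to avoid NAT traversal failing because some NAT devices do not translate packets whose source port is 500.

For this reason IKE normally listens on two UDP ports at the same time: 500 and 4500.

2. Whether the IKE port floats

A while ago I ran into this scenario: the tunnel was established successfully, but no data got through. After a week of investigation I determined that the cause was that the peer device did not support IKE port floating: even with NAT traversal in play it did not float the port and kept using port 500.
Below are the NAT-T related interfaces and their relationships, compiled from the openswan source:

2.1 Detecting NAT-T support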

Initiator -> Responder: HDR, SA, VIDs

Responder -> Initiator: HDR, SA, VID

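In the first message of phase 1, the initiator of the IPsec tunnel sends the NAT-T standards it supports to the peer as VID (Vendor ID) payloads. In the openswan source, VIDs map to NAT-T types as follows:

| No. | VID type | Value | NAT-T type | Supports port floating |
|---|---|---|---|---|
| 1 | VID_NATT_IETF_00 | 105 | NAT_TRAVERSAL_IETF_00_01 | |
| 2 | VID_NATT_IETF_02_N | 106 | NAT_TRAVERSAL_IETF_02_03 | |
| 3 | VID_NATT_IETF_02 | 107 | NAT_TRAVERSAL_IETF_02_03 | |
| 4 | VID_NATT_IETF_03 | 108 | NAT_TRAVERSAL_IETF_02_03 | |
| 5 | VID_NATT_RFC | 109 | NAT_TRAVERSAL_RFC | |

From the standards it receives (usually several), the peer selects one VID as the NAT-T type, and the selection rule is **"choose the standard with the larger value"**. In other words, the priority of the VID_XXX entries in the table above increases with their value: VID_NATT_RFC > VID_NATT_IETF_03 > VID_NATT_IETF_02 > VID_NATT_IETF_02_N > VID_NATT_IETF_00.

2.2 Detecting whether there is a NAT device on the path

In main mode, NAT devices are detected in the third and fourth messages using NAT-D payloads. The sender computes HASH1 over its own IP address and port and HASH2 over the peer's IP address and port, then sends both hashes to the peer as NAT-D payloads. On receipt, the peer computes hashes over the source and destination IP addresses and ports of the received packet and compares them with the hashes in the NAT-D payloads: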

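Initiator -> Responder: HDR, SA, VIDs

Responder -> Initiator: HDR, SA, VID

Initiator -> Responder: HDR, KE, Ni, NAT-D, NAT-D

Responder -> Initiator: HDR, KE, Nr, NAT-D, NAT-D

Initiator -> Responder: *HDR,IDii, [CERT, ] SIG_I

Responder -> Initiator: *HDR,IDii, [CERT, ] SIG_R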


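Decision criteria:

  • Compute the hash hash1 of the peer's IP address and port, then compare it with HASH1, the value the peer computed and placed in the NAT-D payload. If they differ, the peer's IP address or port changed in transit, so the peer device is behind a NAT device.
  • Compute the hash hash2 of the local IP address and port, then compare it with HASH2, the peer's result in the NAT-D payload. If they differ, the local IP address or port changed, so the local device is behind a NAT device.
  • The responder already knows the NAT situation on the link when it receives the third message, but the initiator does not yet. The responder therefore computes the hashes for its own and the peer's address and places them in the NAT-D payloads of the fourth message sent to the initiator.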
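The NAT-D comparison described above, simulated for messages 3 and 4 as an added example (not openswan code). It assumes the RFC 3947 hash input HASH(CKY-I | CKY-R | IP | Port) with SHA-1 standing in for the negotiated hash; the cookies, addresses and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

# Constructed sample cookies (8 bytes each), not taken from a real exchange.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def natd_hash(cky_i, cky_r, ip, port):
    """HASH(CKY-I | CKY-R | IP | Port), the NAT-D hash input per RFC 3947.

    SHA-1 is an assumption here; the real exchange uses the negotiated hash.
    """
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_natd(cky_i, cky_r, own, peer):
    """Sender side: HASH1 covers the sender's own (ip, port), HASH2 the peer's."""
    return {
        "HASH1": natd_hash(cky_i, cky_r, *own),
        "HASH2": natd_hash(cky_i, cky_r, *peer),
    }


def detect_nat(cky_i, cky_r, natd, pkt_src, pkt_dst):
    """Receiver side: pkt_src/pkt_dst come from the received packet's headers."""
    hash1 = natd_hash(cky_i, cky_r, *pkt_src)  # the peer as seen on the wire
    hash2 = natd_hash(cky_i, cky_r, *pkt_dst)  # ourselves as seen on the wire
    return {
        "peer_behind_nat": hash1 != natd["HASH1"],
        "local_behind_nat": hash2 != natd["HASH2"],
    }


def main_mode_msgs_3_and_4(initiator, responder, nat_public=None):
    """Simulate messages 3 and 4 of main mode.

    nat_public is the (ip, port) a NAT in front of the initiator maps it to,
    or None when the path has no NAT. Returns (responder_view, initiator_view).
    """
    # Message 3: the initiator hashes the addresses it believes are in use.
    natd3 = build_natd(CKY_I, CKY_R, own=initiator, peer=responder)
    seen_src = nat_public or initiator  # the NAT rewrites the source in transit
    responder_view = detect_nat(CKY_I, CKY_R, natd3,
                                pkt_src=seen_src, pkt_dst=responder)

    # Message 4: the responder hashes the addresses it actually observed.
    natd4 = build_natd(CKY_I, CKY_R, own=responder, peer=seen_src)
    # The NAT restores the private destination before delivery to the initiator.
    initiator_view = detect_nat(CKY_I, CKY_R, natd4,
                                pkt_src=responder, pkt_dst=initiator)
    return responder_view, initiator_view


if __name__ == "__main__":
    init = ("192.168.1.10", 500)     # constructed private address
    resp = ("198.51.100.20", 500)    # constructed public address
    print(main_mode_msgs_3_and_4(init, resp))
    print(main_mode_msgs_3_and_4(init, resp, nat_public=("203.0.113.5", 1024)))
```

A port-only rewrite (same IP, different source port) is enough to flip the result, because the port is part of the hash input.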

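2.3 Notes on the openswan source

In the openswan source, the NAT-T type (both the selected NAT-T standard and the NAT situation) is stored in st->hidden_variables.st_nat_traversal as a bit field (bit 31 is the highest, bit 0 the lowest), where:

| NAT-T type (standard) | Bit in st_nat_traversal |
|---|---|
| NAT_TRAVERSAL_IETF_00_01 | bit 1 |
| NAT_TRAVERSAL_IETF_02_03 | bit 2 |
| NAT_TRAVERSAL_RFC | bit 3 |
| Peer device behind NAT | bit 31 |
| Local device behind NAT | bit 30 |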
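The VID selection rule from section 2.1 and the bit layout in the table above, combined in an added example (not openswan code). The VID values and bit positions are the ones listed on this page; the function names and the `FLOATING_TYPES` set are assumptions, the latter based on port floating having been introduced with draft-02 of the NAT-T drafts.

```python
# VID value -> (VID name, NAT-T type), copied from the table in section 2.1.
VID_TO_NATT = {
    105: ("VID_NATT_IETF_00", "NAT_TRAVERSAL_IETF_00_01"),
    106: ("VID_NATT_IETF_02_N", "NAT_TRAVERSAL_IETF_02_03"),
    107: ("VID_NATT_IETF_02", "NAT_TRAVERSAL_IETF_02_03"),
    108: ("VID_NATT_IETF_03", "NAT_TRAVERSAL_IETF_02_03"),
    109: ("VID_NATT_RFC", "NAT_TRAVERSAL_RFC"),
}

# Bit positions in st_nat_traversal, copied from the table in section 2.3.
NATT_BIT = {
    "NAT_TRAVERSAL_IETF_00_01": 1,
    "NAT_TRAVERSAL_IETF_02_03": 2,
    "NAT_TRAVERSAL_RFC": 3,
}
PEER_NAT_BIT = 31   # peer device behind NAT
LOCAL_NAT_BIT = 30  # local device behind NAT

# Assumption (not from the page): only draft-02 and later define port floating.
FLOATING_TYPES = {"NAT_TRAVERSAL_IETF_02_03", "NAT_TRAVERSAL_RFC"}


def select_vid(received_vids):
    """Pick the NAT-T VID with the largest value; ignore unknown vendor IDs."""
    known = [v for v in received_vids if v in VID_TO_NATT]
    return max(known) if known else None


def build_st_nat_traversal(received_vids, local_nat, peer_nat):
    """Encode the chosen standard and the NAT-D result as one bit field."""
    word = 0
    vid = select_vid(received_vids)
    if vid is not None:
        word |= 1 << NATT_BIT[VID_TO_NATT[vid][1]]
    if local_nat:
        word |= 1 << LOCAL_NAT_BIT
    if peer_nat:
        word |= 1 << PEER_NAT_BIT
    return word


def decode_st_nat_traversal(word):
    """Inverse of build_st_nat_traversal, for reading a logged state value."""
    natt = next((n for n, b in NATT_BIT.items() if word & (1 << b)), None)
    return {
        "natt_type": natt,
        "local_behind_nat": bool(word & (1 << LOCAL_NAT_BIT)),
        "peer_behind_nat": bool(word & (1 << PEER_NAT_BIT)),
    }


def should_float(word):
    """Floating is expected when a NAT was detected and the standard allows it."""
    state = decode_st_nat_traversal(word)
    nat_seen = state["local_behind_nat"] or state["peer_behind_nat"]
    return nat_seen and state["natt_type"] in FLOATING_TYPES


def peer_failed_to_float(word, peer_dst_port):
    """True when floating is expected but the peer still sends IKE to port 500."""
    return should_float(word) and peer_dst_port == 500


if __name__ == "__main__":
    state = build_st_nat_traversal([105, 108, 109], local_nat=True, peer_nat=False)
    print(hex(state), decode_st_nat_traversal(state))
    print("peer failed to float:", peer_failed_to_float(state, 500))
```

`peer_failed_to_float` captures the symptom from section 2: NAT detected and a floating-capable standard negotiated, yet IKE traffic from the peer still arrives on port 500.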

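3. Some questions about IKE port floating

3.1 Why the IKE port floats

The port floats because some NAT devices do not perform NAT translation on packets using port 500, which makes NAT traversal fail. Exactly which devices these are is not clear at the moment. Floating the port to 4500 lets the NAT device map and translate the traffic, so that NAT-T traversal works.

3.2 Is IKE port floating mandatory?

To be clear, port floating is not mandatory, but nowadays it is normally done: if NAT-T is present, the IKE port switches from 500 to 4500.

3.3 Does the IKE port always float to 4500?

IKE port floating always moves the port from 500 to 4500 (both the source port and the destination port). However, if the NAT device in between supports port mapping, it will usually remap the source port. Remapping the source port has little effect on IPsec, but it requires that IPsec be able to respond to packets from any port (the X in the figure below is the IPsec packet after NAPT mapping). The NAT device maps ports mainly to implement multiplexing and demultiplexing.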

.done0,#mermaid-svg-Te43dUWWbQd9xDPY .done1,#mermaid-svg-Te43dUWWbQd9xDPY .done2,#mermaid-svg-Te43dUWWbQd9xDPY .done3{stroke:grey;fill:#d3d3d3;stroke-width:2}#mermaid-svg-Te43dUWWbQd9xDPY .doneText0,#mermaid-svg-Te43dUWWbQd9xDPY .doneText1,#mermaid-svg-Te43dUWWbQd9xDPY .doneText2,#mermaid-svg-Te43dUWWbQd9xDPY .doneText3{fill:#000 !important}#mermaid-svg-Te43dUWWbQd9xDPY .crit0,#mermaid-svg-Te43dUWWbQd9xDPY .crit1,#mermaid-svg-Te43dUWWbQd9xDPY .crit2,#mermaid-svg-Te43dUWWbQd9xDPY .crit3{stroke:#f88;fill:red;stroke-width:2}#mermaid-svg-Te43dUWWbQd9xDPY .activeCrit0,#mermaid-svg-Te43dUWWbQd9xDPY .activeCrit1,#mermaid-svg-Te43dUWWbQd9xDPY .activeCrit2,#mermaid-svg-Te43dUWWbQd9xDPY .activeCrit3{stroke:#f88;fill:#bfc7ff;stroke-width:2}#mermaid-svg-Te43dUWWbQd9xDPY .doneCrit0,#mermaid-svg-Te43dUWWbQd9xDPY .doneCrit1,#mermaid-svg-Te43dUWWbQd9xDPY .doneCrit2,#mermaid-svg-Te43dUWWbQd9xDPY .doneCrit3{stroke:#f88;fill:#d3d3d3;stroke-width:2;cursor:pointer;shape-rendering:crispEdges}#mermaid-svg-Te43dUWWbQd9xDPY .milestone{transform:rotate(45deg) scale(0.8, 0.8)}#mermaid-svg-Te43dUWWbQd9xDPY .milestoneText{font-style:italic}#mermaid-svg-Te43dUWWbQd9xDPY .doneCritText0,#mermaid-svg-Te43dUWWbQd9xDPY .doneCritText1,#mermaid-svg-Te43dUWWbQd9xDPY .doneCritText2,#mermaid-svg-Te43dUWWbQd9xDPY .doneCritText3{fill:#000 !important}#mermaid-svg-Te43dUWWbQd9xDPY .activeCritText0,#mermaid-svg-Te43dUWWbQd9xDPY .activeCritText1,#mermaid-svg-Te43dUWWbQd9xDPY .activeCritText2,#mermaid-svg-Te43dUWWbQd9xDPY .activeCritText3{fill:#000 !important}#mermaid-svg-Te43dUWWbQd9xDPY .titleText{text-anchor:middle;font-size:18px;fill:#000;font-family:'trebuchet ms', verdana, arial;font-family:var(--mermaid-font-family)}#mermaid-svg-Te43dUWWbQd9xDPY g.classGroup text{fill:#9370db;stroke:none;font-family:'trebuchet ms', verdana, arial;font-family:var(--mermaid-font-family);font-size:10px}#mermaid-svg-Te43dUWWbQd9xDPY g.classGroup text .title{font-weight:bolder}#mermaid-svg-Te43dUWWbQd9xDPY 
g.clickable{cursor:pointer}#mermaid-svg-Te43dUWWbQd9xDPY g.classGroup rect{fill:#ECECFF;stroke:#9370db}#mermaid-svg-Te43dUWWbQd9xDPY g.classGroup line{stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY .classLabel .box{stroke:none;stroke-width:0;fill:#ECECFF;opacity:0.5}#mermaid-svg-Te43dUWWbQd9xDPY .classLabel .label{fill:#9370db;font-size:10px}#mermaid-svg-Te43dUWWbQd9xDPY .relation{stroke:#9370db;stroke-width:1;fill:none}#mermaid-svg-Te43dUWWbQd9xDPY .dashed-line{stroke-dasharray:3}#mermaid-svg-Te43dUWWbQd9xDPY #compositionStart{fill:#9370db;stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY #compositionEnd{fill:#9370db;stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY #aggregationStart{fill:#ECECFF;stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY #aggregationEnd{fill:#ECECFF;stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY #dependencyStart{fill:#9370db;stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY #dependencyEnd{fill:#9370db;stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY #extensionStart{fill:#9370db;stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY #extensionEnd{fill:#9370db;stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY .commit-id,#mermaid-svg-Te43dUWWbQd9xDPY .commit-msg,#mermaid-svg-Te43dUWWbQd9xDPY .branch-label{fill:lightgrey;color:lightgrey;font-family:'trebuchet ms', verdana, arial;font-family:var(--mermaid-font-family)}#mermaid-svg-Te43dUWWbQd9xDPY .pieTitleText{text-anchor:middle;font-size:25px;fill:#000;font-family:'trebuchet ms', verdana, arial;font-family:var(--mermaid-font-family)}#mermaid-svg-Te43dUWWbQd9xDPY .slice{font-family:'trebuchet ms', verdana, arial;font-family:var(--mermaid-font-family)}#mermaid-svg-Te43dUWWbQd9xDPY g.stateGroup text{fill:#9370db;stroke:none;font-size:10px;font-family:'trebuchet ms', verdana, arial;font-family:var(--mermaid-font-family)}#mermaid-svg-Te43dUWWbQd9xDPY g.stateGroup 
text{fill:#9370db;fill:#333;stroke:none;font-size:10px}#mermaid-svg-Te43dUWWbQd9xDPY g.statediagram-cluster .cluster-label text{fill:#333}#mermaid-svg-Te43dUWWbQd9xDPY g.stateGroup .state-title{font-weight:bolder;fill:#000}#mermaid-svg-Te43dUWWbQd9xDPY g.stateGroup rect{fill:#ECECFF;stroke:#9370db}#mermaid-svg-Te43dUWWbQd9xDPY g.stateGroup line{stroke:#9370db;stroke-width:1}#mermaid-svg-Te43dUWWbQd9xDPY .transition{stroke:#9370db;stroke-width:1;fill:none}#mermaid-svg-Te43dUWWbQd9xDPY .stateGroup .composit{fill:white;border-bottom:1px}#mermaid-svg-Te43dUWWbQd9xDPY .stateGroup .alt-composit{fill:#e0e0e0;border-bottom:1px}#mermaid-svg-Te43dUWWbQd9xDPY .state-note{stroke:#aa3;fill:#fff5ad}#mermaid-svg-Te43dUWWbQd9xDPY .state-note text{fill:black;stroke:none;font-size:10px}#mermaid-svg-Te43dUWWbQd9xDPY .stateLabel .box{stroke:none;stroke-width:0;fill:#ECECFF;opacity:0.7}#mermaid-svg-Te43dUWWbQd9xDPY .edgeLabel text{fill:#333}#mermaid-svg-Te43dUWWbQd9xDPY .stateLabel text{fill:#000;font-size:10px;font-weight:bold;font-family:'trebuchet ms', verdana, arial;font-family:var(--mermaid-font-family)}#mermaid-svg-Te43dUWWbQd9xDPY .node circle.state-start{fill:black;stroke:black}#mermaid-svg-Te43dUWWbQd9xDPY .node circle.state-end{fill:black;stroke:white;stroke-width:1.5}#mermaid-svg-Te43dUWWbQd9xDPY #statediagram-barbEnd{fill:#9370db}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-cluster rect{fill:#ECECFF;stroke:#9370db;stroke-width:1px}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-cluster rect.outer{rx:5px;ry:5px}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-state .divider{stroke:#9370db}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-state .title-state{rx:5px;ry:5px}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-cluster.statediagram-cluster .inner{fill:white}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-cluster.statediagram-cluster-alt .inner{fill:#e0e0e0}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-cluster .inner{rx:0;ry:0}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-state 
rect.basic{rx:5px;ry:5px}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-state rect.divider{stroke-dasharray:10,10;fill:#efefef}#mermaid-svg-Te43dUWWbQd9xDPY .note-edge{stroke-dasharray:5}#mermaid-svg-Te43dUWWbQd9xDPY .statediagram-note rect{fill:#fff5ad;stroke:#aa3;stroke-width:1px;rx:0;ry:0}:root{--mermaid-font-family: '"trebuchet ms", verdana, arial';--mermaid-font-family: "Comic Sans MS", "Comic Sans", cursive}#mermaid-svg-Te43dUWWbQd9xDPY .error-icon{fill:#522}#mermaid-svg-Te43dUWWbQd9xDPY .error-text{fill:#522;stroke:#522}#mermaid-svg-Te43dUWWbQd9xDPY .edge-thickness-normal{stroke-width:2px}#mermaid-svg-Te43dUWWbQd9xDPY .edge-thickness-thick{stroke-width:3.5px}#mermaid-svg-Te43dUWWbQd9xDPY .edge-pattern-solid{stroke-dasharray:0}#mermaid-svg-Te43dUWWbQd9xDPY .edge-pattern-dashed{stroke-dasharray:3}#mermaid-svg-Te43dUWWbQd9xDPY .edge-pattern-dotted{stroke-dasharray:2}#mermaid-svg-Te43dUWWbQd9xDPY .marker{fill:#333}#mermaid-svg-Te43dUWWbQd9xDPY .marker.cross{stroke:#333}

:root { --mermaid-font-family: "trebuchet ms", verdana, arial;}
#mermaid-svg-Te43dUWWbQd9xDPY {
color: rgba(0, 0, 0, 0.75);
font: ;
}

[Sequence diagram. Participants: initiator, initiator-side NAT, responder-side NAT, responder. Message labels: 4500 -> 4500, x -> 4500, x -> 4500.]
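
The following Python is an added example, not code from the original post or from openswan. It recomputes the RFC 3947 NAT-D hashes to decide whether NAT is present, then flags Main Mode messages 5 and later that stay off UDP 4500 or lack the non-ESP marker on 4500. The function names are hypothetical, and all cookies, addresses and packet tuples are constructed sample values.

```python
import hashlib
import socket
import struct

def natd_hash(cky_i, cky_r, ip, port, alg="sha1"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(alg, data).digest()

def detect_nat(natd, cky_i, cky_r, seen_src, seen_dst):
    """Compare the sender's NAT-D hashes with the addresses seen on the wire.

    natd[0] covers the sender's view of the destination, natd[1] the
    sender's own source. Returns (nat_near_receiver, nat_near_sender).
    """
    dst_ok = natd[0] == natd_hash(cky_i, cky_r, *seen_dst)
    src_ok = natd[1] == natd_hash(cky_i, cky_r, *seen_src)
    return (not dst_ok, not src_ok)

def audit_port_float(packets, nat_present):
    """Flag Main Mode messages 5+ that ignore port floating although NAT exists."""
    findings = []
    for msg_no, sport, dport, payload in packets if nat_present else []:
        if msg_no < 5:
            continue  # messages 1-4 are exchanged on UDP 500 before the float
        if 4500 not in (sport, dport):
            findings.append((msg_no, "not floated: %d -> %d" % (sport, dport)))
        elif payload[:4] != b"\x00" * 4:
            findings.append((msg_no, "no non-ESP marker on 4500"))
    return findings

# Constructed sample: initiator 192.0.2.10 is behind a NAT that rewrites its
# source to 198.51.100.7; the responder 203.0.113.5 has a public address.
CKY_I, CKY_R = bytes(range(8)), bytes(range(8, 16))
SENT_NATD = [natd_hash(CKY_I, CKY_R, "203.0.113.5", 500),
             natd_hash(CKY_I, CKY_R, "192.0.2.10", 500)]
SEEN_SRC, SEEN_DST = ("198.51.100.7", 31001), ("203.0.113.5", 500)
MARKER = b"\x00" * 4
FLOATED = [(5, 31002, 4500, MARKER + b"ID"), (6, 4500, 31002, MARKER + b"ID")]
STUCK_ON_500 = [(5, 31001, 500, b"ID"), (6, 500, 31001, b"ID")]

if __name__ == "__main__":
    nat = any(detect_nat(SENT_NATD, CKY_I, CKY_R, SEEN_SRC, SEEN_DST))
    print("NAT present:", nat)
    print("floated peer:", audit_port_float(FLOATED, nat))
    print("non-floating peer:", audit_port_float(STUCK_ON_500, nat))
```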
