I am looking for a way to identify NAT-T traffic on an IPSEC connection and define a custom app for it. To identify the IKE control plane traffic we would be looking for a 4 zero-valued bytes pattern at IP offset 28 on UDP 4500 traffic.
It seems the 00 00 00 00 is the only consistent pattern in the traffic stream. Can RegEx be used to create a 7 byte pattern match?
The reason for the custom app is to limit NAT-T traffic to a VPN termination point that is being overrun with requests when there is client side misconfiguration.
There is already an out of box App-ID for IPSEC NAT Traversal..."ipsec-esp-udp". If the App-ID engine is already detecting this traffic as this App-ID, then you can not write a custom signature for it because there is no exposed decoder for this protocol.
If the firewall is detecting the traffic as "unknown-UDP" then there would be an opportunity to possibly use a custom App-ID.
While you can use regex in an App-ID signature, you still need a 7-byte anchor.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!