Allied Telesis AR440S Network Card User Manual


 
Page 4 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
Background: NAT-T and policies
NAT-T

NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It allows IPsec VPNs
to traverse any NAT gateways that may be in the VPN path: during the IKE negotiation the
two peers detect whether a NAT gateway sits between them and, if one does, they
encapsulate the ESP packets in UDP (port 4500) so that the NAT gateway can rewrite the
outer address and port without disturbing the protected payload. This is likely to be
needed for the VPNs from the roaming VPN clients, which will often use a LAN at a remote
site (a hotel, for example) that is behind a NAT gateway.

NAT-T may also be applicable for a site-to-site VPN, if one of the routers is behind a NAT
gateway, such as some ADSL devices. Note that AR44xS series routers provide an ADSL
interface, which removes the need for a separate ADSL device. Therefore, the examples in
this How To Note do not include NAT-T for the site-to-site VPNs.

The following figure shows how the addresses in the packet headers change as a packet from
a roaming client traverses a NAT gateway in the VPN pathway. The figure illustrates IPsec
transport mode with L2TP.
[Figure vpn-nat-t.eps: roaming VPN client (hotel LAN address 192.168.200.1, VPN address
192.168.140.27) -> hotel NAT gateway (LAN 192.168.200.254, Internet 211.211.211.1) ->
Internet -> headquarters VPN access concentrator (Internet 200.200.200.1, LAN
192.168.140.254) -> headquarters host 192.168.143.1]

On the hotel LAN (roaming VPN client to hotel NAT gateway):

  Layer        ETH   IP (outer)      IPsec   L2TP   PPP   IP (inner)
  Source Addr  N/A   192.168.200.1   N/A     N/A    N/A   192.168.140.27
  Dest Addr    N/A   200.200.200.1   N/A     N/A    N/A   192.168.143.1
                                     <------------ Encrypted ------------>

On the Internet (hotel NAT gateway to headquarters VPN access concentrator):

  Layer        ETH   IP (outer)      IPsec   L2TP   PPP   IP (inner)
  Source Addr  N/A   211.211.211.1   N/A     N/A    N/A   192.168.140.27
  Dest Addr    N/A   200.200.200.1   N/A     N/A    N/A   192.168.143.1
                                     <------------ Encrypted ------------>

On the headquarters LAN (after the VPN access concentrator has removed the IPsec, L2TP and
PPP layers):

  Layer        ETH   IP
  Source Addr  N/A   192.168.140.27
  Dest Addr    N/A   192.168.143.1

The hotel NAT gateway changes only the outer IP source address (192.168.200.1 becomes
211.211.211.1). The inner IP addresses are inside the encrypted part of the packet, so the
NAT gateway cannot alter them, and the VPN access concentrator delivers the packet to the
headquarters LAN with its original source and destination addresses.
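The path shown in the figure, as an added example in Python that is not part of the How To Note or of the AlliedWare OS. It walks one packet from the roaming client through the hotel NAT gateway to the headquarters LAN, and models the IKE NAT-D check (RFC 3947) that lets the peers discover the NAT gateway. The addresses are the ones in the figure; the ISAKMP cookies, the NAT gateway's mapped port (40000) and the use of SHA-1 as the negotiated IKE hash are assumptions made for the example.

```python
"""Added example (not from the How To Note): walk one packet from the roaming client
to the headquarters LAN along the path in the figure, and show the IKE NAT-D check
that tells both peers a NAT gateway is in the way. Addresses come from the figure."""
import hashlib
import ipaddress
from dataclasses import dataclass

CLIENT_LAN_IP = "192.168.200.1"      # roaming client, on the hotel LAN behind NAT
HOTEL_NAT_PUBLIC = "211.211.211.1"   # hotel NAT gateway, Internet side
HQ_PUBLIC = "200.200.200.1"          # headquarters VPN access concentrator, Internet side
CLIENT_VPN_IP = "192.168.140.27"     # address the client is given over PPP/L2TP
HQ_HOST = "192.168.143.1"            # host at headquarters the client is talking to
IKE_PORT = 500                       # IKE phase 1 starts on UDP 500
NAT_T_PORT = 4500                    # UDP port for ESP-in-UDP once NAT-T is active (RFC 3948)

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed as the negotiated IKE hash (an assumption of this example)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()

@dataclass
class Packet:
    """One packet on the wire. 'esp' holds the layers ESP protects (L2TP, PPP, inner IP);
    a NAT gateway can neither read nor rewrite them, only the outer IP/UDP headers."""
    ip_src: str
    ip_dst: str
    udp_sport: int
    udp_dport: int
    esp: dict

class NatGateway:
    """Minimal port-overloading NAT: rewrites the outer source address and UDP source
    port and remembers the mapping. Mapped ports start at 40000 (constructed value)."""
    def __init__(self, public_ip: str):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.ip_src, pkt.udp_sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        # Only the outer header changes; pkt.esp passes through untouched.
        return Packet(self.public_ip, pkt.ip_dst, self.table[key], pkt.udp_dport, pkt.esp)

def ike_detects_nat(client_ip: str, gateway) -> bool:
    """The initiator sends NAT-D hashes of the address and port it believes it is using;
    the responder hashes the source it actually saw. A mismatch means a NAT is in the
    path, and the peers then switch to UDP 4500 with ESP-in-UDP encapsulation."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8          # ISAKMP cookies (constructed)
    probe = Packet(client_ip, HQ_PUBLIC, IKE_PORT, IKE_PORT, {})
    seen = gateway.outbound(probe) if gateway else probe   # gateway=None: no NAT in path
    claimed = nat_d_hash(cky_i, cky_r, client_ip, IKE_PORT)
    observed = nat_d_hash(cky_i, cky_r, seen.ip_src, seen.udp_sport)
    return claimed != observed

def client_build(payload: bytes) -> Packet:
    """Roaming client: the inner IP packet (over PPP over L2TP) uses the VPN-assigned
    address; ESP transport mode protects everything after the outer IP header, and
    NAT-T wraps the result in UDP/4500 so the hotel NAT has a port to rewrite."""
    inner = {"l2tp": "tunnel 1, session 1", "ppp": "IP over PPP",
             "ip_src": CLIENT_VPN_IP, "ip_dst": HQ_HOST, "data": payload}
    return Packet(CLIENT_LAN_IP, HQ_PUBLIC, NAT_T_PORT, NAT_T_PORT, inner)

def concentrator_receive(pkt: Packet) -> dict:
    """Headquarters VPN access concentrator: accept only NAT-T traffic addressed to
    itself, strip IPsec/L2TP/PPP and hand the inner IP packet to the LAN."""
    if pkt.ip_dst != HQ_PUBLIC or pkt.udp_dport != NAT_T_PORT:
        raise ValueError("not a NAT-T packet for this concentrator")
    return {k: pkt.esp[k] for k in ("ip_src", "ip_dst", "data")}

def trace(payload: bytes = b"hello") -> list:
    """Follow one packet through the three stages of the figure.
    Each row is (stage, outer src, outer dst, inner src, inner dst)."""
    at_client = client_build(payload)
    on_internet = NatGateway(HOTEL_NAT_PUBLIC).outbound(at_client)
    on_hq_lan = concentrator_receive(on_internet)
    return [
        ("hotel LAN", at_client.ip_src, at_client.ip_dst,
         at_client.esp["ip_src"], at_client.esp["ip_dst"]),
        ("Internet", on_internet.ip_src, on_internet.ip_dst,
         on_internet.esp["ip_src"], on_internet.esp["ip_dst"]),
        ("HQ LAN", None, None, on_hq_lan["ip_src"], on_hq_lan["ip_dst"]),
    ]

if __name__ == "__main__":
    print("NAT detected:", ike_detects_nat(CLIENT_LAN_IP, NatGateway(HOTEL_NAT_PUBLIC)))
    for row in trace():
        print(row)
```

Running the script prints the three rows of the figure: the outer source changes from 192.168.200.1 to 211.211.211.1 at the hotel NAT gateway while the inner 192.168.140.27 -> 192.168.143.1 addresses survive unchanged to the headquarters LAN. Passing `None` instead of a gateway to `ike_detects_nat` models the site-to-site case with no NAT in the path, where the NAT-D hashes match and NAT-T encapsulation is not used.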