Kerio Tech Firewall6 Network Router User Manual


 
Chapter 15 Advanced security features
The Translation column must be blank (no IP translation is performed). The pass-through setting is not important in this case (it cannot be applied).
2. One IPSec client in the local network (one tunnel)
If only one IPSec tunnel from the local network to the Internet exists at a time, the correct setting depends on the type of IPSec client:
If the IPSec client and the IPSec server support the NAT Traversal function (the client and the server are able to detect that the IP address is translated on the way between them), IPSec pass-through in WinRoute must be disabled (otherwise a collision might arise). NAT Traversal is supported, for example, by Nortel Networks' VPN software (http://www.nortelnetworks.com/).
If the IPSec client does not support NAT Traversal, it is necessary to enable IPSec
pass-through in WinRoute.
In both cases, IPSec communication between the client and the IPSec server must be
permitted by a traffic rule. NAT must be defined in the Translation column (in the
same way as for the communication from the local network to the Internet).
Figure 15.8 Traffic rule for one IPSec client in the local network
3. Multiple IPSec clients in the local network (multiple tunnels)
If multiple IPSec tunnels from the local network to the Internet are supposed to be
created, all IPSec clients and corresponding servers must support NAT Traversal
(see above). Support for IPSec in WinRoute must be disabled so that no collisions
arise.
Again, traffic between the local network and corresponding IPSec servers must be
permitted by a traffic rule.
Figure 15.9 Traffic rule for multiple IPSec clients in the local network
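The decision described in cases 2 and 3 above (one tunnel: pass-through only if the client lacks NAT Traversal; several tunnels: all clients must use NAT Traversal and pass-through must be off) can be checked against what the firewall actually sees. The following script is an added example, not code from the Kerio manual or from WinRoute itself. It assumes the well-known IPSec ports and protocols (IKE on UDP 500, NAT Traversal on UDP 4500, plain ESP as IP protocol 50 with no port), treats a local client as using NAT Traversal only once UDP 4500 traffic appears, and works over constructed sample flow records rather than a real capture. It also lists, per IPSec server, the services a permitting traffic rule would need, with NAT in the Translation column as the text requires.

```python
"""Derive the WinRoute IPSec pass-through setting from observed IPSec flows.

Added example, not code from the Kerio manual. It applies the manual's
cases 2 and 3 to constructed flow records. Assumed well-known values:
IKE on UDP 500, NAT Traversal (NAT-T) on UDP 4500, ESP as IP protocol 50
(no port).
"""
from collections import defaultdict

IKE_PORT = 500
NAT_T_PORT = 4500

# Constructed sample flows: (local client, IPSec server, protocol, dst port or None)
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", "udp", IKE_PORT),
    ("192.168.1.10", "203.0.113.5", "udp", NAT_T_PORT),  # client A switched to NAT-T
    ("192.168.1.20", "198.51.100.7", "udp", IKE_PORT),
    ("192.168.1.20", "198.51.100.7", "esp", None),       # client B sends plain ESP
]


def classify_clients(flows):
    """Map each local client to 'nat-t' or 'no-nat-t'.

    A client counts as NAT-T only once UDP 4500 traffic is seen; IKE on
    UDP 500 alone, or plain ESP, means the tunnel is not using NAT Traversal
    and would need WinRoute's pass-through to cross the NAT.
    """
    uses_nat_t = defaultdict(bool)
    for client, _server, proto, port in flows:
        uses_nat_t[client] |= (proto == "udp" and port == NAT_T_PORT)
    return {c: ("nat-t" if v else "no-nat-t") for c, v in uses_nat_t.items()}


def passthrough_recommendation(flows):
    """Return (setting, reason); setting is 'enable', 'disable', 'conflict' or 'none'."""
    classes = classify_clients(flows)
    without = sorted(c for c, k in classes.items() if k == "no-nat-t")
    if not classes:
        return ("none", "no IPSec tunnels observed")
    if len(classes) == 1:  # manual case 2: a single tunnel
        if without:
            return ("enable", f"{without[0]} lacks NAT Traversal; pass-through must carry it")
        return ("disable", "the single client uses NAT Traversal; pass-through would collide")
    if without:  # manual case 3 requires NAT Traversal on every client
        return ("conflict", "multiple tunnels, but these clients lack NAT Traversal: "
                + ", ".join(without))
    return ("disable", "all clients use NAT Traversal; pass-through must be off")


def traffic_rule_entries(flows):
    """Per IPSec server, the services a traffic rule must permit, with NAT translation."""
    services = defaultdict(set)
    for _client, server, proto, port in flows:
        services[server].add(f"{proto}/{port}" if port is not None else proto)
    return [{"destination": server, "services": sorted(svcs), "translation": "NAT"}
            for server, svcs in sorted(services.items())]


if __name__ == "__main__":
    setting, reason = passthrough_recommendation(SAMPLE_FLOWS)
    print(f"IPSec pass-through: {setting} ({reason})")
    for entry in traffic_rule_entries(SAMPLE_FLOWS):
        print(entry)
```

With the sample flows, client A has switched to UDP 4500 while client B still sends plain ESP, so the script reports a conflict: two tunnels cannot share pass-through, and client B must either gain NAT Traversal or be the only tunnel. Feeding it only one client's flows yields the single-tunnel answer from case 2.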