Linksys RV042 Network Router User Manual


 
Appendix D: IPSec NAT Traversal
Overview
Network Address Translation (NAT) traversal is a technique
developed so that data protected by IPSec can pass
through a NAT. (See NAT 1 and NAT 2 in the diagram.)
Since IPSec provides integrity for the entire IP datagram,
any change to the IP addressing will invalidate the data.
To resolve this issue, NAT traversal wraps the protected
datagram in a new IP and UDP header, so that the NAT changes
only the outer headers and the protected datagram itself is
not modified.
This chapter discusses two scenarios. In the first scenario,
Router A initiates IKE negotiation, while in the second
scenario, Router B initiates IKE negotiation. In the second
scenario, since the IKE responder is behind a NAT device, a
one-to-one NAT rule is required on the NAT device.
Before You Begin
The following is a list of equipment you need:
Two 4-Port SSL/IPSec VPN Routers (model number:
RVL200), one of which is connected to the Internet
Two 10/100 4-Port VPN Routers (model number:
RV042), one of which is connected to the Internet
Configuration of Scenario 1
In this scenario, Router A is the RVL200 Initiator, while
Router B is the RVL200 Responder.
[Figure: Traffic in Scenario 1. Network diagram showing
Router A - RVL200 Initiator (LAN: 192.168.1.0/24),
NAT 1 - RV042 (LAN: 192.168.11.1), NAT 2 - RV042
(LAN: 192.168.111.1) and Router B - RVL200 Responder
(LAN: 192.168.2.0/24), with WAN addresses 192.168.11.101,
192.168.111.101, 192.168.99.11 and 192.168.99.22, and
addresses 192.168.1.101 and 192.168.2.100.]
NOTE: Both the IPSec initiator and responder
must support the mechanism for detecting the
NAT router in the path and changing to a new
port, as defined in RFC 3947.
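The detection mechanism named in the note, as an added example that is not part of the Linksys manual: each peer sends NAT-D hashes of the addresses and ports it believes are in use, and the receiver compares them with what it sees on the wire. The cookies, the SHA-1 hash choice, the translated source port and the role given to each address are assumptions made for the example.

```python
import hashlib
import ipaddress

IKE_PORT, NAT_T_PORT = 500, 4500  # RFC 3947: peers move from UDP 500 to UDP 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()  # assumption: SHA-1 is the negotiated IKE hash


def build_nat_d(cky_i, cky_r, src, dst):
    """Sender side: the first payload covers the destination, the second the source."""
    return [nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)]


def detect_nat(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Receiver side: compare the received hashes with the addresses seen on the wire.
    Returns (receiver_is_natted, sender_is_natted)."""
    receiver_natted = payloads[0] != nat_d_hash(cky_i, cky_r, *seen_dst)
    sender_natted = nat_d_hash(cky_i, cky_r, *seen_src) not in payloads[1:]
    return receiver_natted, sender_natted


def next_port(receiver_natted: bool, sender_natted: bool) -> int:
    """Any NAT in the path means the rest of the exchange uses UDP 4500."""
    return NAT_T_PORT if (receiver_natted or sender_natted) else IKE_PORT


def scenario(nat_in_path: bool):
    """Constructed exchange; the address roles are assumed, not taken from the manual."""
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))  # constructed 8-byte cookies
    initiator = ("192.168.11.101", IKE_PORT)   # assumed: initiator's own WAN address
    responder = ("192.168.99.22", IKE_PORT)    # assumed: address the initiator dials
    payloads = build_nat_d(cky_i, cky_r, initiator, responder)
    # With a NAT in the path the responder sees a rewritten source address and port.
    seen_src = ("192.168.99.11", 1024) if nat_in_path else initiator
    return detect_nat(cky_i, cky_r, payloads, seen_src, responder)


if __name__ == "__main__":
    for nat in (False, True):
        flags = scenario(nat)
        print(f"NAT in path={nat}: detected={flags}, continue on UDP {next_port(*flags)}")
```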
Configuration of Router A
Follow these instructions for Router A.
1. Launch the web browser for a networked computer,
designated PC 1.
2. Access the web-based utility of Router A. (Refer to the
User Guide of the RVL200 for details.)
3. Click the IPSec VPN tab.
4. Click the Gateway to Gateway tab.
5. Enter a name in the Tunnel Name field.
6. For the VPN Tunnel setting, select Enable.