Filter
Top Products
Chapter 15 IPSec VPN
NBG-460N User’s Guide
223
Step 3: The NBG-460N authenticates the remote IPSec router and confirms that
the IKE SA is established.
Aggressive mode does not provide as much security as main mode because the
identity of the NBG-460N and the identity of the remote IPSec router are not
encrypted. It is usually used when the address of the initiator is not known by the
responder and both parties want to use pre-shared keys for authentication (for
example, telecommuters).
15.6.6 VPN, NAT, and NAT Traversal
In the following example, there is another router (A) between router X and router
Y.
Figure 140 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If
router X and router Y try to establish a VPN tunnel, the authentication fails
because it depends on this information. The routers cannot establish a VPN tunnel.
Most routers like router A now have an IPSec pass-through feature. This feature
helps router A recognize VPN packets and route them appropriately. If router A
has this feature, router X and router Y can establish a VPN tunnel as long as the
IPSec protocol is ESP. (See IPSec Protocol on page 224 for more information
about active protocols.)
If router A does not have an IPSec pass-through or if the IPSec protocol is AH,
you can solve this problem by enabling NAT traversal. In NAT traversal, router X
and router Y add an extra header to the IKE SA and IPSec SA packets. If you
configure router A to forward these packets unchanged, router X and router Y can
establish a VPN tunnel.
You have to do the following things to set up NAT traversal.
• Enable NAT traversal on the NBG-460N and remote IPSec router.
• Configure the NAT router to forward packets with the extra header unchanged.
The extra header may be UDP port 500 or UDP port 4500, depending on the
standard(s) the NBG-460N and remote IPSec router support.