Id Type And Content - Nortel Contivity 221 User Manual

Vpn switch

13.7.1 NAT Traversal Configuration
For NAT traversal to work you must:
Use ESP security protocol (in either transport or tunnel mode).
Use IKE keying mode.
Enable NAT traversal on both IPSec endpoints.
In order for VPN switch A (see the figure) to receive an initiating IPSec packet from VPN switch
B, set the NAT router to forward UDP port 500 to VPN switch A.

13.8 ID Type and Content
With aggressive negotiation mode (see section 13.13.1), the Contivity 221 identifies incoming SAs
by ID type and content since this identifying information is not encrypted. This enables the
Contivity 221 to distinguish between multiple rules for SAs that connect from remote VPN
switches that have dynamic WAN IP addresses. Telecommuters can use separate passwords to
simultaneously connect to the Contivity 221 from VPN switches with dynamic IP addresses.
Regardless of the ID type and content configuration, the Contivity 221 does not
allow you to save multiple active rules with overlapping local and remote IP
addresses.
With main mode (see section 13.13.1), the ID type and content are encrypted to provide identity
protection. In this case the Contivity 221 can only distinguish between up to eight different
incoming SAs that connect from remote VPN switches that have dynamic WAN IP addresses. The
Contivity 221 can distinguish up to eight incoming SAs because you can select between two
encryption algorithms (DES and 3DES), two authentication algorithms (MD5 and SHA1) and two
key groups (DH1 and DH2) when you configure a VPN rule (see section 13.14). The ID type and
content act as an extra level of identification for incoming SAs.
The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP
address, domain name, or e-mail address.
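
The rule selection described above, modelled as an added Python example (it is not part of the manual and not Nortel's code). The Rule structure, the function names and the sample rules are assumptions made for illustration; the algorithm choices are the ones the manual lists. It shows why rules for dynamic-address peers that share a proposal stay distinguishable in aggressive mode but not in main mode.

```python
from collections import defaultdict
from itertools import product
from typing import NamedTuple, Optional

# Choices the manual lists for a VPN rule.
ENCRYPTION = ("DES", "3DES")
AUTHENTICATION = ("MD5", "SHA1")
KEY_GROUPS = ("DH1", "DH2")

class Rule(NamedTuple):          # hypothetical model of one VPN rule
    name: str
    peer_id: tuple               # (ID type, content)
    proposal: tuple              # (encryption, authentication, key group)

def proposal_space():
    """All proposals a rule can carry: 2 x 2 x 2 = 8."""
    return list(product(ENCRYPTION, AUTHENTICATION, KEY_GROUPS))

def select_aggressive(rules, peer_id, proposal) -> Optional[str]:
    """Aggressive mode: the ID arrives unencrypted, so it selects the rule."""
    hits = [r for r in rules if r.peer_id == peer_id and r.proposal == proposal]
    return hits[0].name if len(hits) == 1 else None

def select_main(rules, proposal) -> Optional[str]:
    """Main mode, dynamic peer: the ID is encrypted and the source IP is
    unknown, so only the proposal is available to pick a rule."""
    hits = [r for r in rules if r.proposal == proposal]
    return hits[0].name if len(hits) == 1 else None

def main_mode_collisions(rules):
    """Groups of rule names that share a proposal (ambiguous in main mode)."""
    groups = defaultdict(list)
    for r in rules:
        groups[r.proposal].append(r.name)
    return {p: names for p, names in groups.items() if len(names) > 1}

# Constructed sample rules for telecommuters on dynamic WAN addresses.
RULES = [
    Rule("alice", ("e-mail address", "alice@example.com"), ("3DES", "SHA1", "DH2")),
    Rule("bob", ("e-mail address", "bob@example.com"), ("3DES", "SHA1", "DH2")),
    Rule("carol", ("domain name", "carol.example.com"), ("DES", "MD5", "DH1")),
]

if __name__ == "__main__":
    print(len(proposal_space()), "distinguishable proposals in main mode")
    print("aggressive:", select_aggressive(RULES, RULES[1].peer_id, RULES[1].proposal))
    print("main:", select_main(RULES, RULES[1].proposal))
    print("collisions:", main_mode_collisions(RULES))
```
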
Contivity 221 VPN Switch User's Guide
VPN Screens 13-9