Nat Traversal; Figure 14-3 Nat Router Between Ipsec Routers - ZyXEL Communications Internet Security Gateway ZyWALL 2 Series User Manual
Internet security gateway
Hide thumbs
Also See for Internet Security Gateway ZyWALL 2 Series:
- User manual (686 pages) ,
- Quick start manual (137 pages) ,
- Firmware release notes (43 pages)
Table of Contents
Advertisement
ZyWALL 2 Series User's Guide
When there is outbound traffic with no inbound traffic, the ZyWALL automatically
14.7 NAT Traversal
NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A
and B.
Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the
NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec
packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet's header so it does not
match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the
VPN connection cannot be built.
NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router
forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port
500 header and responds. IPSec routers A and B build a VPN connection.
14.7.1 NAT Traversal Configuration
For NAT traversal to work you must:
Use ESP security protocol (in either transport or tunnel mode).
Use IKE keying mode.
Enable NAT traversal on both IPSec endpoints.
In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the
NAT router to forward UDP port 500 to IPSec router A.
14-6
drops the tunnel after two minutes.
Figure 14-3 NAT Router Between IPSec Routers
VPN Screens
Advertisement
Table of Contents
