NAT Traversal; Figure 16-3 NAT Router Between IPSec Routers - ZyXEL Communications Prestige 652H series User Manual

ADSL security/wireless LAN router

Prestige 652H/HW Series User's Guide
If the Prestige has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep
alive enabled, then no other tunnels can take a turn connecting to the Prestige because the Prestige never
drops the tunnels that are already connected. Check section 1.2 Features of the Prestige in chapter 1 to see
how many simultaneous IPSec SAs your Prestige model can support.

When there is outbound traffic with no inbound traffic, the Prestige automatically drops the tunnel after
two minutes.

16.7 NAT Traversal

NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec
routers.

Figure 16-3 NAT Router Between IPSec Routers

Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the
NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec
packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet's header so it does not
match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the
VPN connection cannot be built.

NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router
forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port
500 header and responds. IPSec routers A and B build a VPN connection.

16.7.1 NAT Traversal Configuration

For NAT traversal to work you must:
Use ESP security protocol (in either transport or tunnel mode).
Use IKE keying mode.
Enable NAT traversal on both IPSec endpoints.

In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the
NAT router to forward UDP port 500 to IPSec router A.
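
Why the ESP requirement above matters, as an added example that is not part of the ZyXEL manual and goes slightly beyond it by comparing ESP with AH: a simplified Python model in which an AH-style integrity check covers the IP header and therefore fails once the NAT router rewrites the source address, while an ESP-style check carried behind a UDP port 500 header still verifies. The key, addresses, SPI and function names are constructed for illustration, and real AH/ESP processing covers more fields than this model.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the manual

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left at 0 in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def nat_rewrite(ip_hdr, new_src):
    """What the NAT router does: replace the source address (bytes 12-15)."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def ah_icv(ip_hdr, payload):
    """AH-style ICV: IP header with mutable fields zeroed, plus the payload."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags / fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha1).digest()[:12]

def esp_icv(esp_body):
    """ESP-style ICV: covers SPI, sequence number and data, not the IP header."""
    return hmac.new(KEY, esp_body, hashlib.sha1).digest()[:12]

def udp_encapsulate(esp_packet, port=500):
    """Prefix an 8-byte UDP header; 500 is the port this manual names."""
    return struct.pack("!HHHH", port, port, 8 + len(esp_packet), 0) + esp_packet

def run_demo():
    # Constructed addresses: router A behind NAT, NAT's public side, router B.
    a_priv, nat_pub, b_pub = "192.168.1.33", "203.0.113.7", "198.51.100.9"
    data = b"constructed application data"

    # AH: ICV computed by A, source rewritten in transit, recomputed by B.
    hdr = ipv4_header(a_priv, b_pub, 51, len(data))
    ah_ok = hmac.compare_digest(ah_icv(hdr, data),
                                ah_icv(nat_rewrite(hdr, nat_pub), data))

    # ESP in UDP: the NAT router still rewrites the outer header, but B strips
    # the UDP header and checks an ICV that never covered that header.
    esp_body = struct.pack("!II", 0x1001, 1) + data  # SPI, sequence, data
    udp = udp_encapsulate(esp_body + esp_icv(esp_body))
    outer = nat_rewrite(ipv4_header(a_priv, b_pub, 17, len(udp)), nat_pub)
    received = udp[8:]
    esp_ok = hmac.compare_digest(received[-12:], esp_icv(received[:-12]))
    return ah_ok, esp_ok, socket.inet_ntoa(outer[12:16])
```

`run_demo()` returns whether the AH-style check and the ESP-style check pass after translation, plus the source address router B sees on the outer header.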

VPN Screens


This manual is also suitable for:

Prestige 652hw series