Network Address Translation; Network Access Control; Interoperability - Alcatel-Lucent OmniAccess 700 Cli Configuration Manual

Release versions: 2.2, 2.2-r02, 2.3
IP Security - Virtual Private Network
Note:
It is recommended to use Diffie-Hellman PFS Group 5.
group1: Use Diffie-Hellman Group 1: 768 bits
group2: Use Diffie-Hellman Group 2: 1024 bits
group5: Use Diffie-Hellman Group 5: 1536 bits
Network Address Translation
NAT can occur before or after IPsec. NAT interferes with IPsec by blocking tunnel
establishment or traffic flow through the tunnel, because it changes the IP headers. It is a
best practice to avoid applying NAT and IPsec to traffic on the same interface. If they
must be applied on the same interface because it is absolutely necessary, an appropriate
NAT bypass must be configured.
Generally, NAT and IPsec are applied on the same (public) interface. From a
performance perspective, this is not a good combination. Hence the OA-700
allows you to use the bypass command, which exempts the IPsec traffic from NAT
while all other traffic is still translated. This can be achieved in the following ways.
Note:
The match-list used in IPsec should be applied as a bypass rule in NAT with a higher
priority than the match-list specifying the traffic for which NAT is intended.
Network Access Control
Filtering inbound traffic is recommended so that only IKE and ESP are allowed on the
particular interface from which the IPsec tunnels are initiated.
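The two recommendations above (the IPsec match-list as a higher-priority NAT bypass rule, and an inbound filter that admits only IKE and ESP on the tunnel interface) are modelled here in Python as an added example; it is not code from the OmniAccess 700 manual, and the rule names, priorities, prefixes and the convention that a lower priority value is evaluated first are constructed assumptions. The filter also admits IKE NAT-Traversal (UDP/4500), which the manual's text does not mention but which IKE needs when a peer sits behind a NAT.

```python
# Added example (not from the OmniAccess 700 manual): a small model of how NAT
# rule ordering affects IPsec traffic, plus the inbound filter for the tunnel
# interface. Rule names, priorities and prefixes are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str        # match-list name (constructed)
    priority: int    # lower value = evaluated first (assumed convention)
    src: str         # source prefix the match-list selects
    dst: str         # destination prefix the match-list selects
    action: str      # "bypass" (exempt from NAT) or "nat"

def matches(rule, src, dst):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst))

def nat_decision(rules, src, dst):
    """Action of the highest-priority rule matching the flow, or "none"."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src, dst):
            return rule.action
    return "none"

def bypass_misordered(rules, ipsec_rule):
    """True when a NAT rule overlapping the IPsec match-list runs before the bypass,
    i.e. tunnel traffic would be translated and break the IPsec selectors."""
    return any(r.action == "nat" and r.priority < ipsec_rule.priority
               and ip_network(r.src).overlaps(ip_network(ipsec_rule.src))
               and ip_network(r.dst).overlaps(ip_network(ipsec_rule.dst))
               for r in rules)

def inbound_allowed(proto, dport=None):
    """Inbound filter for the interface where tunnels are initiated: IKE and ESP only.
    ESP is IP protocol 50; IKE is UDP/500; IKE NAT-Traversal is UDP/4500."""
    if proto == "esp":
        return True
    if proto == "udp" and dport in (500, 4500):
        return True
    return False

# Constructed sample: LAN 10.1.0.0/16 reaches remote site 10.2.0.0/16 through
# IPsec; every other LAN flow towards the Internet is translated.
NAT_ALL = Rule("lan-to-internet", 20, "10.1.0.0/16", "0.0.0.0/0", "nat")
IPSEC_OK = Rule("vpn-to-site-b", 10, "10.1.0.0/16", "10.2.0.0/16", "bypass")
IPSEC_LATE = Rule("vpn-to-site-b", 30, "10.1.0.0/16", "10.2.0.0/16", "bypass")
GOOD_RULES = [IPSEC_OK, NAT_ALL]    # bypass evaluated before NAT
BAD_RULES = [IPSEC_LATE, NAT_ALL]   # NAT evaluated first: tunnel traffic is translated
```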
Interoperability
Although IPsec is a documented standard, it still leaves room for interpretation.
In addition, Internet Drafts such as IKE mode-configuration and vendor proprietary
features increase the likelihood of interoperability challenges. For these reasons,
check with the vendors of the products for interoperability information.
Alcatel-Lucent CLI Configuration Guide, Beta