LevelOne GBR-4001 User Manual page 144

4-wan gigabit broadband vpn router
In the WEB UI mode, you can enable the DPD function by selecting the "DPD" option, and
set the test cycle by configuring "heartbeat" in the "Advanced options" of VPN
configuration -> IPSec.
12.2.1.3 IPSec NAT traversal
For historical reasons, one of the problems in deploying an IPSec VPN across a NAT is that
the IPSec peers can no longer be located after network address translation (NAT).
Internet service providers and Small Office/Home Office (SOHO) networks typically use NAT to
share a single public IP address. Although NAT helps to conserve the remaining IP address space,
it also causes trouble for end-to-end protocols such as IPSec.
One of the main reasons NAT disrupts IPSec is that, for the "Encapsulating Security
Payload (ESP)" protocol, a NAT device cannot locate the Layer 4 header it needs for port
translation, because that header is encrypted. For the "Authentication Header (AH)"
protocol, the NAT device can modify the port number, but it cannot update the authentication
check, so the authentication check of the entire IPSec packet will fail.
A newer technology known as IPSec NAT Traversal (NAT-T) is being standardized by the IPSec
working group of the Internet Engineering Task Force.
During IPSec negotiation, the two peers determine automatically whether to use IPSec NAT-T
based on the following two conditions:
- Whether the party that initiates the IPSec session (usually a client computer) and the party
that responds to it (usually a server) are both able to perform IPSec NAT-T.
- Whether any NAT exists in the path between them.
If both conditions are true, the two parties use IPSec NAT-T to send the IPSec-protected
traffic through the NAT. If one party does not support IPSec NAT-T, ordinary IPSec
negotiation and IPSec protection are performed (after the first two messages). If both parties
support IPSec NAT-T but there is no NAT between them, normal IPSec protection is
performed.
Tip: IPSec NAT-T is defined only for ESP traffic; AH traffic cannot pass through NAT
devices.
The device supports the NAT traversal (NAT-T) function. During the first-phase exchange, NAT-T
detects whether one or more NAT devices sit on the data path; if so, it adds a layer of UDP
encapsulation (usually on UDP port 4500) so that the traffic can pass through the NAT device.
In the WEB UI mode, the NAT traversal feature can be enabled by selecting the "NAT traversal"
option in the "Advanced options" of VPN configuration -> IPSec.
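As an added illustration (not taken from the manual or from LevelOne's firmware), the following Python models two points made above: how NAT-T carries IKE and ESP side by side on UDP port 4500 (the framing of RFC 3948), and why an AH integrity check fails once a NAT rewrites the outer address. The HMAC algorithm, key and addresses are constructed stand-ins, not values from any real SA.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed example. RFC 3948: on UDP/4500, IKE packets are prefixed with a
# four-zero-byte "non-ESP marker"; UDP-encapsulated ESP starts directly with its
# SPI (never zero for a traffic SA); a single 0xFF byte is a NAT-keepalive.
NON_ESP_MARKER = b"\x00" * 4
NAT_KEEPALIVE = b"\xff"


def classify_udp4500(payload: bytes) -> str:
    """Tell IKE, ESP-in-UDP and keepalives apart, as a NAT-T-aware logger would."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 8:          # ESP needs SPI + sequence number at minimum
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def esp_spi(payload: bytes) -> int:
    """SPI of a UDP-encapsulated ESP packet (first four bytes, network order)."""
    return struct.unpack("!I", payload[:4])[0]


# Toy model of why AH cannot cross a NAT: the ICV covers the outer IP addresses,
# so rewriting the source address invalidates the check. HMAC-SHA-256 truncated
# to 96 bits stands in for the real AH algorithm (constructed, not the device's).
def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    data = IPv4Address(src).packed + IPv4Address(dst).packed + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def ah_verify(key: bytes, src: str, dst: str, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, src, dst, payload), icv)


def ah_survives_nat(key: bytes, private_src: str, public_src: str,
                    dst: str, payload: bytes) -> bool:
    """Sender signs over its private address, NAT rewrites it, receiver verifies."""
    icv = ah_icv(key, private_src, dst, payload)
    return ah_verify(key, public_src, dst, payload, icv)


if __name__ == "__main__":
    esp = struct.pack("!I", 0x0A1B2C3D) + bytes(8)        # constructed ESP header
    print(classify_udp4500(NON_ESP_MARKER + bytes(28)), classify_udp4500(esp), hex(esp_spi(esp)))
    print(ah_survives_nat(b"k", "192.168.1.10", "203.0.113.5", "198.51.100.7", b"x"))
```

The same classifier logic is what lets a NAT-T endpoint (or a firewall log parser) handle IKE and ESP arriving on one UDP port, while the AH model shows the failure the Tip above describes.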
http://www.level1.com
Chapter 12 VPN
Page 139