Siemens RUGGEDCOM ROX II User Manual page 466

Chapter 12
Tunneling and VPNs
Parameter: type { type }
Synopsis: { default, default-route, address }
Default: default
Description: The next hop type. The default value is 'right side public-ip' unless overwritten by the default connection setting.

Parameter: value { value }
Synopsis: A string 7 to 15 characters long
Description: The IP address of the next hop that can be used to reach the destination network.

7. Configure the Network Address Translation (NAT) traversal negotiation method by configuring the following parameters:

NOTE
Using the RFC 3947 negotiation method over draft-ietf-ipsec-nat-t-ike-02 may cause issues when connecting to the IPsec server, as RFC 3947 uses different identifiers when NAT is involved. For example, when a Windows XP/2003 client connects, Libreswan reports the main mode peer ID as ID_FQDN: '@example.com'. However, when a Vista, Windows 7 or other RFC 3947 compliant client connects, Libreswan reports the main mode peer ID as ID_IPV4_ADDR: '192.168.1.1'. If possible, use the draft-ietf-ipsec-nat-t-ike-02 method to avoid this issue.

Parameter: nat-traversal-negotiation { nat-traversal-negotiation }
Synopsis: { default, draft-ietf-ipsec-nat-t-ike-02, rfc-3947 }
Default: default
Description: The NAT traversal negotiation method. Some IPsec endpoints prefer RFC 3947 over draft-ietf-ipsec-nat-t-ike-02 when connecting with Libreswan, as these implementations use different identifiers when NAT is involved. For example, when a Windows XP/2003 client connects, Libreswan reports the main mode peer ID is ID_FQDN: '@example.com', but when a Vista, Windows 7 or other RFC 3947 compliant client connects, Libreswan reports the main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'. This will cause issues connecting to the IPsec server. In such cases, setting this option to draft-ietf-ipsec-nat-t-ike-02 will solve this problem. The default value is 'rfc-3947' unless overwritten by the default connection setting.

8. If required, configure a subnet for the connection end. For more information, refer to Section 12.8.10.3, "Adding an Address for a Private Subnet".

9. Type commit and press Enter to save the changes, or type revert and press Enter to abort.

Section 12.8.10
Managing Private Subnets
If the device is connected to an internal, private subnet, access to the subnet can be granted to the device at the other end of the IPsec tunnel. Only the IP address and mask of the private subnet are required.

CONTENTS
Section 12.8.10.1, "Configuring Private Subnets for Connection Ends"
Section 12.8.10.2, "Viewing a List of Addresses for Private Subnets"
Section 12.8.10.3, "Adding an Address for a Private Subnet"
Section 12.8.10.4, "Deleting an Address for a Private Subnet"
RUGGEDCOM ROX II
CLI User Guide
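
The peer ID difference described in the NAT traversal negotiation note can be confirmed from the IPsec log before changing the nat-traversal-negotiation setting. The following Python script is an added example, not part of the Siemens manual: the log line layout, the connection names and the expected mapping are constructed assumptions, and only the ID_FQDN / ID_IPV4_ADDR tokens come from the note.

```python
import re
from collections import defaultdict

# Constructed sample lines. The line layout (quoted connection name, peer
# address, "#n:", "Main mode peer ID is ...") is an assumption; adjust
# PEER_ID_RE to whatever the device's IPsec log actually shows.
SAMPLE_LOG = """\
Jan 10 09:14:02 pluto[812]: "site-a"[1] 203.0.113.10 #1: Main mode peer ID is ID_FQDN: '@example.com'
Jan 10 09:20:41 pluto[812]: "site-a"[2] 203.0.113.22 #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
Jan 10 09:31:07 pluto[812]: "site-b"[1] 198.51.100.7 #3: Main mode peer ID is ID_FQDN: '@branch.example.com'
"""

PEER_ID_RE = re.compile(
    r'"(?P<conn>[^"]+)"(?:\[\d+\])?\s+(?P<peer>\S+)\s+#\d+:.*?'
    r"peer ID is (?P<id_type>ID_[A-Z0-9_]+): '(?P<id_value>[^']*)'"
)

def parse_peer_ids(log_text):
    """Yield (connection, peer address, ID type, ID value) per matching line."""
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            yield m["conn"], m["peer"], m["id_type"], m["id_value"]

def find_id_mismatches(log_text, expected):
    """Return peers whose reported ID differs from the configured one.

    expected: hypothetical operator-supplied mapping of
    connection name -> (ID type, ID value) for the remote end.
    """
    mismatches = []
    for conn, peer, id_type, id_value in parse_peer_ids(log_text):
        want = expected.get(conn)
        if want is not None and (id_type, id_value) != want:
            mismatches.append({"connection": conn, "peer": peer,
                               "expected": want,
                               "reported": (id_type, id_value)})
    return mismatches

def id_types_by_connection(log_text):
    """Group ID types seen per connection; more than one type on the same
    connection points at clients using different NAT-T negotiation methods."""
    seen = defaultdict(set)
    for conn, _peer, id_type, _value in parse_peer_ids(log_text):
        seen[conn].add(id_type)
    return dict(seen)
```

A connection that shows both ID_FQDN and ID_IPV4_ADDR is the case the note describes.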
