210 Chapter 13 VPN
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload, which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT, although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints (see "NAT Traversal" on page 215 for details).

Table 48 VPN and NAT

Security Protocol   Mode        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   N
ESP                 Tunnel      Y

Secure Gateway Address

Secure Gateway Address is the WAN IP address or domain name of the remote VPN switch (secure gateway). You can specify this for a VPN rule in the VPN Branch Office Rule Setup screen (see Figure 72 on page 223).

If the remote VPN switch has a static WAN IP address, enter it in the Secure Gateway Address field. You can alternatively enter the remote VPN switch's domain name (if it has one) in the Secure Gateway Address field.

You can also enter a remote VPN switch's domain name in the Secure Gateway Address field if the remote VPN switch has a dynamic WAN IP address and is using DDNS. The Business Secure Router has to rebuild the VPN tunnel each time the remote VPN switch's WAN IP address changes (there can be a delay until the DDNS servers are updated with the remote VPN switch's new WAN IP address).

NN47922-500
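The results in Table 48 can be reproduced with a simplified model, added here as an illustration and not taken from the router documentation or firmware. AH's integrity value covers the outer addresses, ESP's covers only the protected body, and transport mode additionally fails at the upper-layer checksum, whose pseudo-header uses the rewritten address (a known NAT/IPsec incompatibility that the page does not spell out). Encryption is omitted, and the packet layout, key, addresses and function names are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def packed(ip):
    return ipaddress.IPv4Address(ip).packed

def icv(data):  # assumption: truncated HMAC-SHA-256 stands in for the negotiated algorithm
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def l4_checksum(src, dst, segment):
    # Internet checksum over a simplified pseudo-header (addresses only) plus the segment
    data = src + dst + segment
    data += b"\x00" * (len(data) % 2)
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF).to_bytes(2, "big")

def build(proto, mode, src, dst, segment):
    body = l4_checksum(packed(src), packed(dst), segment) + segment
    if mode == "Tunnel":  # original header travels inside the protected body
        body = packed(src) + packed(dst) + body
    covered = packed(src) + packed(dst) + body if proto == "AH" else body
    return {"proto": proto, "mode": mode, "src": src, "dst": dst, "body": body, "icv": icv(covered)}

def nat(pkt, public_src):  # NAT rewrites only the outer source address
    return {**pkt, "src": public_src}

def accepts(pkt):
    body = pkt["body"]
    outer = packed(pkt["src"]) + packed(pkt["dst"])
    covered = outer + body if pkt["proto"] == "AH" else body  # AH also covers the outer addresses
    if not hmac.compare_digest(icv(covered), pkt["icv"]):
        return False
    if pkt["mode"] == "Tunnel":  # checksum is checked against the inner, original addresses
        src, dst, body = body[:4], body[4:8], body[8:]
    else:  # transport: pseudo-header uses the outer, possibly rewritten, addresses
        src, dst = outer[:4], outer[4:]
    return l4_checksum(src, dst, body[2:]) == body[:2]

def nat_table(private="192.168.1.10", public="203.0.113.5", peer="198.51.100.7"):
    seg = b"constructed payload"
    return {(p, m): "Y" if accepts(nat(build(p, m, private, peer, seg), public)) else "N"
            for p in ("AH", "ESP") for m in ("Transport", "Tunnel")}

if __name__ == "__main__":
    print(nat_table())
```

Without the `nat()` step every combination is accepted, so the N entries come from the address rewrite alone.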