Background: NAT-T and Policies - Allied Telesis AlliedWare AR440S How To Configure

How to configure VPNs in a corporate network, with optional prioritisation of VoIP

Background: NAT-T and policies
NAT-T
NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows
IPsec VPNs to traverse any NAT gateways that may be in the VPN path. This is likely to occur
with the VPNs from the roaming VPN clients—they are likely to use a LAN at a remote site
that is behind a NAT gateway.
NAT-T may also be applicable for a site-to-site VPN, if one of the routers is behind a NAT
gateway, such as some ADSL devices. Note that AR44xS series routers provide an ADSL
interface, which removes the need for a separate ADSL device. Therefore, the examples in
this How To Note do not include NAT-T for the site-to-site VPNs.
The following figure shows how the addresses in the IPsec headers change as a packet from a
roaming client traverses NAT gateways in the VPN pathway. The figure illustrates IPsec
transport mode with L2TP.
Page 4 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
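Figure (vpn-nat-t.eps): addresses in the packet headers at each stage of the VPN path.

Devices shown in the figure:
hotel: roaming VPN client 192.168.200.1; NAT gateway 192.168.200.254 and 211.211.211.1
Internet
headquarters: VPN access concentrator 200.200.200.1 and 192.168.140.254; destination 192.168.140.27

Packet between the roaming VPN client and the NAT gateway:
Header   Source Addr      Dest Addr
IP       192.168.143.1    192.168.140.27
PPP      N/A              N/A
L2TP     N/A              N/A
IPsec    N/A              N/A
IP       192.168.200.1    200.200.200.1
ETH      N/A              N/A

Packet between the NAT gateway and the VPN access concentrator:
Header   Source Addr      Dest Addr
IP       192.168.143.1    192.168.140.27
PPP      N/A              N/A
L2TP     N/A              N/A
IPsec    N/A              N/A
IP       211.211.211.1    200.200.200.1
ETH      N/A              N/A

Packet at headquarters, after the VPN access concentrator:
Header   Source Addr      Dest Addr
IP       192.168.143.1    192.168.140.27
ETH      N/A              N/A

The figure marks the headers carried inside IPsec as Encrypted.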
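
The figure shows the outer source address changing from 192.168.200.1 to 211.211.211.1 at the hotel NAT gateway. The following added example (not from the How To Note, and not AlliedWare code) sketches how IKE NAT-T detects that change with the NAT-D hash defined in RFC 3947; the cookies, the translated port 32001 and the use of SHA-1 are assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (assumptions, not from the How To Note).
CKY_I = bytes.fromhex("1122334455667788")   # initiator cookie
CKY_R = bytes.fromhex("99aabbccddeeff00")   # responder cookie
CLIENT = ("192.168.200.1", 500)             # roaming client, from the figure
HQ = ("200.200.200.1", 500)                 # VPN access concentrator, from the figure
NAT_OUTSIDE = ("211.211.211.1", 32001)      # figure address; port is constructed


def nat_d_hash(ip, port):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for the hash negotiated in IKE phase 1 (assumption)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(CKY_I + CKY_R + packed).digest()


def responder_check(nat_d_dst, nat_d_src, seen_src, seen_dst):
    """Compare the NAT-D hashes the client sent with hashes of the
    addresses the concentrator actually sees on the IKE packet."""
    peer_behind_nat = nat_d_src != nat_d_hash(*seen_src)
    local_behind_nat = nat_d_dst != nat_d_hash(*seen_dst)
    nat = peer_behind_nat or local_behind_nat
    return {
        "peer_behind_nat": peer_behind_nat,
        "local_behind_nat": local_behind_nat,
        # RFC 3947/3948: with a NAT in the path, IKE and ESP move to UDP 4500.
        "transport": "ESP in UDP/4500" if nat else "native ESP (IP protocol 50)",
    }


def scenario(through_nat):
    # The client hashes the addresses as it sees them before any translation.
    nat_d_dst = nat_d_hash(*HQ)
    nat_d_src = nat_d_hash(*CLIENT)
    # The NAT gateway rewrites only the outer source address and port.
    seen_src = NAT_OUTSIDE if through_nat else CLIENT
    return responder_check(nat_d_dst, nat_d_src, seen_src, HQ)


if __name__ == "__main__":
    print("via hotel NAT:", scenario(True))
    print("no NAT:       ", scenario(False))
```

Only the source hash mismatches in the hotel case, which tells the concentrator that the client, not itself, sits behind the NAT gateway.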
