Enabling Nat-Traversal (Nat-T) For A Client-To-Site Vpn - HP 7102dl - ProCurve Secure Router Configuration Manual

Procurve secure router 7000dl series - advanced management and configuration guide
4. Configure the high security IKE SA proposals in an attribute policy:

ProCurve(config-ike)# attribute 10
ProCurve(config-ike-attribute)# authentication dss-sig
ProCurve(config-ike-attribute)# encryption 3des
ProCurve(config-ike-attribute)# lifetime 240
ProCurve(config-ike-attribute)# group 2

5. Configure a second set of IKE SA proposals for mobile users in a lower priority (higher index) attribute policy:

ProCurve(config-ike-attribute)# attribute 20
ProCurve(config-ike-attribute)# authentication dss-sig
ProCurve(config-ike-attribute)# encryption des
ProCurve(config-ike-attribute)# hash md5
ProCurve(config-ike-attribute)# group 1

Enabling NAT-Traversal (NAT-T) for a Client-to-Site VPN

By default, the ProCurve Secure Router allows peers to request that a VPN tunnel use NAT-T.

Remote VPN users may be behind a device that performs network address translation (NAT) on packets destined to the Internet. When a packet passes through a NAT device, the device changes the packet's IP address. If NAT is performed on packets before they are encrypted, as in a site-to-site VPN between two gateway devices, the packets pass over the VPN connection without difficulty. In a client-to-site VPN, however, the client software encrypts packets before the NAT device alters them, and because of this alteration the packets fail the IPSec integrity check.

Some client software compensates for this problem; other software (such as applications using the L2TP protocol) does not.

NAT-T uses UDP encapsulation to address the incompatibility between NAT and IPSec: the IPSec packet is carried inside a UDP/IP header, and the NAT device changes the address in that outer header without tampering with the IPSec packet.

Peers agree to use NAT-T during IKE negotiations by exchanging a predetermined, known value that indicates that they support NAT-T. When the peers exchange the Diffie-Hellman values, they also send NAT Discovery (NAT-D) packets that include hashes of their source and destination IP addresses and ports. Because one peer's source IP address should be the other's destination address, and vice versa, the hashes should match. If they do not, the peers know that somewhere between the two an address was translated.
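The NAT-D comparison described above, worked through as an added example (this is not the router's code and not from the manual). It builds each NAT-D payload as the hash of the IKE cookies, an IP address and a port, the form NAT-T uses, and then shows the gateway-side check for three constructed cases: a client with a public address, a client whose address was translated by a home NAT device, and a client whose port alone was translated. The addresses, cookies and the choice of SHA-1 as the negotiated hash are all assumptions made for the example.

```python
"""NAT Discovery (NAT-D) check as used by NAT-T, worked through with constructed
addresses. Added illustration, not the ProCurve Secure Router's own code."""
import hashlib
import ipaddress
import struct


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """One NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    The IP address and port are packed in network byte order; the hash function
    is the one negotiated for the IKE SA (sha1 assumed here, md5 also works)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def natd_payloads(cky_i, cky_r, src, dst, hash_name="sha1"):
    """The NAT-D payloads a peer sends: first the hash of the address it is sending
    to, then the hash of what it believes its own source address and port to be."""
    return [natd_hash(cky_i, cky_r, dst[0], dst[1], hash_name),
            natd_hash(cky_i, cky_r, src[0], src[1], hash_name)]


def detect_nat(received, cky_i, cky_r, local, remote_as_seen, hash_name="sha1"):
    """Receiver-side comparison. `local` is the receiver's own address and port,
    `remote_as_seen` is the source address and port the packet actually arrived
    with. A mismatch on the first hash means the receiver's own address was
    translated before the peer saw it; a mismatch on the remaining hashes means
    the sender's address or port was translated before the packet arrived."""
    local_untranslated = received[0] == natd_hash(cky_i, cky_r, local[0], local[1], hash_name)
    remote_untranslated = any(
        h == natd_hash(cky_i, cky_r, remote_as_seen[0], remote_as_seen[1], hash_name)
        for h in received[1:]
    )
    return {
        "local_behind_nat": not local_untranslated,
        "remote_behind_nat": not remote_untranslated,
        "nat_t_needed": not (local_untranslated and remote_untranslated),
    }


# Constructed values (RFC 5737 documentation addresses, made-up cookies); none come from the manual.
GATEWAY = ("198.51.100.1", 500)         # the router's public IKE address
CLIENT_PRIVATE = ("192.168.1.10", 500)  # a remote user's address behind a home NAT device
CLIENT_PUBLIC = ("203.0.113.5", 500)    # the address that NAT device presents to the Internet
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def gateway_check(client_own_view, client_as_seen_by_gateway, hash_name="sha1"):
    """Run one client-to-gateway NAT-D exchange: the client builds its payloads
    from its own idea of the addresses; the gateway verifies them against the
    addresses the packet actually carried when it arrived."""
    sent = natd_payloads(CKY_I, CKY_R, client_own_view, GATEWAY, hash_name)
    return detect_nat(sent, CKY_I, CKY_R, GATEWAY, client_as_seen_by_gateway, hash_name)


if __name__ == "__main__":
    # Client directly on the Internet: both hashes match, plain IPSec will work.
    print("no NAT:    ", gateway_check(CLIENT_PUBLIC, CLIENT_PUBLIC))
    # Client behind NAT: its source hash covers 192.168.1.10 but the packet
    # arrived from 203.0.113.5, so the gateway learns the client was translated.
    print("client NAT:", gateway_check(CLIENT_PRIVATE, CLIENT_PUBLIC))
    # Port-only translation is caught too, because the port is part of the hash.
    print("port NAT:  ", gateway_check(CLIENT_PUBLIC, ("203.0.113.5", 61000)))
```

Once the gateway sees `remote_behind_nat`, it knows why the client's IPSec packets would fail the integrity check and can switch the tunnel to UDP encapsulation, which is exactly the decision NAT-T automates. Including the port in the hash matters for the common case where the NAT device keeps the address but rewrites the source port.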
Virtual Private Networks
Configuring a VPN Using IPSec
10-31
