There are many incompatibilities between NAT and IPsec.
For detailed information you may read the IETF Informational
RFC 3715, "IPsec-NAT Compatibility Requirements". You will meet the following
problems when there are NAT devices between the VPN client
and the VPN server:
1. The IPsec AH protocol cannot be used.
2. Only one outgoing IPsec VPN connection can be established at a time.
3. An L2TP over IPsec VPN connection cannot be created.
Note: Regarding the 1st problem (the IPsec AH protocol cannot be used):
the purpose of AH is to protect immutable fields within the
IP header (including IP addresses). However, a NAPT device
translates IP addresses, invalidating the AH integrity check.
As a result, NAPT and AH are fundamentally incompatible, and
there is no requirement that an IPsec-NAT compatibility solution
has to support AH transport or tunnel mode.
For the 2nd and 3rd problems listed
above, the IETF has recently worked out a solution
called NAT Traversal (NAT-T), standardized in RFCs 3947
and 3948. If you're going to use IPsec or L2TP over IPsec
between NAT endpoints, make sure your VPN client and VPN gateway
both support NAT-T.
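The two behaviours described above (the AH integrity check failing after address translation, and a basic NAPT being unable to multiplex more than one ESP tunnel to the same gateway until the traffic is wrapped in UDP by NAT-T) can be shown in a small model. The code below is an added illustration, not DrayTek's or the Vigor firmware's code; the key, addresses, SPI and payloads are constructed, the AH integrity value is a truncated HMAC-SHA256 over a simplified header, and the NAPT model is a plain port-based translator with no ESP-aware "IPsec passthrough", which is the situation the FAQ describes.

```python
"""Toy model of AH vs. ESP behind NAPT, and of why NAT-T (ESP in UDP/4500)
lets several inside hosts reach one VPN gateway.  Added example, not
vendor code; all keys, addresses and payloads are constructed."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

# Constructed demo key; a real SA key is negotiated by IKE.
DEMO_KEY = b"constructed-demo-integrity-key"


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    proto: int          # 50 = ESP, 51 = AH, 17 = UDP
    ttl: int = 64
    checksum: int = 0   # mutable: every router recomputes it


def _ah_covered_bytes(h: IPv4Header) -> bytes:
    # AH (RFC 4302) zeroes the mutable fields (here TTL and header checksum)
    # before computing the ICV, but the source and destination addresses
    # are immutable and therefore covered.
    return struct.pack("!BBH4s4s", 0, h.proto, 0,
                       socket.inet_aton(h.src), socket.inet_aton(h.dst))


def ah_icv(h: IPv4Header, payload: bytes) -> bytes:
    return hmac.new(DEMO_KEY, _ah_covered_bytes(h) + payload,
                    hashlib.sha256).digest()[:12]


def ah_verify(h: IPv4Header, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(h, payload), icv)


def esp_icv(spi: int, seq: int, payload: bytes) -> bytes:
    # ESP's ICV covers only the ESP header and payload, never the outer
    # IP header, so address rewriting does not disturb it.
    return hmac.new(DEMO_KEY, struct.pack("!II", spi, seq) + payload,
                    hashlib.sha256).digest()[:12]


def esp_verify(spi: int, seq: int, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(esp_icv(spi, seq, payload), icv)


def napt_rewrite(h: IPv4Header, public_ip: str) -> IPv4Header:
    # A NAPT device replaces the private source address and, like any
    # router, decrements the TTL and recomputes the header checksum.
    return replace(h, src=public_ip, ttl=h.ttl - 1, checksum=0x1234)


def ah_survives_napt() -> bool:
    h = IPv4Header(src="192.168.1.10", dst="203.0.113.5", proto=51)
    payload = b"constructed L2TP payload"
    icv = ah_icv(h, payload)                       # computed by the client
    return ah_verify(napt_rewrite(h, "198.51.100.7"), payload, icv)


def esp_survives_napt() -> bool:
    h = IPv4Header(src="192.168.1.10", dst="203.0.113.5", proto=50)
    payload = b"constructed encrypted payload"
    icv = esp_icv(0x1000, 1, payload)
    napt_rewrite(h, "198.51.100.7")                # outer header changes
    return esp_verify(0x1000, 1, payload, icv)     # ICV never covered it


class Napt:
    """Basic NAPT: translates on transport ports, no ESP-aware passthrough."""
    ESP, UDP = 50, 17

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.mappings = {}
        self.next_port = 40000

    def outbound(self, inside_ip, proto, dst_ip, src_port=None):
        if proto == self.ESP:
            # ESP carries no port, so return packets can only be matched on
            # (protocol, peer); a second inside host to the same gateway
            # would be indistinguishable and the mapping collides.
            key = (proto, dst_ip)
            if self.mappings.get(key, inside_ip) != inside_ip:
                raise RuntimeError(f"ESP {inside_ip}->{dst_ip} collides")
            self.mappings[key] = inside_ip
            return self.public_ip, None
        # NAT-T (RFC 3948) puts ESP inside UDP/4500, giving NAPT a source
        # port to rewrite, so each inside host gets its own public port.
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[(proto, pub_port)] = (inside_ip, src_port)
        return self.public_ip, pub_port


def concurrent_tunnels(use_nat_t: bool) -> int:
    """Count inside hosts that can reach one VPN gateway at the same time."""
    nat = Napt("198.51.100.7")
    established = 0
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        try:
            if use_nat_t:
                nat.outbound(host, Napt.UDP, "203.0.113.5", src_port=4500)
            else:
                nat.outbound(host, Napt.ESP, "203.0.113.5")
            established += 1
        except RuntimeError:
            pass
    return established
```

`ah_survives_napt()` returns False because the rewritten source address is part of the data the AH ICV was computed over, while `esp_survives_napt()` returns True. `concurrent_tunnels(False)` yields 1 (the first host claims the only possible ESP mapping), and `concurrent_tunnels(True)` yields 3, which is the difference NAT-T makes for the 2nd problem listed above. A real NAT-T implementation also restores the UDP checksum handling and keepalives described in RFC 3948; those details are omitted here.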
Example 1: Creating an L2TP over IPsec connection
Example 2: Creating multiple IPsec connections
Related FAQs:
Does Vigor support IPsec NAT Traversal?
When is NAT Traversal needed?
Page last modified: 13 October 2008