IP Security - Virtual Private Network
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
Alcatel-Lucent
IPSEC NAT-TRAVERSAL
NAT can occur before or after IPsec. If NAT is applied before the IPsec packet is 
encrypted, NAT and IPsec can work together. If the packet is encrypted before it 
reaches the NAT device, NAT changes the address in the already-encrypted packet. 
Because the packet has been modified, it fails the integrity check at the receiving 
end; the packet is discarded and the VPN tunnel cannot be established. In such a 
scenario, NAT and IPsec cannot be applied on the same interface.
NAT-Traversal (NAT-T) was created to enable IPsec VPNs to work with NAT. It 
makes it easier to deploy NAT and IPsec together by resolving these issues. 
NAT-T uses UDP (User Datagram Protocol) encapsulation, which lets NAT devices 
change IP addresses or ports without modifying the IPsec packet itself. Additionally, 
to prevent an IKE-aware NAT from modifying IKE packets, IPsec NAT-T peers 
switch from IKE UDP port 500 to UDP port 4500 during IKE negotiation.
No configuration is required, as NAT-T is detected automatically by the VPN 
devices. Both VPN devices must be NAT-T capable.
Note: IPsec NAT-T is only defined for ESP (Encapsulating Security Payload) traffic.
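The NAT detection and UDP port 4500 encapsulation described above, as an added Python illustration that is not part of the Alcatel-Lucent guide. It shows how NAT-T peers notice a NAT in the path (the IKEv2 NAT_DETECTION payloads of RFC 7296 hash SPIs, address and port, and a mismatch at the receiver means a NAT rewrote the header) and how a receiver tells keepalives, IKE and ESP apart on UDP 4500 (RFC 3948 non-ESP marker). All SPIs, addresses, ports and packet bytes are constructed sample values.

```python
# Added illustration (not code from the Alcatel-Lucent guide): NAT-T NAT detection
# (RFC 7296 NAT_DETECTION_*_IP) and UDP/4500 demultiplexing (RFC 3948).
# Every SPI, address, port and packet below is a constructed sample value.
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE messages carried on UDP 4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that holds the NAT mapping open
IKE_HEADER_LEN = 28                   # fixed IKEv2 header size


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP | Port): the value carried in a NAT_DETECTION_*_IP payload."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_in_path(spi_i, spi_r, sender_ip, sender_port, observed_ip, observed_port) -> bool:
    """The sender hashes the address/port it believes it is using; the receiver
    recomputes the hash over the source address/port it actually observed.
    A mismatch means a NAT rewrote the header, so the peers move to UDP 4500."""
    sent = nat_detection_hash(spi_i, spi_r, sender_ip, sender_port)
    recomputed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != recomputed


def classify_udp4500_payload(payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload: keepalive, IKE (non-ESP marker) or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"type": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + IKE_HEADER_LEN:
            return {"type": "malformed"}
        spi_i, spi_r, _next, version, exch = struct.unpack("!8s8sBBB", payload[4:23])
        return {
            "type": "ike",
            "ike_version": f"{version >> 4}.{version & 0xF}",
            "exchange_type": exch,
            "spi_i": spi_i.hex(),
        }
    if len(payload) < 8:
        return {"type": "malformed"}
    # An ESP SPI is never zero, so it cannot be confused with the non-ESP marker.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"type": "esp", "spi": spi, "seq": seq}


def build_sample_ike_sa_init() -> bytes:
    """Constructed IKE_SA_INIT header (no payloads) as seen on UDP 4500."""
    # next payload 33 (SA), version 2.0, exchange type 34 (IKE_SA_INIT), flags: Initiator
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
    return NON_ESP_MARKER + hdr


def build_sample_esp(spi: int, seq: int) -> bytes:
    """Constructed UDP-encapsulated ESP: SPI, sequence number, placeholder ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


if __name__ == "__main__":
    spi_i, spi_r = b"\x01" * 8, b"\x00" * 8
    # Peer sends from private 10.0.0.5:500 but the responder sees 203.0.113.7:40012 (constructed).
    print("NAT detected:", nat_in_path(spi_i, spi_r, "10.0.0.5", 500, "203.0.113.7", 40012))
    for pkt in (NAT_KEEPALIVE, build_sample_ike_sa_init(), build_sample_esp(0x12345678, 7)):
        print(classify_udp4500_payload(pkt))
```

The demultiplexing rule is what lets both IKE and ESP share port 4500 after NAT is detected: IKE is prefixed with four zero bytes, and a real ESP SPI can never be zero, so the first four bytes alone decide which parser runs.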
TO ENABLE/DISABLE NAT TRAVERSAL
EXAMPLE
ALU(config)# crypto nat-traversal disable
Command (in CM)                          Description
crypto nat-traversal {enable|disable}    Enables or disables NAT traversal for 
                                         IPsec on the OmniAccess 5740 USG. 
                                         By default, NAT Traversal is enabled.