An explanation of NAT Traversal and passing IPSec through firewalls

Article #: 1578

Product: Castle

All

All

Summary

An explanation of NAT Traversal and passing IPSec through Firewalls

Problem

Passing IPSec traffic through any NAT device, such as a router or a separate firewall in front of the VPN gateway or client, can be difficult.

NAT rewrites IP addresses and keeps track of the connections going through the NAT device by mapping each outgoing connection to a specific port. The IPSec protocols used for data transfer (ESP and AH) have no port numbers, so the NAT device has nothing on which to build a per-connection mapping, and this causes problems with traversing NAT firewalls.

Solution

Smoothwall firewall supports IPSec NAT Traversal (NAT-T) mode. NAT-T carries the IPSec VPN traffic inside UDP instead of sending it as protocol 50 (ESP) or protocol 51 (AH); UDP has port numbers, so the NAT process can translate it normally. This does of course require that the other end of the VPN tunnel also supports NAT-T. The Smoothwall VPN does, and we have also tested NAT-T with Shrew Soft VPN Client, NCP VPN Client, The GreenBow VPN client, IP Securitas and others.

To operate an IPSec VPN client on a user computer in the local protected network behind a Smoothwall through to another vendor's VPN gateway, the IPSec client must operate in NAT-T mode rather than use protocol 50 (ESP) or 51 (AH), for the reason stated above.
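The following Python example is added here to illustrate the Problem and Solution sections above; it is not Smoothwall code and does not model the Smoothwall implementation. It builds a toy port-based source NAT to show why a plain ESP packet (IP protocol 50, no ports) cannot be mapped while the same ESP data wrapped in UDP can, and it classifies what a UDP/4500 payload carries using the encodings defined in RFC 3948 (a four-zero-byte "non-ESP marker" in front of IKE, a single 0xFF byte for NAT keepalives, otherwise an ESP header whose SPI is non-zero). The port numbers 500 and 4500 are the standard IKE and NAT-T ports; the IP addresses are constructed from the RFC 5737 documentation ranges.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# IP protocol numbers and UDP ports involved (standard values from IANA / RFC 3948)
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None: this protocol has no port field (ESP, AH)
    dst_port: Optional[int] = None
    payload: bytes = b""


class PortNat:
    """A minimal source NAT that maps flows by (protocol, inside IP, inside port)."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Tuple[int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src_port is None:
            # ESP (50) and AH (51) carry no port, so there is nothing to build a
            # per-flow mapping on; this is the failure the article describes.
            raise ValueError(f"IP protocol {pkt.proto} has no ports; cannot NAT it")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip,
                      self.table[key], pkt.dst_port, pkt.payload)


def udp_encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """Build the UDP payload of a NAT-T data packet: ESP header (SPI, sequence) + body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def classify_nat_t_payload(payload: bytes) -> str:
    """Classify what a UDP/4500 payload carries, following RFC 3948 section 2."""
    if payload == b"\xff":
        return "nat-keepalive"   # one-byte keepalive that keeps the NAT mapping alive
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"             # non-ESP marker: IKE is sent on 4500 behind four zero bytes
    if len(payload) >= 8:
        return "esp"             # otherwise the first four bytes are a non-zero SPI
    return "malformed"


def required_firewall_allowances(nat_t: bool):
    """(protocol, port) pairs a firewall in front of the VPN gateway must permit."""
    if nat_t:
        return {(PROTO_UDP, IKE_PORT), (PROTO_UDP, NAT_T_PORT)}
    return {(PROTO_UDP, IKE_PORT), (PROTO_ESP, None), (PROTO_AH, None)}


def demo():
    """Send one plain ESP packet and one UDP-encapsulated copy through the toy NAT."""
    nat = PortNat("203.0.113.1")   # constructed public address of the NAT device
    inner = udp_encapsulate_esp(spi=0x1234ABCD, seq=1, esp_body=b"<ciphertext>")
    plain = Packet(PROTO_ESP, "192.168.1.10", "198.51.100.7", payload=inner)
    try:
        nat.outbound(plain)
        plain_passed = True
    except ValueError:
        plain_passed = False
    nat_t = Packet(PROTO_UDP, "192.168.1.10", "198.51.100.7", NAT_T_PORT, NAT_T_PORT, inner)
    translated = nat.outbound(nat_t)
    return plain_passed, translated, classify_nat_t_payload(translated.payload)


if __name__ == "__main__":
    passed, pkt, kind = demo()
    print("plain ESP through port-based NAT:", passed)
    print("NAT-T packet after NAT:", pkt.src_ip, pkt.src_port, "->", pkt.dst_ip, pkt.dst_port, kind)
```

Running the module shows the plain ESP packet being rejected by the NAT while the UDP-encapsulated copy leaves with a translated source address and port and is still recognised as ESP at the far end. The `required_firewall_allowances` helper is the checklist a practitioner needs when a separate firewall sits in front of the gateway: with NAT-T only UDP 500 and UDP 4500 need to pass, whereas without it the firewall must forward IP protocols 50 and 51 as well.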

Attribution

Last updated: 07 September 2016

Author / Contributions by: Tanja

Copyright © 2000-2016 Smoothwall All rights reserved.