An explanation of NAT Traversal and passing IPSec through Firewalls
Passing IPSec traffic through any NAT device such as a router (or a separate firewall in front of the VPN gateway / client) can be difficult.
NAT rewrites IP addresses and keeps track of the connections going through the NAT device by mapping each outgoing connection to a specific port. The IPSec protocols used for data transfer (ESP and AH) do not have ports, so a NAT device has nothing to map, and this causes problems with traversing NAT firewalls.
Smoothwall firewall supports IPSec NAT Traversal (NAT-T) mode. NAT-T carries the IPSec VPN traffic inside UDP instead of sending it as protocol 50 (ESP) or protocol 51 (AH); because UDP has port numbers, the NAT process can translate it normally. This does of course require that the other end of the VPN tunnel can support NAT-T. The Smoothwall VPN does, and we have also tested NAT-T with Shrew Soft VPN Client, NCP VPN Client, The GreenBow VPN client, IPSecuritas and others.
To operate an IPSec VPN client on a user computer in the local protected network behind a Smoothwall, connecting through to another vendor's VPN gateway, the IPSec client must operate in NAT-T mode rather than use protocol 50 (ESP) or 51 (AH), for the reason stated above.
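To make the port-mapping problem concrete, here is an added example (not from the Smoothwall article) of a toy many-to-one NAT: two hosts behind it each open an IPSec tunnel to the same gateway, first as raw ESP (protocol 50) and then encapsulated in UDP on port 4500, the NAT-T port defined in RFC 3948 (the port number and the addresses are assumptions, not values from the page).

```python
# Added example: a minimal port-based NAT (NAPT) that shows why raw ESP has
# nothing for the NAT to key on, while UDP-encapsulated ESP (NAT-T) does.
# All packets are constructed dicts; addresses are documentation ranges.
PROTO_UDP, PROTO_ESP = 17, 50
NAT_T_PORT = 4500   # UDP port used by NAT-T (RFC 3948); assumption, not on the page

class PortNat:
    """Maps inside (proto, ip, port) to a unique port on one public address."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, inside_ip, inside_port) -> public port
        self.back = {}   # (proto, public port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Translate inside->outside; None means the NAT cannot track it."""
        if "sport" not in pkt:   # ESP/AH carry an SPI, not a port: no key
            return None
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt["proto"], self.next_port)] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        return dict(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        """Translate a reply from outside; None means no mapping, so dropped."""
        inside = self.back.get((pkt["proto"], pkt.get("dport")))
        if inside is None:
            return None
        return dict(pkt, dst=inside[0], dport=inside[1])

def demo():
    nat, gw = PortNat("203.0.113.1"), "198.51.100.9"
    # Raw ESP from two inside hosts: a pure port-based NAT has no port to map.
    # (Some routers add a one-client "IPsec passthrough" keyed on the SPI; not modelled.)
    raw_esp = [{"proto": PROTO_ESP, "src": f"10.0.0.{i}", "dst": gw, "spi": 0x1000 + i}
               for i in (1, 2)]
    esp_tracked = all(nat.outbound(p) is not None for p in raw_esp)
    # Same tunnels with NAT-T: ESP wrapped in UDP 4500, so each host gets its own mapping.
    nat_t = [{"proto": PROTO_UDP, "src": f"10.0.0.{i}", "sport": NAT_T_PORT,
              "dst": gw, "dport": NAT_T_PORT, "spi": 0x1000 + i} for i in (1, 2)]
    translated = [nat.outbound(p) for p in nat_t]
    # The gateway replies to the public ports it saw; the NAT must demultiplex them.
    replies = [{"proto": PROTO_UDP, "src": gw, "sport": NAT_T_PORT,
                "dst": nat.public_ip, "dport": t["sport"]} for t in translated]
    delivered = [nat.inbound(r)["dst"] for r in replies]
    return {"esp_tracked": esp_tracked,
            "natt_public_ports": [t["sport"] for t in translated],
            "natt_delivered_to": delivered}
```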
Last updated: 07 September 2016. Author: Tanja.