Support User Manuals

ZyXEL Communications FMG3024-D10A IP Phone User Manual

Open as PDF

of 316

Chapter 17 VPN

FMG3024-D10A / FMG3025-D10A Series User’s Guide

178

Figure 91 NAT Router Between IPSec Routers

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because

the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding

a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP

port 500 header unchanged. In the above figure, when IPSec router A tries to establish an IKE SA,

IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.

For NAT traversal to work, you must:

• Use ESP security protocol (in either transport or tunnel mode).

•Use IKE keying mode.

• Enable NAT traversal on both IPSec endpoints.

• Set the NAT router to forward UDP port 500 to IPSec router A.

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the

combination of the "original header plus original payload," which is unchanged by a NAT device. The

compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following

table.

Y* - This is supported in the Device if you enable NAT traversal.

17.3.7 ID Type and Content

With aggressive negotiation mode (see Section 17.3.4 on page 176), the Device identifies incoming

SAs by ID type and content since this identifying information is not encrypted. This enables the

Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that

have dynamic WAN IP addresses.

Regardless of the ID type and content configuration, the Device does not allow you to save multiple

active rules with overlapping local and remote IP addresses.

With main mode (see Section 17.3.4 on page 176), the ID type and content are encrypted to

provide identity protection. In this case the Device can distinguish between different incoming SAs

that connect from remote IPSec routers that have dynamic WAN IP addresses. The Device can

distinguish different incoming SAs and you can select between different encryption algorithms,

authentication algorithms and key groups when you configure a VPN rule. The ID type and content

act as an extra level of identification for incoming SAs.

Table 54 VPN and NAT

SECURITY PROTOCOL MODE NAT

AH Transport N

AH Tunnel N

ESP Transport Y*

ESP Tunnel Y

A

B

previous next