Support User Manuals

ZyXEL Communications VMG5313-B10A/ VMG5313-B30A IP Phone User Manual

Open as PDF

of 398

Chapter 22 VPN

VMG5313-B10A/-B30A Series User’s Guide

263

Figure 136 NAT Router Between IPSec Routers

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because

the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding

a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP

port 500 header unchanged. In the above figure, when IPSec router A tries to establish an IKE SA,

IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.

For NAT traversal to work, you must:

• Use ESP security protocol (in either transport or tunnel mode).

•Use IKE keying mode.

• Enable NAT traversal on both IPSec endpoints.

• Set the NAT router to forward UDP port 500 to IPSec router A.

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the

combination of the "original header plus original payload," which is unchanged by a NAT device. The

compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following

table.

Y* - This is supported in the VMG if you enable NAT traversal.

22.4.7 ID Type and Content

With aggressive negotiation mode (see Section 22.4.4 on page 261), the VMG identifies incoming

SAs by ID type and content since this identifying information is not encrypted. This enables the

VMG to distinguish between multiple rules for SAs that connect from remote IPSec routers that

have dynamic WAN IP addresses.

Regardless of the ID type and content configuration, the VMG does not allow you to save multiple

active rules with overlapping local and remote IP addresses.

With main mode (see Section 22.4.4 on page 261), the ID type and content are encrypted to

provide identity protection. In this case the VMG can only distinguish between up to 12 different

incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The

VMG can distinguish up to 48 incoming SAs because you can select between three encryption

algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key

groups when you configure a VPN rule (see Section Figure 129 on page 251). The ID type and

content act as an extra level of identification for incoming SAs.

Table 104 VPN and NAT

SECURITY PROTOCOL MODE NAT

AH Transport N

AH Tunnel N

ESP Transport Y*

ESP Tunnel Y

A

B

previous next