UTT Technologies
Chapter 10 VPN
http://www.uttglobal.com
On the UTT VPN gateway, the IPSec tunnel MTU is 1400 bytes by default. In most
cases, leave the default value, because it meets most application needs.
9.5.1.10 IPSec NAT Traversal
Network Address Translation (NAT) is a technology that allows multiple hosts on a private
network to share a single public IP address or a small group of them. NAT helps conserve
the remaining IP address space and offers some network security benefit; however, it
introduces problems for end-to-end protocols such as IPSec. NAT is incompatible with
IPSec, which is one of the most popular VPN technologies.
Why doesn’t NAT work with IPSec? One main reason is that NAT devices modify the IP
header of a packet, which causes an AH-protected packet to fail its integrity (checksum)
validation; another is that they cannot modify the ports in the encrypted TCP header of an
ESP-protected packet. The solution is IPSec NAT Traversal, or NAT-T.
The IPSec working group of the IEEE has created standards for NAT-T that are defined in
RFC 3947 (Negotiation of NAT-Traversal in the IKE) and RFC 3948 (UDP Encapsulation
of IPsec ESP Packets). IPSec NAT-T is designed to solve the problems inherent in using
IPSec with NAT.
During IKE phase 1 negotiation, the two IPSec NAT-T-capable endpoints can
automatically determine:
• Whether both of the IPSec endpoints can perform IPSec NAT-T.
• Whether there are any NAT devices along the path between them.
If both conditions are true, the two endpoints will automatically use IPSec NAT-T to
send IPSec-protected packets. If either endpoint doesn’t support IPSec NAT-T, they will
perform normal IPSec negotiation (beyond the first two messages) and normal IPSec
protection. If both endpoints support IPSec NAT-T but there is no NAT device between
them, they will also perform normal IPSec protection.
Note
IPSec NAT-T is only defined for ESP traffic. AH traffic cannot traverse NAT devices, so
do not use AH if any NAT device is present on your network.
The UTT VPN gateway supports the IPSec NAT-T feature. With NAT-T, the UTT VPN gateway
adds a UDP header to ESP-protected packets after detecting one or more NAT devices
along the data path during IKE phase 1 negotiation. This new UDP header sits between
the outer IP header and the ESP header, and usually uses UDP port 4500.
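The NAT detection in IKE phase 1 and the UDP encapsulation described above, as an added Python example (not UTT firmware code, and not taken from the RFCs' own text). The IKE cookies, addresses and ports are constructed sample values, and SHA-1 stands in for whatever hash phase 1 negotiated:

```python
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, alg: str = "sha1") -> bytes:
    """NAT-D payload content per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    IP is the 4-octet IPv4 address and Port the 2-octet UDP port, network byte order."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(alg, data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, peer_claimed: bytes,
                 observed_ip: str, observed_port: int, alg: str = "sha1") -> bool:
    """The receiver recomputes the peer's NAT-D hash over the source IP/port it actually
    sees on the wire. A mismatch means the IP header or UDP port was rewritten in
    transit, i.e. a NAT sits on the path, so the endpoints switch to UDP encapsulation."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port, alg) != peer_claimed


def udp_encapsulate_esp(esp_packet: bytes, sport: int = 4500, dport: int = 4500) -> bytes:
    """RFC 3948 UDP-encapsulated ESP: an 8-byte UDP header (normally 4500/4500) is placed
    between the outer IP header and the ESP header; the UDP checksum is sent as zero."""
    if len(esp_packet) < 8 or esp_packet[:4] == b"\x00\x00\x00\x00":
        raise ValueError("ESP packet needs a non-zero SPI and a sequence number")
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0) + esp_packet


def classify_udp4500(udp_payload: bytes) -> str:
    """Demultiplex what arrives on UDP 4500: a single 0xFF octet is a NAT-keepalive,
    four zero octets (the non-ESP marker) precede an IKE message, and anything else
    starts with a non-zero ESP SPI."""
    if udp_payload == b"\xff":
        return "nat-keepalive"
    if len(udp_payload) >= 4 and udp_payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(udp_payload) >= 8:
        return "esp"
    return "invalid"


if __name__ == "__main__":
    # Constructed sample: initiator 192.168.1.10:500 sits behind a NAT that rewrites
    # its packets to 203.0.113.5:40000 before they reach the responder.
    cky_i, cky_r = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
    claimed = nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)  # what the initiator sends
    print("NAT on path:", nat_detected(cky_i, cky_r, claimed, "203.0.113.5", 40000))
    esp = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16  # SPI, seq, ciphertext
    print(classify_udp4500(udp_encapsulate_esp(esp)[8:]))  # strip the UDP header again
```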
In the Web UI, go to the VPN > IPSec > IPSec Settings page, click the Advanced Options
hyperlink, and select the Enable NAT-traversal check box to enable the IPSec NAT-T
feature (section 6.1.2.2).