Summary
An explanation of NAT Traversal and passing IPSec through Firewalls
Problem
Passing IPSec traffic through any NAT device such as a router (or a separate firewall in front of the VPN gateway / client) can be difficult.
NAT rewrites IP addresses and keeps track of the connections going through the NAT device by mapping each outgoing connection to a specific port. The IPSec protocols used for data transfer (ESP and AH) carry no port numbers, so the NAT device has nothing to map, and this causes problems with traversing NAT firewalls.
Solution
Smoothwall firewall supports IPSec NAT Traversal (NAT-T) mode. NAT-T carries the IPSec VPN traffic inside UDP instead of using protocol 50 (ESP) or protocol 51 (AH) directly; UDP has port numbers and is therefore not affected by the NAT process. This does of course require that the other end of the VPN tunnel also supports NAT-T. The Smoothwall VPN does, and we have also tested NAT-T with Shrew Soft VPN Client, NCP VPN Client, The GreenBow VPN client, IP Securitas and others.
To operate an IPSec VPN client on a user computer in the local protected network behind a Smoothwall, connecting through to another vendor's VPN gateway, the IPSec client must operate in NAT-T mode rather than use protocol 50 (ESP) or 51 (AH), for the reason stated above.
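The following is an added example, not Smoothwall code, that shows why raw ESP/AH cannot be port-mapped while NAT-T traffic can: it parses constructed IPv4 packets and reports whether a port-mapping NAT has a port to work with. It assumes the UDP port 4500 and the four-byte non-ESP marker defined for NAT-T in RFC 3948; the sample packets are constructed here with dummy SPIs and payloads.

```python
import socket
import struct

# IP protocol numbers and UDP ports involved (RFC 3948 uses UDP 4500 for NAT-T).
ESP, AH, UDP = 50, 51, 17
IKE_PORT, NAT_T_PORT = 500, 4500


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    """Constructed sample packet: minimal 20-byte IPv4 header, checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    """Constructed UDP header (checksum 0 = not computed) followed by its data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify_ipsec_packet(pkt):
    """Return (kind, nat_friendly): does a port-mapping NAT have a port to map?"""
    ver_ihl, proto = pkt[0], pkt[9]
    payload = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == ESP:
        return "ESP (protocol 50)", False      # no port field for NAT to map
    if proto == AH:
        return "AH (protocol 51)", False       # no ports; its ICV also covers the IP addresses
    if proto != UDP or len(payload) < 8:
        return "non-IPSec or truncated", proto != UDP
    sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
    data = payload[8:]
    if NAT_T_PORT in (sport, dport):
        # RFC 3948: four zero bytes (non-ESP marker) precede IKE; ESP starts with a non-zero SPI.
        if data[:4] == b"\x00\x00\x00\x00":
            return "IKE over NAT-T (UDP 4500)", True
        return "ESP-in-UDP (NAT-T, UDP 4500)", True
    if IKE_PORT in (sport, dport):
        return "IKE (UDP 500)", True
    return "other UDP", True


SAMPLES = {  # constructed: SPI 0x12345678, sequence number 1, dummy encrypted payload
    "raw_esp": build_ipv4(ESP, struct.pack("!II", 0x12345678, 1) + b"\x00" * 16),
    "raw_ah": build_ipv4(AH, b"\x00" * 24),
    "natt_esp": build_ipv4(UDP, build_udp(4500, 4500, struct.pack("!II", 0x12345678, 1) + b"\x00" * 16)),
    "natt_ike": build_ipv4(UDP, build_udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "ike": build_ipv4(UDP, build_udp(500, 500, b"\x11" * 28)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_ipsec_packet(pkt))
```

The two raw samples are the ones a NAT device drops or mis-handles; the same ESP data wrapped in UDP 4500 is what a NAT-T capable client and gateway exchange instead.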