Passing IPSec traffic through any NAT device such as a router (or a separate firewall in front of the VPN gateway / client) can be difficult.
IPsec normally sends its traffic as IP protocol 50 (ESP), and the IP addresses of the endpoints are bound into those packets. Standard NAT doesn't change these addresses, so the receiving VPN gateway gets VPN packets that still refer to private (non-routable) IP addresses. In this situation the VPN can't work.
NAT rewrites IP addresses and keeps track of the connections passing through the NAT device by mapping each outgoing connection to a specific port. The IPSec protocols used for data transfer have no port numbers at all, which is what makes them hard to pass through a NAT firewall.
Solution
Smoothwall firewall supports IPSec NAT Traversal (NAT-T) mode. NAT-T carries the IPSec VPN traffic inside UDP instead of as protocol 50 (ESP) or protocol 51 (AH), and UDP is not affected by the NAT process. This does of course require that the other end of the VPN tunnel also supports NAT-T.
- The Smoothwall VPN does.
- We have also tested NAT-T with Shrew Soft VPN Client, NCP VPN Client, The GreenBow VPN client, IP Securitas and others.
- SSH Sentinel supports this mode, as do the vast majority of other modern VPN gateway devices.
To operate an IPSec VPN client on a user computer in the local protected network behind a Smoothwall, connecting through to another vendor's VPN gateway, the IPSec client must operate in NAT-T mode rather than use protocol 50 (ESP) or 51 (AH), for the reason stated above. NAT traversal is a VPN gateway feature, not a NAT feature.
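The following is an added example, not Smoothwall code and not taken from this article, showing the two points above in working Python: a port-based NAT has nothing to map on for ESP or AH because those headers carry no port field, whereas the NAT-T encapsulation (ESP wrapped in UDP on port 4500, as defined in RFC 3948, a detail this article does not state) gives each inside client its own mapping. All addresses, ports above 40000 and packet contents are constructed sample data; `ToyNat`, `build_esp`, `udp_encapsulate` and `classify_nat_t_payload` are names chosen for this example.

```python
"""Added example: why plain ESP/AH breaks behind a port-based NAT and how
NAT-T (UDP encapsulation, RFC 3948) avoids it. All sample data is constructed."""
import struct
from typing import Dict, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
NAT_T_PORT = 4500                      # UDP port for NAT-T traffic (IKE and UDP-encapsulated ESP), RFC 3948
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes placed in front of an IKE message on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive sent to hold the NAT mapping open


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Minimal ESP packet (RFC 4303): 32-bit SPI, 32-bit sequence number, then the protected
    payload. There is no port field anywhere in this header, which is the root of the NAT problem."""
    return struct.pack("!II", spi, seq) + payload


def udp_encapsulate(esp: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """Prepend a UDP header so the ESP packet travels as ordinary UDP (RFC 3948 section 2.1).
    A zero UDP checksum means 'not computed', which RFC 3948 permits for IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0) + esp


def classify_nat_t_payload(udp_payload: bytes) -> str:
    """Tell apart the three things a NAT-T receiver can see on UDP/4500 (RFC 3948 sections 2.2-2.3)."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"          # an IKE message follows the non-ESP marker
    if len(udp_payload) >= 8:
        return "esp"          # a real ESP SPI is never zero, so this is encapsulated ESP
    return "invalid"


class ToyNat:
    """A port-based NAT. Each outbound flow is keyed on (protocol, inside IP, inside port) and
    receives a distinct public port; replies are routed back by looking that port up again."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map: Dict[Tuple[int, str, int], int] = {}
        self.inbound_map: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, proto: int, inside_ip: str, inside_port: Optional[int]) -> Optional[Tuple[str, int]]:
        if inside_port is None:
            # ESP (50) and AH (51) have no port field, so this NAT has nothing to map on:
            # the packet cannot get its own public identifier and a reply cannot be
            # attributed to a particular inside host. This is the failure the text describes.
            return None
        key = (proto, inside_ip, inside_port)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_port
            self.inbound_map[(proto, self.next_port)] = (inside_ip, inside_port)
            self.next_port += 1
        return (self.public_ip, self.outbound_map[key])

    def inbound(self, proto: int, public_port: int) -> Optional[Tuple[str, int]]:
        return self.inbound_map.get((proto, public_port))


def demo() -> dict:
    """Two VPN clients behind one NAT: plain ESP cannot be mapped, NAT-T traffic can."""
    nat = ToyNat("203.0.113.1")                        # constructed public address (TEST-NET-3)
    clients = ["192.168.1.10", "192.168.1.11"]         # constructed inside addresses
    plain = [nat.outbound(IPPROTO_ESP, ip, None) for ip in clients]
    esp = build_esp(spi=0x0000A1B2, seq=1, payload=b"\x00" * 16)   # constructed sample ESP packet
    datagram = udp_encapsulate(esp)
    natted = [nat.outbound(IPPROTO_UDP, ip, NAT_T_PORT) for ip in clients]
    return {
        "plain_esp_mappings": plain,
        "nat_t_mappings": natted,
        "nat_t_payload_type": classify_nat_t_payload(datagram[8:]),
        "reply_to_second_client": nat.inbound(IPPROTO_UDP, natted[1][1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints `[None, None]` for the two plain-ESP clients and two distinct public ports for the same clients once their traffic is UDP-encapsulated, which is why a NAT device in front of the VPN gateway only needs to pass UDP for NAT-T while the gateway and client do the encapsulation work.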