IPSec over NAT-T

IPSec over NAT-T

To use NAT-T, both the VPN Client and the VPN hardware device must meet the following requirements:

• Run version 3.6 or later software.

• Port 4500 on any firewall and routers between the VPN device and the VPN peer must be open.

• Reconfigure any existing IPSec over UDP using port 4500 to a different port.

• Use the Configuration | Interfaces | Public (3002) or Configuration | Interfaces | Ethernet (Concentrators) screen to select the second or third options for the Fragmentation Policy parameter. These options let traffic travel across NAT devices that don’t support IP fragmentation, while not impeding NAT devices that do support IP fragmentation.

• On the Concentrator, use the Configuration | System | Tunneling Protocols | IPSec | NAT Transparency screen, as shown in the previous Figure 16-12, to check the IPSec over NAT-T box to enable the feature.

• In LAN-to-LAN implementations, to enable IPSec over NAT-T on the VPN Concentrator, use the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add screen to check the IPSec NAT-T box. The previous Figure 16-9 showed the check box.

VPN Concentrator implementations of NAT-T support IPSec peers behind a single NAT/PAT device, under the following limitations:

• One LAN-to-LAN connection

• Either a single LAN-to-LAN connection or multiple remote access clients, but not a mixture of both

• One Microsoft L2TP/IPSec client, which can support other remote access clients and one L2TP/IPSec client