NAT Transparency
The IPSec NAT Transparency feature deals with the many known
incompatibilities between NAT and IPSec. Before IPSec NAT Transparency, a standard
IPSec VPN tunnel would fail if one or more devices were performing NAT or PAT
anywhere in the delivery path. The various forms of this feature make
IPSec NAT-aware, making it possible for remote access users to build secure IPSec
tunnels to home gateways.
The Configuration | System | Tunneling Protocols | IPSec | NAT
Transparency screen, shown in Figure 16-12, is where NAT Transparency is
configured. NAT Transparency can take any of three forms: IPSec over TCP,
NAT-Traversal (NAT-T), and IPSec over UDP.
The VPN Concentrator series of devices can
simultaneously support VPN tunnels using standard IPSec, IPSec over TCP,
NAT-Traversal, and IPSec over UDP, depending on the requirements of the client
with which it’s exchanging data. The VPN 3002 hardware
client, while supporting only one tunnel at a time, can also connect VPN
tunnels using standard IPSec, IPSec over TCP, NAT-Traversal, or IPSec over UDP.
The order of precedence is as follows:
- When enabled, IPSec over TCP takes precedence over all other
IPSec implementations.
- When both NAT-T and IPSec over UDP are enabled, NAT-T takes
precedence.
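As an added illustration (not code from the book or from Cisco), the following Python models the precedence rules above and lists the traffic an intermediate firewall or NAT device must let through for whichever form is chosen; the default port of 10000 for IPSec over TCP/UDP and the NAT-T fallback to native ESP when no NAT is detected are assumptions, not values from the page.

```python
from dataclasses import dataclass

# Added example: models the precedence IPSec over TCP > NAT-T > IPSec over UDP
# > standard IPSec and reports what the path must permit for the chosen form.
# Assumption: the configurable TCP/UDP encapsulation ports default to 10000.

IKE_UDP = ("udp", 500)       # ISAKMP/IKE, needed by every UDP-based form
NAT_T_UDP = ("udp", 4500)    # IKE and ESP-in-UDP once NAT-T is negotiated
ESP = ("ip-proto", 50)       # native ESP; PAT devices cannot map it (no ports)


@dataclass(frozen=True)
class Selection:
    form: str
    allow: tuple  # (protocol, port) pairs the delivery path must permit


def select_form(concentrator: set, client: set, nat_in_path: bool,
                tcp_port: int = 10000, udp_port: int = 10000) -> Selection:
    """Pick the encapsulation both peers have enabled, honouring precedence.

    concentrator/client: subsets of {"tcp", "nat-t", "udp"} each side has
    enabled. Standard IPSec is always available as the final fallback.
    Assumption: NAT-T only encapsulates when IKE NAT detection finds a NAT;
    with no NAT in the path the peers stay on native ESP.
    """
    common = concentrator & client
    if "tcp" in common:
        # IKE and ESP are both carried inside the single TCP connection
        return Selection("IPSec over TCP", (("tcp", tcp_port),))
    if "nat-t" in common:
        if nat_in_path:
            return Selection("NAT-T", (IKE_UDP, NAT_T_UDP))
        return Selection("standard IPSec", (IKE_UDP, ESP))
    if "udp" in common:
        return Selection("IPSec over UDP", (IKE_UDP, ("udp", udp_port)))
    return Selection("standard IPSec", (IKE_UDP, ESP))


def tunnel_survives_nat(sel: Selection) -> bool:
    """True when the chosen form needs no native ESP, so NAT/PAT can carry it."""
    return ESP not in sel.allow
```

Calling `select_form` with the sets each side has enabled shows why a client behind PAT with only standard IPSec available fails, and which single rule (for example TCP 10000) a firewall administrator must open for the IPSec over TCP form.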
Figure 16-13 shows the VPN Client software
properties screen used to set these features. If TCP is selected, the port number
box is enabled.