The IPSec NAT Transparency feature deals with the many known incompatibilities between NAT and IPSec. Before IPSec NAT Transparency, a standard IPSec VPN tunnel would fail if one or more devices were implementing NAT or PAT anywhere in the delivery path. The various forms of this feature make NAT IPSec-aware, making it possible for remote access users to use secure IPSec tunnels to home gateways.
The Configuration | System | Tunneling Protocols | IPSec | NAT Transparency screen, shown in Figure 16-12, makes configuring NAT Transparency possible. NAT Transparency can take any of the following three forms:
IPSec over TCP
IPSec over NAT Traversal (NAT-T)
IPSec over UDP
Figure 16-12: Configuring IPSec NAT Transparency
The VPN Concentrator series of devices can simultaneously support VPN tunnels using standard IPSec, IPSec over TCP, NAT-Traversal, and IPSec over UDP, depending on the requirements of the client with which it’s exchanging data. The VPN 3002 hardware client, while supporting only one tunnel at a time, can also connect VPN tunnels using standard IPSec, IPSec over TCP, NAT-Traversal, or IPSec over UDP. The order of precedence is as follows:
When enabled, IPSec over TCP takes precedence over all other IPSec implementations.
When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.
Figure 16-13 shows the VPN Client software properties screen used to set the features. If TCP is selected, the port number box is enabled.
IPSec over TCP allows VPN clients to operate in networks where standard ESP (IP protocol 50) or IKE (UDP port 500) can’t operate because the ports are blocked, or where they can function only after the existing firewall rules are modified. IPSec over TCP enables secure tunneling through NAT and PAT devices, as well as firewalls, by encapsulating both the IKE and IPSec protocols within TCP packets.
IPSec over TCP is a client-to-Concentrator feature, which supports both the VPN software client and the VPN 3002 hardware client. It doesn’t work for LAN-to-LAN connections. IPSec over TCP works only on the public interface of the VPN devices. To use IPSec over TCP, both the VPN Concentrator and the client must do the following:
Run version 3.5 or later of the VPN software.
Enable IPSec over TCP.
Configure both the VPN client and the VPN Concentrator to use the same port for IPSec over TCP.
IPSec over TCP doesn’t work with proxy-based firewalls.
Use the Configuration | System | Tunneling Protocols | IPSec | NAT Transparency screen shown in the previous Figure 16-12:
Check the IPSec over TCP box to enable the feature.
Configure up to ten TCP ports, separating the ports with commas. Each client configuration must include at least one of the ports you set on the VPN Concentrator. The default port is 10,000. Technically, the range is 1 to 65,535, but ports 0–1,023 are already assigned, and other frequently used port numbers exist above that range as well. Avoid these numbers to prevent conflicts with other applications.
The VPN client software or client device must be configured to support the feature (IPSec over TCP (NAT/PAT) Tunnel Encapsulation mode) and selected TCP port number.
IPSec over TCP is a TCP encapsulation, rather than a true full TCP connection. In VPN software versions prior to 3.6.7.B, the VPN Concentrator didn’t implement a TCP window size to limit data transmission, so stateful firewalls sometimes shut down the TCP session. With version 3.6.7.B and later, the VPN Concentrator enforces a 64K window size on the connection to avoid this connection shutdown. The downside is this: with some large data transfers, packet loss is possible. Because the VPN Concentrator doesn’t retransmit dropped packets, the peer application must detect the loss and recover from it. UDP streaming applications, such as video or voice, might notice choppy transmission.
NAT Traversal (NAT-T) allows IPSec peers to establish a connection through a device using NAT. NAT-T accomplishes this by encapsulating IPSec traffic in UDP datagrams, thereby providing NAT devices with needed port information. NAT-T technology autodetects any NAT devices and only encapsulates IPSec traffic when necessary.
The VPN 3002 hardware client uses NAT-T by default and requires no special configuration. The remote-access VPN client first attempts NAT-T, and then, if a NAT device is not autodetected, uses IPSec over UDP. The UDP packets allow IPSec traffic to pass through firewalls that would normally reject and discard it.
To use NAT-T, both the VPN Client and the VPN hardware device must meet the following requirements:
Run version 3.6 or later software.
Port 4500 on any firewall and routers between the VPN device and the VPN peer must be open.
Reconfigure any existing IPSec over UDP using port 4500 to a different port.
Use the Configuration | Interfaces | Public (3002) or Configuration | Interfaces | Ethernet (Concentrators) screen to select the second or third options for the Fragmentation Policy parameter. These options let traffic travel across NAT devices that don’t support IP fragmentation, while not impeding NAT devices that do support IP fragmentation.
On the Concentrator, use the Configuration | System | Tunneling Protocols | IPSec | NAT Transparency screen, as shown in the previous Figure 16-12, to check the IPSec over NAT-T box to enable the feature.
In LAN-to-LAN implementations, to enable IPSec over NAT-T on the VPN Concentrator, use the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add screen to check the IPSec NAT-T box. The previous Figure 16-9 showed the check box.
VPN Concentrator implementations of NAT-T support IPSec peers behind a single NAT/PAT device, under the following limitations:
One LAN-to-LAN connection
Either a single LAN-to-LAN connection or multiple remote access clients, but not a mixture of both
One Microsoft L2TP/IPSec client, which can support other remote access clients and one L2TP/IPSec client
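As an added illustration (not from the original text or Cisco's software), the following Python block classifies packets by the IPSec transports described above and, for UDP port 4500, applies the RFC 3948 demultiplexing rules that NAT-T relies on: a lone 0xFF byte is a NAT keepalive, four zero bytes (the non-ESP marker) precede an IKE message, and anything else is ESP beginning with its SPI. The TCP and UDP port sets default to 10,000, the default IPSec over TCP port named above, and are assumptions standing in for whatever ports are actually configured on the Concentrator; the packets are constructed samples.

```python
"""Classify IPSec transport types from packet headers and leading payload bytes.
Added example, not Cisco code. The UDP/4500 demux follows RFC 3948; the TCP and
UDP port sets are assumptions (they should mirror the Concentrator's NAT
Transparency configuration)."""
from dataclasses import dataclass

IKE_PORT = 500        # standard IKE (ISAKMP) on UDP 500
NAT_T_PORT = 4500     # NAT-T (RFC 3948); must be open on firewalls and routers in the path
PROTO_TCP, PROTO_ESP, PROTO_UDP = 6, 50, 17


@dataclass
class Packet:
    proto: int
    sport: int
    dport: int
    payload: bytes   # first bytes of the transport payload


def demux_nat_t(payload: bytes) -> str:
    """RFC 3948 demultiplexing of a UDP-encapsulated datagram on port 4500."""
    if payload == b"\xff":
        return "nat-t keepalive"                 # one-octet NAT-keepalive
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "nat-t ike"                       # non-ESP marker (SPI 0 is never valid ESP)
    if len(payload) >= 8:                        # ESP header: SPI (4) + sequence number (4)
        spi = int.from_bytes(payload[:4], "big")
        return f"nat-t esp spi=0x{spi:08x}"
    return "nat-t unknown"


def classify(pkt: Packet,
             tcp_ports: frozenset = frozenset({10000}),   # assumed IPSec over TCP ports
             udp_ports: frozenset = frozenset({10000})) -> str:  # assumed IPSec over UDP ports
    """Map one packet to the IPSec transport it carries, or 'not ipsec'."""
    if pkt.proto == PROTO_ESP:
        return "esp (protocol 50)"               # native ESP; fails through PAT devices
    ports = {pkt.sport, pkt.dport}
    if pkt.proto == PROTO_UDP and IKE_PORT in ports:
        return "ike (udp 500)"
    if pkt.proto == PROTO_UDP and NAT_T_PORT in ports:
        return demux_nat_t(pkt.payload)
    if pkt.proto == PROTO_UDP and ports & udp_ports:
        return "ipsec over udp"                  # Cisco UDP encapsulation on a configured port
    if pkt.proto == PROTO_TCP and ports & tcp_ports:
        return "ipsec over tcp"                  # TCP encapsulation, not a full TCP connection
    return "not ipsec"
```

Feeding firewall or NetFlow records through classify() lets an operator confirm which of the three transparency modes a client actually negotiated, which is useful when the precedence rules above produce an unexpected result.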
The VPN client supports UDP NAT/Firewall Transparent IPSec. This technology encapsulates encrypted data traffic within UDP packets to provide secure connections between a VPN client and a VPN Concentrator through a device performing NAT, such as a firewall.
The VPN 3002 uses frequent keepalives to ensure the mappings on the NAT device remain active. The VPN 3002 doesn’t require special configuration for this feature, but the following minimum requirements must be met:
Both the VPN client and the VPN Concentrator must be running Release 3.0.3 or higher.
IPSec over UDP must be enabled on the VPN Concentrator for the group to which the VPN client belongs. Figure 16-14 shows the Configuration | User Management | Base Group screen used to make the feature a default. If the feature isn’t on by default, the Configuration | User Management | Group screen could be used for a specific group.
Figure 16-14: Configuring IPSec over UDP on the Concentrator