HP TMS zl Module Security Administrator's Guide

4-26
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
How NAT Traversal Works
NAT-T uses UDP encapsulation to address this incompatibility between NAT
and L2TP over IPsec. UDP encapsulation wraps the IPsec packet in an outer
UDP/IP header. The NAT device translates the addresses in this outer header
without tampering with the IPsec packet inside it.
Peers agree to use NAT-T during IKE negotiations by exchanging a predetermined,
known value that indicates that they support NAT-T. When the peers
exchange the Diffie-Hellman values, they also send NAT Discovery (NAT-D)
packets that include hashes of their source and destination IP addresses and
ports. Because one peer's source IP address should be the other's destination
address and vice versa, the hashes should match. If they do not, the peers
know that somewhere between them an address was translated by NAT.
If the peers discover that NAT has been used, they encapsulate packets in the
UDP/IP header. The peer behind the NAT device should also send a one-byte
UDP keep-alive packet at regular intervals so that the NAT device keeps the
same address and port assignment for the duration of the VPN tunnel.
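The NAT-D comparison described above, as an added example that is not part of the HP guide and not code from the TMS zl Module. It assumes the NAT-D payload layout of RFC 3947 (HASH of initiator cookie, responder cookie, IP address and port), uses SHA-1 in place of whatever hash the peers negotiated, and uses constructed addresses from the RFC 5737 documentation ranges. The sender hashes the peer's address first and its own address second; the receiver recomputes both from its own point of view and learns which side sits behind a NAT.

```python
"""NAT-D hash exchange: how IKE peers discover a NAT on the path."""
import hashlib
import ipaddress
import struct


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D value over CKY-I | CKY-R | IP | Port (RFC 3947 layout).
    SHA-1 is an assumption for this example; a real peer uses the
    hash algorithm negotiated in IKE."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_natd_payloads(cky_i, cky_r, dst_ip, dst_port, src_ip, src_port):
    """Sender's side: first payload hashes the destination (peer) address,
    the second hashes the sender's own source address."""
    return [
        natd_hash(cky_i, cky_r, dst_ip, dst_port),
        natd_hash(cky_i, cky_r, src_ip, src_port),
    ]


def check_natd(cky_i, cky_r, payloads, local_ip, local_port, seen_ip, seen_port):
    """Receiver's side.

    local_ip/local_port: the address the receiver knows it is listening on.
    seen_ip/seen_port:   the source address in the outer IP/UDP header of
                         the packet as it actually arrived.
    """
    my_hash = natd_hash(cky_i, cky_r, local_ip, local_port)
    peer_hash = natd_hash(cky_i, cky_r, seen_ip, seen_port)
    # The peer hashed the address it sent to; if that is not my real address,
    # something translated my address on the way to the peer.
    local_behind_nat = payloads[0] != my_hash
    # The peer hashed its own address; if that is not the source I see,
    # something translated the peer's address on the way to me.
    peer_behind_nat = peer_hash not in payloads[1:]
    return {"local_behind_nat": local_behind_nat, "peer_behind_nat": peer_behind_nat}


# Constructed IKE cookies for the worked scenarios.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def scenario_initiator_behind_nat():
    """Initiator 10.0.0.5:500 is translated by its NAT to 203.0.113.7:1027;
    responder 198.51.100.1:500 has a public address."""
    payloads = build_natd_payloads(CKY_I, CKY_R, "198.51.100.1", 500, "10.0.0.5", 500)
    return check_natd(CKY_I, CKY_R, payloads, "198.51.100.1", 500, "203.0.113.7", 1027)


def scenario_responder_behind_nat():
    """Initiator 192.0.2.9:500 reaches the responder at public 198.51.100.1:500,
    but the responder itself listens on private 172.16.0.2:500."""
    payloads = build_natd_payloads(CKY_I, CKY_R, "198.51.100.1", 500, "192.0.2.9", 500)
    return check_natd(CKY_I, CKY_R, payloads, "172.16.0.2", 500, "192.0.2.9", 500)


def scenario_no_nat():
    """Both peers public: every hash matches, so plain IPsec is used."""
    payloads = build_natd_payloads(CKY_I, CKY_R, "198.51.100.1", 500, "192.0.2.9", 500)
    return check_natd(CKY_I, CKY_R, payloads, "198.51.100.1", 500, "192.0.2.9", 500)


if __name__ == "__main__":
    print("initiator behind NAT:", scenario_initiator_behind_nat())
    print("responder behind NAT:", scenario_responder_behind_nat())
    print("no NAT:              ", scenario_no_nat())
```

Because the hashes cover the cookies as well as the address, a NAT-D payload from one IKE exchange cannot be replayed into another, and a peer cannot learn the other's private address from the payload alone; it can only confirm or refute the address it already sees.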
The NAT-T feature on the TMS zl Module automatically detects one or more
NAT devices between IPsec hosts and negotiates the UDP encapsulation of
the IPsec packets through NAT.
The TMS zl Module implements NAT-T under any of the following circumstances:
The remote endpoint or endpoints are behind one or more NAT devices.
The TMS zl Module is behind a NAT device.
Both the remote endpoints and the TMS zl Module are behind NAT devices.
The TMS zl Module implements NAT-T in this way:
IKE packets are accepted from any port and responses are sent to the port
from which the packet came.
NAT-T negotiation is performed in accordance with RFC 4306.
UDP encapsulation of ESP packets and NAT keep-alives are supported in
accordance with RFC 3948.
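The three kinds of datagram that share UDP port 4500 under RFC 3948, as an added example that is not part of the HP guide and not TMS zl Module code. It assumes the RFC 3948 formats: a NAT keep-alive is a single 0xFF octet, an IKE message is prefixed by a four-zero-byte non-ESP marker, and anything else is UDP-encapsulated ESP whose first eight bytes are the SPI and sequence number (a zero SPI is reserved and treated as malformed). The sample datagrams are constructed inline; the classifier is the kind of check a packet monitor would use to tell keep-alives from tunnel traffic.

```python
"""Classify datagrams on the NAT-T port (UDP 4500) per RFC 3948."""
import struct
from typing import Any, Dict, List

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 sec. 2.2: precedes an IKE header
NAT_KEEPALIVE = b"\xff"                # RFC 3948 sec. 2.3: one-octet keep-alive
ISAKMP_HEADER_LEN = 28


def classify_nat_t_payload(payload: bytes) -> Dict[str, Any]:
    """Return what a UDP payload received on port 4500 contains."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        # ISAKMP/IKE header: SPI-I(8) SPI-R(8) next(1) version(1) exch(1) flags(1) msgid(4) len(4)
        _spi_i, _spi_r, _nxt, version, exch, _flags, _msg_id, length = struct.unpack(
            "!8s8sBBBBII", ike[:ISAKMP_HEADER_LEN])
        return {"kind": "ike", "version": (version >> 4, version & 0x0F),
                "exchange_type": exch, "length": length}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short for ESP"}
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        # RFC 3948 reserves SPI 0 so ESP can never be confused with the marker.
        return {"kind": "malformed", "reason": "zero SPI"}
    return {"kind": "esp", "spi": spi, "seq": seq}


# --- builders for constructed sample datagrams -----------------------------

def udp_encap_esp(spi: int, seq: int, body: bytes) -> bytes:
    """UDP-encapsulated ESP: SPI and sequence number, then the ESP body."""
    return struct.pack("!II", spi, seq) + body


def udp_encap_ike(version: int, exchange_type: int, flags: int, msg_id: int) -> bytes:
    """Non-ESP marker followed by a bare ISAKMP header (no payloads)."""
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 0,
                         version, exchange_type, flags, msg_id, ISAKMP_HEADER_LEN)
    return NON_ESP_MARKER + header


def summarize(datagrams: List[bytes]) -> Dict[str, int]:
    """Count each kind of datagram, as a monitor watching port 4500 would."""
    counts: Dict[str, int] = {}
    for d in datagrams:
        kind = classify_nat_t_payload(d)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample traffic: one IKEv2 IKE_SA_INIT request, three ESP packets
# on SPI 0xABCD, two keep-alives from the peer behind the NAT, one bad packet.
SAMPLE_TRAFFIC = [
    udp_encap_ike(version=0x20, exchange_type=34, flags=0x08, msg_id=0),
    udp_encap_esp(0xABCD, 1, b"\x00" * 16),
    NAT_KEEPALIVE,
    udp_encap_esp(0xABCD, 2, b"\x00" * 16),
    udp_encap_esp(0xABCD, 3, b"\x00" * 16),
    NAT_KEEPALIVE,
    udp_encap_esp(0, 9, b"\x00" * 16),
]

if __name__ == "__main__":
    for d in SAMPLE_TRAFFIC:
        print(classify_nat_t_payload(d))
    print(summarize(SAMPLE_TRAFFIC))
```

A stream of keep-alives with no ESP on the same SPI is a useful sign that a tunnel has gone idle or that the data path is failing while the NAT binding is still being refreshed.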
Maximum Segment Size (MSS) for TCP Connections
As you learned, an IPsec header is added to packets sent over an IPsec VPN.
The IPsec header increases the size of the total packet and may make the
packet larger than the maximum transmission unit (MTU) of a router that lies