TMS zl Management and Configuration Guide ST.1.0.090213
7-19
Virtual Private Networks
IPsec VPNs
The VPN tunnel endpoints must trust the CAs that sign each other’s certificates.
The TMS zl Module supports X.509 certificates in Distinguished Encoding
Rules (DER) or Privacy Enhanced Mail (PEM) format. For the public/private
keypair, it supports DSA and RSA.
You can import certificates to the TMS zl Module manually, or you can obtain
them automatically using Simple Certificate Enrollment Protocol (SCEP).
NAT Traversal
VPN users may be behind a device that performs NAT on packets destined for the
other end of the VPN tunnel. If NAT is applied before the packets are encrypted
(that is, to the inner traffic before it enters the tunnel), the packets pass over
the VPN connection without difficulty.
However, sometimes a device between the two endpoints of a VPN tunnel
performs NAT on packets that have already been encapsulated for the tunnel.
The translation rewrites the outer IP header, and the tunnel cannot tolerate that:
an AH integrity check that covers the IP header fails, ESP carries no transport
ports for the NAT device to translate, and the IKE peer sees a source address that
differs from the one its partner used. In this case, NAT Traversal (NAT-T) is
required. During IKE the endpoints exchange NAT discovery hashes of the addresses
and ports they believe they are using; a mismatch reveals the NAT, and the peers
then encapsulate ESP and the remaining IKE traffic in UDP on port 4500, which a
NAT device can translate like any other UDP flow.
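The following is an added example, not code from the guide or from the TMS zl Module, showing the two mechanisms behind NAT-T: NAT discovery hashes over (initiator cookie, responder cookie, IP, port) in the style of RFC 3947, and UDP encapsulation on port 4500 in the style of RFC 3948, where IKE is prefixed with a four-zero-byte non-ESP marker and ESP is carried as-is (its SPI is never zero). The cookies, addresses and packet contents are constructed sample values; the scenario mirrors Figure 7-8, with the client behind a NAT device and the module on a public address.

```python
"""NAT-T building blocks: NAT discovery (RFC 3947 NAT-D) and UDP encapsulation (RFC 3948).
Added example with constructed sample data; not the TMS zl Module's implementation."""
import hashlib
import hmac
import ipaddress
import struct

IKE_PORT = 500                        # IKE until a NAT is detected
NAT_T_PORT = 4500                     # IKE and UDP-encapsulated ESP once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE on port 4500; an ESP SPI is never zero
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that keeps the NAT mapping alive

# Constructed sample IKE cookies (8 bytes each), shared by both peers of one exchange.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D value: HASH(CKY-I | CKY-R | IP | Port); SHA-1 used here."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """What a peer sends: first the hash of the address it sends TO, then of its own address."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def nat_detected(cky_i, cky_r, peer_payloads, my_ip, my_port, seen_src_ip, seen_src_port):
    """Receiver-side check. Returns (I am behind a NAT, the peer is behind a NAT).
    The receiver hashes the addresses it actually sees; a mismatch with what the
    peer hashed means something rewrote the outer header in between."""
    my_hash = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    src_hash = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    local_natted = not hmac.compare_digest(my_hash, peer_payloads[0])
    remote_natted = not any(hmac.compare_digest(src_hash, p) for p in peer_payloads[1:])
    return local_natted, remote_natted


def encapsulate_on_4500(kind: str, inner: bytes) -> bytes:
    """Build the UDP/4500 payload for an IKE message, an ESP packet or a keepalive."""
    if kind == "ike":
        return NON_ESP_MARKER + inner
    if kind == "esp":
        if len(inner) < 8 or inner[:4] == NON_ESP_MARKER:
            raise ValueError("ESP packet must carry a non-zero SPI")
        return inner  # ESP rides in UDP unchanged; the SPI distinguishes it from IKE
    if kind == "keepalive":
        return NAT_KEEPALIVE
    raise ValueError(kind)


def demux_4500(udp_payload: bytes):
    """Receiver on port 4500: classify the payload as keepalive, IKE or ESP."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive", b""
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike", udp_payload[4:]
    return "esp", udp_payload


def required_vpn_flows(nat_t: bool):
    """Generic flows a firewall between the peers must pass (protocol facts, not
    this product's policy syntax): IKE on UDP/500 always; with NAT-T, UDP/4500
    carries IKE and ESP; without NAT-T, ESP is IP protocol 50 with no ports."""
    flows = {("udp", IKE_PORT)}
    flows.add(("udp", NAT_T_PORT) if nat_t else ("ip-proto-50", None))
    return flows


if __name__ == "__main__":
    # Constructed scenario: client 192.168.1.10 behind a NAT that presents
    # 203.0.113.5:61000 to the Internet; module on public 198.51.100.1:500.
    client_payloads = build_nat_d_payloads(CKY_I, CKY_R, "192.168.1.10", 500, "198.51.100.1", 500)
    print("module sees NAT:", nat_detected(CKY_I, CKY_R, client_payloads,
                                           "198.51.100.1", 500, "203.0.113.5", 61000))
    print("flows with NAT-T:", required_vpn_flows(True))
```

The receiver compares the hash of the destination address it actually holds with the peer's first NAT-D payload (detecting a NAT in front of itself) and the hash of the source address it observes with the remaining payloads (detecting a NAT in front of the peer); either mismatch switches the exchange to UDP port 4500.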
Figure 7-8 shows an environment that requires NAT-T. In this example, you
have configured a VPN to allow remote users to access devices in ZONE1
(VLAN 30) securely over the Internet. The remote client is behind a NAT
device, so NAT-T is required. (This example would also apply if the module or
both the module and the client were behind NAT devices.)
The TMS zl Module automatically establishes NAT-T when required (you do
not need to configure any settings). Note, however, that you must create
firewall access policies that allow NAT-T traffic (UDP port 4500) in addition to
the other access policies required for the VPN. See “Configure Firewall Access
Policies for Your VPN” on page 7-112.
Note NAT-T is negotiated during IKE. For a VPN established with manual keying,
which does not use IKE, NAT-T is not required even when one or both of the
tunnel endpoints have NAT performed on their traffic.