TMS zl Management and Configuration Guide ST.1.0.090213
7-20
Virtual Private Networks
IPsec VPNs
Figure 7-8. NAT Traversal
How NAT Traversal Works. NAT-T uses UDP encapsulation to resolve this
incompatibility between NAT and L2TP over IPsec: the IPsec packet is wrapped
in an outer UDP/IP header. The NAT device rewrites the address in this outer
header and never touches the IPsec packet inside it.
Peers agree to use NAT-T during IKE negotiation by exchanging a predetermined,
well-known value that advertises NAT-T support. When the peers exchange their
Diffie-Hellman values, they also send NAT Discovery (NAT-D) payloads that carry
hashes of their source and destination IP addresses and ports. Because one
peer's source address should be the other peer's destination address, and vice
versa, the hashes should match. If they do not, the peers know that an address
was translated by NAT somewhere on the path between them.
If the peers discover that NAT is in use, they encapsulate their packets in
the UDP/IP header. The peer behind the NAT device should also send one-byte
UDP keepalive packets so that the NAT device retains the same address and
port mapping for the duration of the VPN tunnel.
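The following Python model is an added illustration, not code from this guide or from the TMS zl Module. It walks through the two mechanisms just described: the NAT-D hash comparison by which a responder discovers that the initiator's address was translated, and the UDP/IP wrapper that a NAT device rewrites while the ESP packet inside it stays byte-for-byte intact. The hash is built as RFC 3947 defines it (the IKE initiator and responder cookies, then the IP address and port), and the framing follows RFC 3948 (UDP port 4500, a four-byte zero "non-ESP marker" in front of IKE messages, a single 0xFF byte as the NAT keepalive). Cookies, addresses, ports and the ESP payload are constructed test values, and SHA-1 is assumed as the hash negotiated for the IKE SA.

```python
"""Added example: NAT-D detection and UDP/IP encapsulation as used by NAT-T.

Constructed values throughout; not code from the TMS zl guide or module.
"""
import hashlib
import ipaddress
import struct

# --- NAT Discovery (RFC 3947) -----------------------------------------------
# NAT-D payload = HASH(CKY-I | CKY-R | IP | Port). SHA-1 is assumed here as the
# hash algorithm negotiated for the IKE SA.
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def build_nat_d_payloads(cky_i, cky_r, src, dst):
    """A peer first hashes the address it is sending TO, then its own source."""
    return [nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)]

def detect_nat(cky_i, cky_r, received, observed_src, own_addr):
    """Compare the peer's NAT-D hashes with the addresses this side actually sees.

    received[0] is the peer's view of OUR address; received[1:] are its own.
    Returns (peer_behind_nat, self_behind_nat).
    """
    self_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, *own_addr)
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in received[1:]
    return peer_behind_nat, self_behind_nat

# --- UDP encapsulation (RFC 3948) -------------------------------------------
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00" * 4   # prefixes IKE on port 4500; an ESP SPI is never 0
NAT_KEEPALIVE = b"\xff"        # one-byte payload that keeps the NAT mapping alive

def ip_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp_ip(src: tuple, dst: tuple, payload: bytes) -> bytes:
    """IPv4 + UDP headers around payload (UDP checksum 0 = absent, legal for IPv4)."""
    udp = struct.pack("!HHHH", src[1], dst[1], 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src[0]).packed,
                     ipaddress.ip_address(dst[0]).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp

def nat_rewrite(datagram: bytes, new_src: tuple) -> bytes:
    """What a NAPT device does: rewrite the outer source IP/port, fix the IP
    checksum, and leave the UDP payload (the ESP packet) untouched."""
    ip, udp = datagram[:20], datagram[20:]
    ip = ip[:10] + b"\x00\x00" + ipaddress.ip_address(new_src[0]).packed + ip[16:]
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    udp = struct.pack("!H", new_src[1]) + udp[2:]
    return ip + udp

def udp_payload(datagram: bytes) -> bytes:
    return datagram[28:]  # skip 20-byte IPv4 header and 8-byte UDP header

def classify_nat_t_payload(payload: bytes) -> str:
    """Demultiplex what arrives on UDP/4500: keepalive, IKE, or ESP."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"

def demo() -> dict:
    cky_i = bytes.fromhex("0011223344556677")   # constructed IKE cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    inner = ("10.0.0.5", 500)          # initiator's private address
    translated = ("203.0.113.7", 500)  # address the NAT presents to the responder
    responder = ("198.51.100.9", 500)  # responder, not behind NAT

    payloads = build_nat_d_payloads(cky_i, cky_r, src=inner, dst=responder)
    peer_nat, self_nat = detect_nat(cky_i, cky_r, payloads,
                                    observed_src=translated, own_addr=responder)

    esp = struct.pack("!II", 0x1000ABCD, 1) + b"\xaa" * 16  # SPI, seq, ciphertext (constructed)
    dgram = build_udp_ip((inner[0], NAT_T_PORT), (responder[0], NAT_T_PORT), esp)
    after_nat = nat_rewrite(dgram, (translated[0], 40500))
    return {
        "peer_behind_nat": peer_nat,
        "self_behind_nat": self_nat,
        "esp_intact": udp_payload(after_nat) == esp,
        "kind": classify_nat_t_payload(udp_payload(after_nat)),
    }

if __name__ == "__main__":
    print(demo())
```

In the run above the responder sees that its own address matches the initiator's destination hash but the initiator's source hash does not match the source address on the wire, so it concludes the initiator is behind NAT; the NAT rewrite of the outer IPv4 and UDP headers leaves the encapsulated ESP packet unchanged.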
The NAT-T feature on the TMS zl Module automatically detects one or more
NAT devices between IPsec hosts and negotiates the UDP encapsulation of
the IPsec packets through NAT.