TMS zl Management and Configuration Guide ST.1.1.100430

7-26
Virtual Private Networks
IPsec Concepts
Figure 7-8. NAT Traversal
How NAT Traversal Works
NAT-T uses UDP encapsulation to address this incompatibility between NAT
and L2TP over IPsec. NAT-T inserts a UDP header (UDP port 4500 on both
sides) between the outer IP header and the ESP packet. The NAT device
rewrites only the outer IP and UDP headers, which ESP's integrity check does
not cover, so the IPsec packet inside arrives unmodified and still
authenticates at the far peer.
Peers agree to use NAT-T during IKE Phase 1 negotiation by exchanging a
predetermined, known value (a vendor ID payload) that indicates that they
support NAT-T. When the peers exchange their Diffie-Hellman values, they also
send NAT Discovery (NAT-D) payloads, each of which carries a hash of an IP
address and port (together with the IKE cookies): first a hash of the remote,
or destination, address and port, then a hash of each of the sender's own
source addresses and ports. The receiving peer recomputes the hashes from
the addresses and ports it actually sees on the packet. Because one peer's
source IP address should be the other's destination address and vice versa,
the hashes should match. If a hash does not match, the peers know that
somewhere between them an address or port was translated by NAT, and the
mismatching hash tells them which side sits behind the NAT device.
If the peers discover that NAT is in the path, they move IKE to UDP port
4500 and encapsulate the ESP packets in the UDP/IP header. The peer behind
the NAT device also sends periodic NAT keepalive packets (a UDP packet with
a one-byte payload) so that the NAT device keeps the same port mapping for
the duration of the VPN tunnel; without them, the mapping for an idle tunnel
would expire and inbound packets from the far peer would be dropped.
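The NAT-D comparison and the UDP port 4500 packet formats described above, worked through in code. This is an added example, not code from the HP guide or the TMS zl firmware: the addresses, IKE cookies and the choice of SHA-1 as the Phase 1 hash are constructed for illustration, and the NAT-D construction follows RFC 3947 (hash over CKY-I, CKY-R, IP, port), the demultiplexing rules RFC 3948.

```python
"""NAT-T worked example (added illustration, not vendor code).

Two parts: (1) NAT-D hashes as each peer builds and checks them, showing how
the responder learns that the initiator sits behind a NAT; (2) the UDP port
4500 rules a NAT-T peer applies: a 1-byte 0xFF keepalive, a 4-byte zero
non-ESP marker in front of IKE, otherwise ESP whose first 4 bytes are a
non-zero SPI.
"""
import hashlib
import ipaddress
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for whatever hash Phase 1 negotiated (assumption)."""
    packed_ip = ipaddress.ip_address(ip).packed          # 4 or 16 bytes
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Sender's NAT-D payloads: the remote (destination) endpoint first, then
    its own (source) endpoint as the sender itself sees it."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received, wire_src_ip, wire_src_port,
               wire_dst_ip, wire_dst_port):
    """Receiver recomputes the hashes from the addresses/ports actually seen
    on the wire. The first received hash should match the receiver's own
    address (else the receiver is behind a NAT); one of the remaining hashes
    should match the packet's source (else the sender is behind a NAT)."""
    remote_hash, *sender_hashes = received
    local_nat = nat_d_hash(cky_i, cky_r, wire_dst_ip, wire_dst_port) != remote_hash
    remote_nat = nat_d_hash(cky_i, cky_r, wire_src_ip, wire_src_port) not in sender_hashes
    return {"local_behind_nat": local_nat,
            "remote_behind_nat": remote_nat,
            "use_udp_encap": local_nat or remote_nat}


def udp_encapsulate_esp(esp_packet: bytes) -> bytes:
    """Insert the UDP header that sits between the outer IP header and ESP.
    Length = 8-byte header + ESP; checksum 0 (permitted by RFC 3948). The NAT
    may rewrite this header freely: ESP's ICV does not cover it."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("not an ESP packet: SPI must be non-zero")
    header = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp_packet), 0)
    return header + esp_packet


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP port 4500 payload as a NAT-T receiver does."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"          # keeps the NAT mapping alive, discard
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"                    # strip the marker, hand to IKE
    if len(payload) >= 8:
        return "esp"                    # SPI + sequence number at least
    return "invalid"


if __name__ == "__main__":
    # Constructed topology: initiator 10.0.0.5 behind a NAT that rewrites it
    # to 203.0.113.7; responder 198.51.100.1 with a public address.
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("1112131415161718")
    sent = build_nat_d(cky_i, cky_r, "10.0.0.5", 500, "198.51.100.1", 500)
    # What the responder sees on the wire after the NAT rewrote the source:
    print(detect_nat(cky_i, cky_r, sent, "203.0.113.7", 500, "198.51.100.1", 500))
    esp = struct.pack("!II", 0x1000, 1) + b"\x00" * 24   # constructed ESP packet
    print(classify_udp4500(udp_encapsulate_esp(esp)[8:]), classify_udp4500(NAT_KEEPALIVE))
```

The responder in the constructed run reports `remote_behind_nat` as true and `local_behind_nat` as false, which is exactly the information both peers need to switch to port 4500 and to decide which side must send keepalives. The same hashes computed over a packet that arrived untranslated match on both sides, and no encapsulation is used.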