TMS zl Management and Configuration Guide ST.1.2.100916
7-24
Virtual Private Networks
IPsec Concepts
NAT Traversal
VPN users may be behind a device that performs NAT on packets that are
destined for the other end of the VPN tunnel. If NAT is performed on packets
before they are encrypted, then the packets pass over the VPN connection
without difficulty.
However, sometimes a device between the two endpoints of a VPN tunnel
performs NAT on packets that have already been encapsulated for the tunnel.
Because this alteration changes the addresses that the integrity check covers,
the packets fail integrity checks during IKE. In this case, NAT Traversal
(NAT-T) is required so that the tunnel endpoints are notified that the IP
addresses will be altered.
Figure 7-8 shows an environment that requires NAT-T. In this example, you
have configured a VPN to allow remote users to access devices in ZONE1
(VLAN 30) securely over the Internet. The remote client is behind a NAT
device, so NAT-T is required. (This example would also apply if the module or
both the module and the client were behind NAT devices.)
The TMS zl Module automatically establishes NAT-T when required (you do
not need to configure any settings). Note, however, that you must create
firewall access policies that allow NAT-T traffic in addition to other access
policies required for the VPN. This example shows only the firewall access
policies for NAT-T; you must create other policies to permit IKE traffic, L2TP
traffic, and traffic sent over the VPN.
Note: For a VPN established with manual keying, NAT-T is not required even when
one or both of the tunnel endpoints have NAT performed on their traffic.
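The firewall-policy requirement above (NAT-T traffic alongside IKE and L2TP) and the manual-keying note are easier to reason about when you can tell the three kinds of traffic that share UDP port 4500 apart. The following is an added example, not code from the TMS zl guide: it classifies a UDP datagram on the IKE/NAT-T ports using the RFC 3948 encapsulation rules (a four-byte zero non-ESP marker in front of IKE, a single 0xFF byte for NAT keepalives, otherwise an ESP header whose SPI is never zero) and lists the access-policy entries a VPN needs given the keying mode. The port numbers are the standard IKE, NAT-T and L2TP ports; treating ESP as native IP protocol 50 when NAT-T is not in use is an assumption about the example topology, and all sample packets are constructed.

```python
"""Classify IKE / NAT-T traffic and derive the VPN access-policy entries.

Added example, not part of the TMS zl guide; sample packets are constructed.
"""
import struct

IKE_PORT = 500        # ISAKMP / IKE, used before and after NAT detection
NAT_T_PORT = 4500     # RFC 3948: UDP-encapsulated ESP and IKE after NAT is detected
L2TP_PORT = 1701      # L2TP, carried inside the IPsec tunnel in this example
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE messages on port 4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that holds the NAT mapping
ESP_HEADER_LEN = 8                     # SPI (4 bytes) + sequence number (4 bytes)


def classify(dst_port: int, payload: bytes) -> str:
    """Return the traffic class of one UDP datagram sent to dst_port."""
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port != NAT_T_PORT:
        return "other"
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike-nat-t"
    if len(payload) >= ESP_HEADER_LEN:
        spi = struct.unpack("!I", payload[:4])[0]
        if spi != 0:                  # a zero SPI is reserved, never a real SA
            return "esp-udp"
    return "malformed"


def required_vpn_policies(nat_present: bool, manual_keying: bool) -> list:
    """Access-policy entries the VPN needs, as (protocol, port) pairs.

    Assumption: L2TP over IPsec as in the guide's example.  With manual keying
    there is no IKE and therefore no NAT-T, matching the note in the guide.
    """
    policies = [("udp", L2TP_PORT)]
    use_nat_t = nat_present and not manual_keying
    if not manual_keying:
        policies.append(("udp", IKE_PORT))
    if use_nat_t:
        policies.append(("udp", NAT_T_PORT))   # ESP and IKE ride inside UDP 4500
    else:
        policies.append(("esp", None))         # ESP travels as native IP protocol 50
    return policies


if __name__ == "__main__":
    sample = b"\x00\x00\xab\xcd\x00\x00\x00\x01" + b"\x00" * 16   # constructed ESP
    print(classify(NAT_T_PORT, sample), required_vpn_policies(True, False))
```

Running the block prints the class of one constructed UDP-encapsulated ESP packet and the policy list for a NAT-ed client using IKE.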