UsMan's WoRkSpAce

Tuesday, December 30, 2008

VPN and NAT

A VPN through a home or small-office router that does NAT can work with one of the following approaches:

1) Home router supporting VPN pass-through. In this case, the router keeps track of tunnels originating from the LAN and maps incoming ESP traffic to the same local VPN client. This way it avoids doing PAT on the VPN traffic, which it could not do anyway, since ESP does not carry port numbers the way TCP and UDP do.

2) VPN client and gateway supporting NAT traversal. In this case, both client and gateway are NAT-aware and encapsulate the VPN packets inside UDP so that the router can perform normal PAT. The client and gateway then strip off the UDP header and process the remaining packet.

By default, Mac OS X VPN uses transport mode with ESP, hence the integrity check and encryption still match on client and server regardless of the change in IP address made by the NAT device (ESP's integrity check covers the ESP header and payload, not the outer IP header).
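As an added example (not code from this post), the following Python model puts the two approaches and the last paragraph's point side by side: ESP is built with an integrity check that covers only the ESP header and payload, a toy PAT router rewrites UDP ports but can only pin plain ESP to one LAN client per remote gateway, and NAT-T carries the same ESP inside UDP so that ordinary PAT and port-based demultiplexing apply. The UDP port 4500 and the four-zero-byte Non-ESP marker are taken from RFC 3948; the `PatRouter` class, the `Packet` type, the one-client-per-peer pass-through rule, the 16-byte truncated HMAC-SHA256 ICV, and all addresses, keys and SPIs are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

IPPROTO_UDP, IPPROTO_ESP = 17, 50
NAT_T_PORT = 4500             # UDP port for ESP-in-UDP encapsulation (RFC 3948)
NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: IKE inside UDP/4500 starts with 4 zero bytes
ICV_LEN = 16                  # toy ICV length, constructed for this example


@dataclass(frozen=True)
class Packet:
    """Only what a NAT box looks at (constructed model, not a real parser).
    payload is ESP bytes for proto 50 and the UDP payload for proto 17."""
    src: str
    dst: str
    proto: int
    payload: bytes
    sport: int = 0
    dport: int = 0


def build_esp(spi, seq, data, key):
    """ESP = SPI(4) | seq(4) | payload | ICV. The ICV (truncated HMAC-SHA256) covers
    the ESP header and payload, never the outer IP header, so a NAT rewriting the
    source address leaves it valid. Encryption is omitted to keep the payload readable."""
    hdr = struct.pack("!II", spi, seq)
    return hdr + data + hmac.new(key, hdr + data, hashlib.sha256).digest()[:ICV_LEN]


def esp_spi(esp):
    return struct.unpack("!I", esp[:4])[0]


def esp_icv_ok(esp, key):
    expect = hmac.new(key, esp[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expect, esp[-ICV_LEN:])


def natt_decapsulate(udp_payload):
    """Endpoint side after stripping the UDP header: a leading Non-ESP marker
    means IKE, anything else is ESP (a real SPI is never zero)."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return "IKE", udp_payload[4:]
    return "ESP", udp_payload


class PatRouter:
    """SOHO router: PAT for UDP; for ESP only 'pass-through' pinning by remote peer."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.udp_out = {}   # (lan_ip, lan_port) -> public port
        self.udp_in = {}    # public port -> (lan_ip, lan_port)
        self.esp_peer = {}  # remote gateway -> the one LAN client using it

    def outbound(self, pkt):
        if pkt.proto == IPPROTO_UDP:
            key = (pkt.src, pkt.sport)
            if key not in self.udp_out:
                self.udp_out[key], self.udp_in[self.next_port] = self.next_port, key
                self.next_port += 1
            return replace(pkt, src=self.public_ip, sport=self.udp_out[key])
        if pkt.proto == IPPROTO_ESP:
            # No ports to rewrite: remember which LAN host owns this peer. A second
            # host to the same gateway is ambiguous and is refused in this model.
            if self.esp_peer.setdefault(pkt.dst, pkt.src) != pkt.src:
                raise ValueError("pass-through: peer already pinned to another client")
            return replace(pkt, src=self.public_ip)
        raise ValueError("unsupported protocol")

    def inbound(self, pkt):
        """Rewritten packet, or None when there is no mapping (router drops it)."""
        if pkt.proto == IPPROTO_UDP:
            hit = self.udp_in.get(pkt.dport)
            return replace(pkt, dst=hit[0], dport=hit[1]) if hit else None
        lan_ip = self.esp_peer.get(pkt.src) if pkt.proto == IPPROTO_ESP else None
        return replace(pkt, dst=lan_ip) if lan_ip else None


def demo():
    """Two LAN clients, one router, one VPN gateway. Addresses come from the
    RFC 5737 documentation ranges; keys and SPIs are constructed."""
    key, gw = b"constructed-demo-key", "203.0.113.5"
    c1, c2, nat = "192.168.1.10", "192.168.1.11", PatRouter("198.51.100.7")
    esp1, esp2 = build_esp(0x1001, 1, b"hello", key), build_esp(0x1002, 1, b"x", key)
    # 1) Plain ESP: source address rewritten, ICV still verifies at the gateway.
    out = nat.outbound(Packet(c1, gw, IPPROTO_ESP, esp1))
    icv_survives_nat = out.src == nat.public_ip and esp_icv_ok(out.payload, key)
    # 2) Pass-through limit: a second client to the same gateway is refused.
    try:
        nat.outbound(Packet(c2, gw, IPPROTO_ESP, esp2))
        second_esp_client_ok = True
    except ValueError:
        second_esp_client_ok = False
    # 3) NAT-T: both clients inside UDP/4500 get distinct public ports and the
    #    gateway's reply is demultiplexed by port like any other UDP flow.
    a = nat.outbound(Packet(c1, gw, IPPROTO_UDP, esp1, NAT_T_PORT, NAT_T_PORT))
    b = nat.outbound(Packet(c2, gw, IPPROTO_UDP, esp2, NAT_T_PORT, NAT_T_PORT))
    reply = nat.inbound(Packet(gw, nat.public_ip, IPPROTO_UDP,
                               build_esp(0x2002, 1, b"y", key), NAT_T_PORT, b.sport))
    kind, inner = natt_decapsulate(reply.payload)
    return {"icv_survives_nat": icv_survives_nat, "second_esp_client_ok": second_esp_client_ok,
            "natt_ports_distinct": a.sport != b.sport, "reply_routed_to": reply.dst,
            "reply_kind": kind, "reply_spi": esp_spi(inner)}
```

Running `demo()` shows the three behaviours the post describes: the rewritten ESP packet still passes its integrity check, the pass-through router cannot tell a second LAN client apart once a peer is pinned, and with NAT-T the two clients become two ordinary UDP flows that the router demultiplexes by port before each endpoint strips the UDP header and hands the ESP payload to IPsec.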
