
ZyWALL 2 and ZyWALL 2WE

VPN/IPSec Setup

27-5

When there is outbound traffic with no inbound traffic, the ZyWALL automatically drops the tunnel after two minutes.

27.7 NAT Traversal

NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec
routers.

Figure 27-3 NAT Router Between IPSec Routers

Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the
NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec
packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet’s header so it does not
match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the
VPN connection cannot be built.

NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router
forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port
500 header and responds. IPSec routers A and B build a VPN connection.

27.7.1 NAT Traversal Configuration

For NAT traversal to work you must:

- Use the ESP security protocol (in either transport or tunnel mode).
- Use IKE keying mode.
- Enable NAT traversal on both IPSec endpoints.

In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the
NAT router to forward UDP port 500 to IPSec router A.
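The first requirement above (ESP rather than AH) follows directly from what the NAT router does to the packet header. The following Python model is an added illustration, not ZyXEL code: it builds a minimal IPv4 header, computes an AH-style integrity check over the header's immutable fields (which include the source address) and an ESP-style integrity check over only the ESP body, then lets a simulated NAT rewrite the source address. The key, addresses, SPI and payload are all constructed values; the AH "mutable fields" treatment follows RFC 4302 but is simplified to the fields shown.

```python
"""Why NAT breaks AH but not ESP: constructed illustration, not ZyWALL code."""
import hashlib
import hmac
import ipaddress
import struct

DEMO_KEY = b"constructed-demo-key"   # stand-in for an IKE-negotiated SA key (constructed)
PROTO_ESP, PROTO_AH = 50, 51
ICV_LEN = 12                          # HMAC-SHA truncated to 96 bits, as IPsec does


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def immutable_fields(header):
    """Zero the fields AH treats as mutable (TOS, flags/offset, TTL, checksum).
    Source and destination addresses stay in, so AH protects them."""
    h = bytearray(header)
    h[1] = 0             # TOS / DSCP
    h[6:8] = b"\0\0"     # flags + fragment offset
    h[8] = 0             # TTL
    h[10:12] = b"\0\0"   # header checksum
    return bytes(h)


def ah_icv(header, payload):
    """AH integrity value: covers immutable IP header fields plus the payload."""
    data = immutable_fields(header) + payload
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(esp_body):
    """ESP integrity value: covers only the ESP header and payload, never the
    outer IP header, so a rewritten source address does not invalidate it."""
    return hmac.new(DEMO_KEY, esp_body, hashlib.sha256).digest()[:ICV_LEN]


def nat_rewrite_source(header, new_src):
    """Model the NAT router in the figure replacing the packet's source address."""
    return header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]


def deliver(protocol, through_nat):
    """Return True if IPSec router B's integrity check accepts the packet
    that IPSec router A sent, optionally after passing through a NAT router."""
    payload = b"constructed inner packet"          # constructed sample data
    src, dst, nat_src = "192.168.1.10", "203.0.113.2", "198.51.100.7"  # constructed
    if protocol == "AH":
        hdr = ipv4_header(src, dst, PROTO_AH, len(payload) + ICV_LEN)
        icv = ah_icv(hdr, payload)                 # computed by router A
        if through_nat:
            hdr = nat_rewrite_source(hdr, nat_src)  # NAT changes the header
        return hmac.compare_digest(ah_icv(hdr, payload), icv)  # router B's check
    if protocol == "ESP":
        esp_body = struct.pack("!II", 0x1000, 1) + payload  # SPI, seq, (encrypted) data
        icv = esp_icv(esp_body)
        hdr = ipv4_header(src, dst, PROTO_ESP, len(esp_body) + ICV_LEN)
        if through_nat:
            hdr = nat_rewrite_source(hdr, nat_src)
        return hmac.compare_digest(esp_icv(esp_body), icv)
    raise ValueError("unknown protocol: %r" % protocol)


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        for nat in (False, True):
            print(proto, "through NAT" if nat else "direct", "->",
                  "accepted" if deliver(proto, nat) else "rejected")
```

Running the block shows AH accepted only on the direct path and rejected once a NAT rewrote the source address, while ESP is accepted on both paths. That is the integrity half of the problem; the header-matching half the manual describes (router B no longer seeing the header it expects) is what the UDP encapsulation in section 27.7 addresses, and the model above does not attempt to reproduce that part.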

27.8 ID Type and Content

With aggressive negotiation mode (see section 27.10.1), the ZyWALL identifies incoming SAs by ID type
and content since this identifying information is not encrypted. This enables the ZyWALL to distinguish
between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP