Nat traversal, Nat traversal configuration, 7 nat traversal – ZyXEL Communications P-334W User Manual

Prestige 334W User’s Guide

VPN Screens

If the Prestige has its maximum number of simultaneous IPSec tunnels connected to it and they all have
keep alive enabled, then no other tunnels can take a turn connecting to the Prestige because the Prestige
never drops the tunnels that are already connected.

When there is outbound traffic with no inbound traffic, the Prestige automatically drops the tunnel after two minutes.

16.7 NAT Traversal

NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A
and B.

Figure 16-3 NAT Router Between IPSec Routers

Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because
the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an
IPSec packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet’s header so it does
not match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and
the VPN connection cannot be built.

NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router
forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port
500 header and responds. IPSec routers A and B build a VPN connection.
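
A simplified model of the two paragraphs above, added here as an example and not taken from the ZyXEL manual: a packet whose integrity check covers the source address fails verification after a NAT rewrite, while one carried behind a UDP port 500 header with a payload-only check still verifies. The key, addresses, function names and the HMAC standing in for the IPSec check are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed; stands in for the tunnel's negotiated key
PORT = 500                     # UDP port the manual names for the added header


def icv(*parts):
    """Truncated HMAC-SHA256 standing in for an IPSec integrity check value."""
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()[:12]


def build_plain(src, payload):
    # Integrity check covers the IP source address, as IPSec AH does.
    return {"src": src, "payload": payload,
            "icv": icv(ipaddress.IPv4Address(src).packed, payload)}


def verify_plain(pkt):
    expected = icv(ipaddress.IPv4Address(pkt["src"]).packed, pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)


def build_wrapped(src, payload):
    # Check covers only the IPSec payload; a UDP header (checksum 0) goes in front.
    ipsec = payload + icv(payload)
    udp = struct.pack("!HHHH", PORT, PORT, 8 + len(ipsec), 0)
    return {"src": src, "udp": udp, "ipsec": ipsec}


def verify_wrapped(pkt):
    _sport, dport, length, _csum = struct.unpack("!HHHH", pkt["udp"])
    body, tag = pkt["ipsec"][:-12], pkt["ipsec"][-12:]
    return (dport == PORT and length == 8 + len(pkt["ipsec"])
            and hmac.compare_digest(tag, icv(body)))


def nat_rewrite(pkt, public_src):
    # The NAT router replaces the private source address; other fields are untouched.
    return dict(pkt, src=public_src)


def demo():
    plain = build_plain("192.168.1.33", b"constructed payload")
    wrapped = build_wrapped("192.168.1.33", b"constructed payload")
    return (verify_plain(plain),
            verify_plain(nat_rewrite(plain, "203.0.113.7")),
            verify_wrapped(nat_rewrite(wrapped, "203.0.113.7")))
```

`demo()` returns the verification result before NAT, after NAT without the UDP header, and after NAT with it.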

16.7.1 NAT Traversal Configuration

For NAT traversal to work you must: