Background: nat-t and policies, Internet, Hotel headquarters – Allied Telesis AlliedWare AR440S User Manual

Page 4 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

Background: NAT-T and policies

NAT-T

NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows
IPsec VPNs to traverse any NAT gateways that may be in the VPN path. This is likely to occur
with the VPNs from the roaming VPN clients—they are likely to use a LAN at a remote site
that is behind a NAT gateway.

NAT-T may also be applicable for a site-to-site VPN, if one of the routers is behind a NAT
gateway, such as some ADSL devices. Note that AR44xS series routers provide an ADSL
interface, which removes the need for a separate ADSL device. Therefore, the examples in
this How To Note do not include NAT-T for the site-to-site VPNs.

The following figure shows how the addresses in the IPsec headers change as a packet from a
roaming client traverses NAT gateways in the VPN pathway. The figure illustrates IPsec
transport mode with L2TP.

Figure (vpn-nat-t.eps): address changes along the VPN path, IPsec transport mode with L2TP

Devices and addresses shown in the figure:

  roaming VPN client          192.168.200.1 (hotel LAN), 192.168.143.1 (VPN/tunnel address)
  hotel NAT gateway           192.168.200.254 (hotel LAN), 211.211.211.1 (Internet)
  headquarters VPN access
  concentrator                200.200.200.1 (Internet), 192.168.140.254 (headquarters LAN)
  headquarters host           192.168.140.27

Packet on the hotel LAN (roaming VPN client to NAT gateway):

  Header   Source Addr       Dest Addr
  ETH      N/A               N/A
  IP       192.168.200.1     200.200.200.1
  IPsec    N/A               N/A              \
  L2TP     N/A               N/A               | encrypted
  PPP      N/A               N/A               |
  IP       192.168.143.1     192.168.140.27   /

Packet on the Internet (hotel NAT gateway to headquarters VPN access concentrator):

  Header   Source Addr       Dest Addr
  ETH      N/A               N/A
  IP       211.211.211.1     200.200.200.1
  IPsec    N/A               N/A              \
  L2TP     N/A               N/A               | encrypted
  PPP      N/A               N/A               |
  IP       192.168.143.1     192.168.140.27   /

Packet on the headquarters LAN (after the VPN access concentrator has removed the IPsec, L2TP and PPP headers):

  Header   Source Addr       Dest Addr
  ETH      N/A               N/A
  IP       192.168.143.1     192.168.140.27

Only the outer IP source address is rewritten by the hotel NAT gateway; the inner IP header, carried inside the encrypted IPsec payload, reaches the headquarters LAN unchanged.
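The following is an added, constructed model of the packet walk in the figure above; it is not AlliedWare OS code. It uses the figure's addresses, assumes a port-based NAT gateway at the hotel, and assumes NAT-T's UDP encapsulation on port 4500 (RFC 3948) so that the gateway has a port to map; the raw-ESP case shows why the mapping cannot be built without NAT-T.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Addresses taken from the figure in this How To Note. The packet model is a
# constructed illustration of the header stack, not router code.
CLIENT_LAN, CLIENT_TUNNEL = "192.168.200.1", "192.168.143.1"
HOTEL_NAT_PUBLIC = "211.211.211.1"
CONCENTRATOR, HQ_HOST = "200.200.200.1", "192.168.140.27"
NAT_T_PORT = 4500  # UDP port carrying NAT-T encapsulated ESP (RFC 3948)


@dataclass(frozen=True)
class Packet:
    outer_src: str
    outer_dst: str
    udp_sport: Optional[int]  # None models raw ESP (IP protocol 50): no port
    inner_src: str            # inside ESP: encrypted, invisible to the NAT
    inner_dst: str


def client_packet(nat_t: bool) -> Packet:
    """Packet as the roaming client sends it onto the hotel LAN."""
    return Packet(CLIENT_LAN, CONCENTRATOR, NAT_T_PORT if nat_t else None,
                  CLIENT_TUNNEL, HQ_HOST)


def hotel_nat(pkt: Packet, table: dict) -> Packet:
    """Port-based NAT gateway: rewrite the outer source and record the mapping.

    Raw ESP carries no transport port, so a port-based gateway has nothing to
    key its translation on; NAT-T's UDP wrapper is what supplies that port."""
    if pkt.udp_sport is None:
        raise ValueError("raw ESP has no port; NAT gateway cannot map the flow")
    table[(pkt.outer_src, pkt.udp_sport)] = HOTEL_NAT_PUBLIC
    return replace(pkt, outer_src=HOTEL_NAT_PUBLIC)


def concentrator_decapsulate(pkt: Packet) -> tuple:
    """VPN access concentrator strips IPsec/L2TP/PPP; the inner addresses are
    forwarded onto the headquarters LAN exactly as the client built them."""
    return pkt.inner_src, pkt.inner_dst


def trace(nat_t: bool) -> list:
    """Return the packet at the two hops of the figure: hotel LAN, Internet."""
    on_hotel_lan = client_packet(nat_t)
    on_internet = hotel_nat(on_hotel_lan, {})
    return [on_hotel_lan, on_internet]
```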