Roaming from behind NAT to no NAT, Roaming from no NAT to behind NAT – Panasonic 7 User Manual

Chapter 8 Configuring IPSec mobility and persistent mode 151

Roaming from behind NAT to no NAT

In Figure 31, before roaming, a client was connected via AP1 and a NAT box and
had the IP address IP1. After roaming, the client is connected via AP2 without
NAT; UDP encapsulation will be used.

Figure 31: Roaming from behind NAT to no NAT

Roaming from no NAT to behind NAT

Before roaming, the client had access via AP2, and after roaming via AP1 and
the NAT box, a situation that is the reverse of the one in Figure 31. In this
case, the IPSec connection will be dropped because NAT detection is made in IKE
phase 1 and NAT traversal is negotiated in quick mode; with the tunnel already
negotiated and established, the change cannot take place unless re-negotiation
occurs.

Similar problems may arise when roaming from behind IPSec-aware NAT devices
to behind other NAT devices. To avoid any NAT-related problems, the “Always
UDP Encap” option under the IPSec group configuration always forces UDP
wrapping on IPSec user tunnels, even if NAT was not detected during connection
establishment.
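The following sketch is an added example, not taken from the manual or from the router's software. It models why the encapsulation decision is frozen at negotiation time. It assumes the standard RFC 3947 NAT-D hash comparison with SHA-1 (the page does not say which detection mechanism the router uses); all function names, cookies and addresses are constructed for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation address ranges, made-up IKE cookies).
CKY_I, CKY_R = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
PRIVATE = ("192.168.1.10", 500)   # client's own address behind the NAT box (AP1)
NAT_OUT = ("203.0.113.5", 1024)   # source the gateway sees after translation
DIRECT = ("198.51.100.20", 500)   # client's address with no NAT (AP2)

def nat_d(ip: str, port: int) -> bytes:
    """NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()  # SHA-1 assumed as the negotiated hash

def nat_detected(client_addr, seen_addr) -> bool:
    """The client hashes its own address; the gateway hashes the source address
    it sees on the wire. A mismatch means the packet was translated in transit."""
    return nat_d(*client_addr) != nat_d(*seen_addr)

@dataclass
class Tunnel:
    udp_encap: bool  # decided once, when the tunnel is negotiated

def establish(client_addr, seen_addr, always_udp_encap=False) -> Tunnel:
    """always_udp_encap models the "Always UDP Encap" group option."""
    return Tunnel(udp_encap=always_udp_encap or nat_detected(client_addr, seen_addr))

def survives_roam(tunnel: Tunnel, new_path_has_nat: bool) -> bool:
    """Plain ESP has no ports for a NAT box to translate, so only a tunnel that
    already uses UDP wrapping keeps working on a path that contains NAT."""
    return tunnel.udp_encap or not new_path_has_nat

if __name__ == "__main__":
    behind_nat = establish(PRIVATE, NAT_OUT)
    no_nat = establish(DIRECT, DIRECT)
    forced = establish(DIRECT, DIRECT, always_udp_encap=True)
    print("behind NAT -> no NAT survives:", survives_roam(behind_nat, False))
    print("no NAT -> behind NAT survives:", survives_roam(no_nat, True))
    print("Always UDP Encap, no NAT -> behind NAT survives:", survives_roam(forced, True))
```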

Nortel VPN Router Configuration — Basic Features