
VPN and Network Address Translation (NAT) – equinux VPN Tracker 6.4.6 User Manual


VPN and Network Address Translation (NAT)

VPN Tracker provides sophisticated tools to handle VPN connections through routers that perform Network Address Translation (NAT). This chapter explains in detail what Network Address Translation is, the different NAT-Traversal methods available, and how VPN Tracker assists you to make NAT-Traversal as seamless as possible.

Private IP Addresses

In the early years of the Internet, each computer had a worldwide unique IP address. When it became clear that the Internet was growing rapidly and would soon run out of IP addresses, certain blocks of IP addresses were reserved for use on private networks. These private IP addresses can be used over and over again in different private networks; they do not have to be unique worldwide.

The following IP address ranges are reserved for private use:

First IP Address   Last IP Address    Number of IP Addresses
192.168.0.0        192.168.255.255    65.536
10.0.0.0           10.255.255.255     16.777.216
172.16.0.0         172.31.255.255     1.048.576

Network Address Translation (NAT)

When a computer with a private IP address accesses the Internet, it sends the request through its local router. The local router cannot simply forward the request to the Internet: The sender’s private IP address is not unique outside its particular private network, in fact there can be millions of computers on the Internet worldwide that have the same private IP address at any given moment! Instead, it makes a few changes to the sender’s information in the request:

‣ It replaces the private IP address of the sender with its own public IP address.

‣ If necessary, it changes the outgoing network port number so no other computer communicating with the recipient of the request uses the same network port (it also remembers which port was used by which computer on its private network).

It then forwards the request to the Internet.

When responses come back, the process needs to be reversed. The response will come back on the same network port the request was sent out on. The router can therefore easily look up which computer sent the original request.

‣ The router replaces the recipient of the response with the private IP address of the computer that sent the original request.

‣ If it had to change the network port, the router puts back the original network port.

It then forwards the response to its private network.

The entire process is called Network Address Translation (NAT). If you have a
DSL or wireless router (e.g. an AirPort Base Station) at home, it is very likely
performing Network Address Translation. In most offices, hotels, and Internet
cafes you will be connecting to a private network that has a NAT router for
accessing the Internet.

NAT-Traversal

Network Address Translation can be a problem for VPN connections: For the actual communication across the VPN, a network protocol called ESP is used. Unlike the TCP and UDP network protocols you may be familiar with, ESP works independently of network ports. Since NAT depends on being able to use network ports to identify the recipient of an incoming response, it cannot work with ESP.

Several methods to deal with this have been developed. To use one of these
methods, it must be supported by both the router performing NAT and the
VPN gateway.
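The port-based translation described in the NAT section, and the reason it breaks down for ESP, as an added simulation that is not part of the manual or of VPN Tracker. All addresses, the port pool starting at 40000 and the two LAN hosts are constructed values; real routers differ in how they pick ports.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed example addresses from documentation ranges, not from the manual.
ROUTER_PUBLIC_IP = "203.0.113.10"
VPN_GATEWAY = "198.51.100.5"

@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "tcp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # ESP carries no port numbers at all
    dport: Optional[int] = None

class NatRouter:
    """Port-based NAT as the text describes it: rewrite the sender's private IP,
    change the source port only if another inside host already uses it, and
    remember which public port belongs to which private host."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}               # (proto, public_port) -> (private_ip, private_port)
        self.next_free_port = 40000   # constructed pool for remapped ports

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # ESP: no port to key the mapping on, so NAT has nothing to track
        key = (pkt.proto, pkt.sport)
        if key in self.table and self.table[key] != (pkt.src, pkt.sport):
            key = (pkt.proto, self.next_free_port)  # port taken by another host: remap
            self.next_free_port += 1
        self.table[key] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=key[1])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # no mapping (or no port at all): nowhere to deliver it
        private_ip, private_port = entry
        return replace(pkt, dst=private_ip, dport=private_port)

def demo() -> dict:
    nat = NatRouter(ROUTER_PUBLIC_IP)
    # Two LAN hosts both talk to the same VPN gateway from UDP port 500 (IKE).
    a = nat.outbound(Packet("udp", "192.168.0.2", VPN_GATEWAY, 500, 500))
    b = nat.outbound(Packet("udp", "192.168.0.3", VPN_GATEWAY, 500, 500))
    reply_b = nat.inbound(Packet("udp", VPN_GATEWAY, ROUTER_PUBLIC_IP, 500, b.sport))
    esp = nat.outbound(Packet("esp", "192.168.0.2", VPN_GATEWAY))  # no ports
    return {"a_port": a.sport, "b_port": b.sport, "reply_b_dst": reply_b.dst, "esp": esp}
```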

67