Testing for nat-traversal support – equinux VPN Tracker 6.4.6 User Manual

IPSec Passthrough

The simplest method is called IPSec Passthrough. It works with all VPN gate-
ways

1

. NAT routers supporting this method will just send ESP responses back

to the last host who contacted the VPN gateway. Most routers have some limi-
tation on their IPsec Passthrough capability, for example it will often not work
if more than a single host needs to establish a VPN connection (to the same
VPN gateway).

NAT-Traversal (Early Drafts)

NAT-Traversal is the most flexible method. VPN Tracker simply wraps the VPN
communication (ESP) into regular UDP packets (which have port numbers).
The NAT router can then handle these UDP packets like it would do with any
UDP communication. On the other side, the VPN gateway needs to remove
the UDP “wrapper” before it can handle the VPN communication.

For NAT-Traversal to work, it needs to be specifically supported by the VPN
gateway and the local NAT router. The requirement for support from the VPN
gateway is obvious – it has to know that it needs to unwrap the UDP packets
before it sees the regular VPN communication. For the NAT router, it is less
obvious why they would need special support for NAT-Traversal. However,
older or less sophisticated VPN gateways often do not support NAT-Traversal.
They will simply discard UDP packets on this network port. To deal with this
problem, the final NAT-Traversal standard (RFC) changes the network port for
performing NAT-Traversal.

NAT-Traversal (RFC Standard)

The final NAT-Traversal standard (as well as late draft revisions) switch to net-
work port 4500 as soon as NAT-Traversal is performed. This allows even rout-
ers built on the assumption that network port 500 is for ESP only to handle
with NAT-Traversal.

The final NAT-Traversal standard works with most NAT-routers and is also sup-
ported by many recent VPN gateways. However, older or less sophisticated
VPN gateways often do not support NAT-Traversal.

Testing for NAT-Traversal Support

To successfully establish a VPN connection, VPN Tracker needs to know which
methods are supported by the VPN gateway and the local NAT router.

Finding out what the VPN gateway supports is very easy: The VPN gateway
will automatically tell VPN Tracker what it supports when a connection is be-
ing established.

For the NAT router, it's more difficult: Some will list it in their data sheet, for
others, it is only possible to find out by actually testing. Fortunately, you won’t
have to worry about this: VPN Tracker has a test built right in. This test is run
every time VPN Tracker encounters a new NAT router (it's the progress bar you
see before the VPN connection is established). Even though it may take a
short moment, it's very important to run the test! It only needs to run once at
any given location.

What does the test do?

The test connects to a VPN gateway at equinux using all three methods. VPN
Tracker remembers which methods worked, and from then on it will only use
the working methods.

When is the automatic test not sufficient?

The automatic test will work in almost all situations. It will help you to get
hassle-free VPN connectivity at Internet cafes, hotels, airports – basically eve-
rywhere where you have little time and encounter NAT routers that may not
support all NAT-Traversal methods.

There is one specific situations in which the availability test may not give ac-
curate results: Communication to your VPN gateway goes through a different
router than Internet traffic, or is treated differently (firewall rules etc.). Since

68

1 Some devices permit IPsec Passthrough to be turned off. In that case, it will obviously not work.