CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.

DSVPN NAT Traversal

In Figure 3-7, when private networks of Spokes connect to the Hub through Network Address Translation (NAT), NAT traversal must be implemented to establish VPN tunnels between the Hub and Spokes, and between Spokes. DSVPN NAT traversal can be deployed so that Spokes can directly communicate across the NAT device.

Figure 3-7  DSVPN NAT traversal

DSVPN NAT traversal is implemented by encapsulating original and translated addresses of Spokes in NAT extension fields of NHRP Registration Reply packets and NHRP Resolution Request or Reply packets. The implementation is as follows:

  1. The Spokes send NHRP Registration Request packets to the Hub. The NHRP Registration Request packets carry public or private network addresses of the Spokes.
  2. NHRP on the Hub detects whether a NAT device exists between the Hub and the Spokes. If a NAT device exists, the Hub encapsulates the translated public addresses of the Spokes in NAT extension fields of NHRP Registration Reply packets and sends the packets to the Spokes.
  3. The source Spoke sends an NHRP Resolution Request packet to the destination Spoke. The packet carries the original address and translated public address of the source Spoke in NAT extension fields.
  4. The destination Spoke sends an NHRP Resolution Reply packet to the source Spoke. The packet carries the original address and translated public address of the destination Spoke in NAT extension fields.
  5. The source and destination Spokes learn each other's original address and translated public network address and establish an mGRE tunnel based on the translated public address. The Spokes can then communicate directly across the NAT device.
NOTE:
  • NAT traversal cannot be implemented on a DSVPN network if two Spokes use the same NAT device and their original addresses are translated to the same public network address.
  • NAT traversal cannot be implemented if two Spokes are behind different NAT devices, and Port Address Translation (PAT) is enabled on the NAT device.
  • When branches need to communicate with each other, the NAT device must be configured with a NAT server or static NAT. NAT traversal cannot be implemented if outbound NAT is configured on the NAT device.
  • When you deploy IPSec on a DSVPN network, the IPSec encapsulation mode can only be transport if two branches are connected to different NAT devices or the headquarters is connected to a NAT device.
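
The five steps and the first note above can be modelled as follows. This is an added example, not Huawei code or the NHRP wire format: the class and function names are hypothetical, the addresses are constructed, and the rule the Hub uses to detect NAT (claimed address differs from the observed source address) is an assumption, since the guide does not state it.

```python
from dataclasses import dataclass, field

@dataclass
class Spoke:
    name: str
    original: str      # address configured on the Spoke (before NAT)
    translated: str    # address the NAT device presents publicly (same if no NAT)
    public: str = ""   # learned from the Hub's Registration Reply
    peers: dict = field(default_factory=dict)

    def nat_extension(self):
        # Contents of the NAT extension fields this Spoke sends to a peer.
        return {"original": self.original, "translated": self.public}

class Hub:
    def __init__(self):
        self.table = {}

    def register(self, spoke):
        """Steps 1-2. Returns True if a NAT device was detected."""
        claimed, observed = spoke.original, spoke.translated
        nat_detected = claimed != observed   # assumed detection rule
        self.table[spoke.name] = {"original": claimed, "translated": observed}
        # The Registration Reply carries the translated address only when NAT exists.
        spoke.public = observed if nat_detected else claimed
        return nat_detected

def resolve(src, dst):
    """Steps 3-5. Returns the tunnel endpoint each side uses (src's view, dst's view)."""
    if not (src.public and dst.public):
        raise ValueError("both Spokes must register with the Hub first")
    if src.public == dst.public:
        # First NOTE item: same translated public address, so no traversal.
        raise ValueError("Spokes translate to the same public address")
    dst.peers[src.name] = src.nat_extension()   # NHRP Resolution Request
    src.peers[dst.name] = dst.nat_extension()   # NHRP Resolution Reply
    return src.peers[dst.name]["translated"], dst.peers[src.name]["translated"]

if __name__ == "__main__":
    hub = Hub()
    a = Spoke("SpokeA", "10.1.1.2", "203.0.113.10")   # constructed addresses
    b = Spoke("SpokeB", "10.2.2.2", "198.51.100.20")
    for s in (a, b):
        print(s.name, "behind NAT:", hub.register(s))
    print("mGRE tunnel endpoints:", resolve(a, b))
```

The endpoints returned are the translated public addresses, which are the addresses that filtering rules between the branches see for the Spoke-to-Spoke tunnel.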
Updated: 2019-04-12

Document ID: EDOC1100041799
