what attention should be paid to when configure firewall IPSec between IPSec tunnel two ends with intermediate NAT device?
When the IP tunnel of one IPSEC tunnel end make NAT transition, at this time need according to the following principle to configure:
1, configure IPSec NAT traversal: mainly to solve the problem that intermediate NAT device does not support to do NAT translation to ESP message. After configure NAT traversal, the encrypted message don't use ESP protocol encapsulation, but use UDP protocol (use 500/4500 port), thus guarantee intermediate NAT device to make correct NAT transition for these encrypted message. When configuration NAT traversal, both two ends must, at the same time, configure NAT traversal command (NAT traversal). Other configuration follow the following principles:
1.1, both sides use the un-template mode to configure:
Must be aggressive mode and name authentication mode.
1.2, the configuration that one end is template mode, the other end is um-template mode:
When NAT device make NAT translation to the un-template end IP, can configure to aggressive mode and name authentication mode, also can configure to aggressive mode and IP authentication mode, but requires template end can't configure remote - address.
Other conditions must configure as aggressive mode and name authentication mode
2, do not configure IPSec NAT traversal: if intermediate NAT device is to be NAT Server device (make NAT transition to the peer end private network address), and the NAT device support NAT transition of ESP message. In this case can do not configure NAT traversal, but need in our device configure the following command: remote - address authentication - address X.X.X.X, to specify the intranet address before the peer end make NAT transition.
1, remote - address authentication- address command need support by firewall software version, before use this command please consult and confirm whether the current software version is support.
2, C company NAT device support NAT transition of ESP message, we have checked that.