No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


IPSec VPN cannot be established when E200E configure NAT

Publication Date:  2013-03-18 Views:  85 Downloads:  0
Issue Description
custome uses Nortel vpn client to dial IPSec, but everytime get the error
Alarm Information
IPSec vpn client cannot reach vpn server
Handling Process
Enbale IPSec NAT traversal option on both vpn client and server, and the IPSec vpn can establish correctly.
Root Cause
1.the network topology is as follow, HW firewall is a NAT device between IPSec vpn client and srver:

2.From the capture file, IPSec ESP packets were not sent to other side because the packets didn’t carry NAT-T option. This shows that VPN client and server don’t enable IPSec NAT traversal function.
The packet doesn’t carry NAT-T option:

3. According to the RFC3947, when there is a NAT device between IPSec VPN ends, both client and server must support and enable IPSec NAT traversal,
After that, ESP packets will be encapsulated by UDP (4500 ports) and NAT by firewall correctly. Otherwise, ESP packets cannot be NAT directly.
When there is a NAT device between IPSec vpn client and server, both IPSec ends must support and enable IPSec NAT traversal.