What Precautions Shall Be Taken for Configuring IPSec When an IPSec Tunnel Spans over NAT Devices?
When the intermediate device over the IPSec tunnel performs NAT for the tunnel IP address carried over packets sent by the device at one end of the tunnel, perform configurations based on the following principles:
Configuring IPSec NAT traversal: This configuration ensure that the NAT device does not perform NAT for ESP packets. After IPSec NAT traversal is enabled, encrypted packets are encapsulated through UDP (on port 4500), but not ESP. In this way, the intermediate NAT device can correctly perform NAT for these encrypted packets. To configure NAT traversal, you must run the nat traversal command at both ends. Perform other configurations based on the following principles:
− Applying the non-template mode to both ends: You are advised to use the aggressive mode and name authentication. (If IP authentication is used, run the remote-address authentication-addressip-address command on the USG to specify the internal IP address before NAT is performed at the peer end.)
− Applying the template mode to one end and non-template mode to the other end: When the intermediate NAT device performs NAT for packets sent from the end that uses non-template mode, configure either name authentication or IP address authentication. However, do not run the remote-address command in the template.
Not configuring IPSec NAT: Do not configure IPSec NAT when the intermediate NAT server serves as a NAT Server (translating the peer private IP address) and supports NAT over ESP packets. In this case, you need to only run the remote-address authentication-addressip-address command on the local end to specify the internal IP address before NAT is performed at the peer end.