Cisco Systems RVL200 manual Appendix J IPSec NAT Traversal, Configuration of Scenario

Page 95

Appendix J

Appendix J:

IPSec NAT Traversal

Overview

Network Address Translation (NAT) traversal is a technique developed so that data protected by IPSec can pass through a NAT. (See NAT 1 and NAT 2 in the diagram.) Since IPSec provides integrity for the entire IP datagram, any changes to the IP addressing will invalidate the data. To resolve this issue, NAT traversal appends a new IP and UDP header to the incoming datagram, ensuring that no changes are made to the incoming datagram stream.

This chapter discusses two scenarios. In the first scenario, traffic is sent in one direction, through Router A, NAT 1, NAT 2, and Router B. In the second scenario, traffic is sent in the opposite direction, and a one-to-one NAT rule is required.

Before You Begin

The following is a list of equipment you need:

•Two 4-Port SSL/IPSec VPN Routers (model number: RVL200), one of which is connected to the Internet

•Two 10/100 4-Port VPN Routers (model number: RV042), one of which is connected to the Internet

IPSec NAT Traversal

Configuration of Scenario 1

In this scenario, Router A is the RVL200 Initiator, while Router B is the RVL200 Responder.

WAN: 192.168.99.11	WAN: 192.168.99.22
NAT 2 - RV042	Router B - RVL200
LAN: 192.168.111.1	Responder
	LAN: 192.168.2.0/24

WAN: 192.168.111.101

NAT 1 - RV042

LAN: 192.168.11.1

192.168.2.100

WAN: 192.168.11.101

Router A - RVL200 Initiator

LAN: 192.168.1.0/24

192.168.1.101

Traffic in Scenario 1

NOTE: Both the IPSec initiator and responder must support the mechanism for detecting the NAT router in the path and changing to a new port, as defined in RFC 3947.

Configuration of Router A

Follow these instructions for Router A.

1.Launch the web browser for a networked computer, designated PC 1.

2.Access the web-based utility of Router A. (Refer to “Chapter 4: Advanced Configuration” for details.)

3.Click the IPSec VPN tab.

4.Click the Gateway to Gateway tab.

5.Enter a name in the Tunnel Name field.

6.For the VPN Tunnel setting, select Enable.

4-Port SSL/IPSec VPN Router

87

Image 95

Contents Port SSL/IPSec VPN Router About This Guide About This GuideTable of Contents Ddns IPSec VPN Gateway to Gateway Appendix E User for the Active Directory Server Appendix C Bandwidth ManagementAppendix D Active Directory Server Appendix L Multiple VLANs with Computers Appendix I Gateway-to-Gateway VPN TunnelAppendix J IPSec NAT Traversal Appendix M Multiple VLANs and Subnets Appendix O Firmware UpgradeAppendix P Battery Replacement Appendix Q SpecificationsIntroduction to the Router ChapterChapter Introduction IntroductionComputer using SSL VPN client software to VPN Router Back Panel Chapter Product OverviewProduct Overview Front PanelPhysical Installation Chapter InstallationInstallation Cable Connection Before You Begin Chapter Advanced ConfigurationAdvanced Configuration OverviewClick Security Select Use SSL 2.0 and Use SSL How to Access the Web-Based UtilitySystem Information System SummarySSL VPN Setting Status Network Setting StatusFirewall Setting Status IPSec VPN Setting StatusWAN Connection Type Setup Tab NetworkLAN Setting NetworkPPPoE Point-to-Point Protocol over Ethernet Static IPPptp Point-to-Point Tunneling Protocol Setup PasswordTime Setup TimeSetup DMZ Host PasswordPort Triggering Setup Tab ForwardingForwarding Port Range ForwardingUPnP Setup UPnPOne-to-One NAT Setup One-to-One NATSetup MAC Clone Advanced Routing Setup DdnsSetup Advanced Routing MAC CloneStatic Routing Dhcp SetupStatic IP SetupDynamic IP Multiple VLANs Dhcp StatusStatus Dhcp Multiple VLANsInter-VLAN Routing System Management DiagnosticDiagnostic Dhcp Inter-VLAN RoutingFirmware Download Factory DefaultFirmware Upgrade System Management RestartRestart Import Configuration FileExport Configuration File System Management Port MirroringPort Status Port Management Port SetupBasic Per Port Config Port Management Port StatusCreate Vlan Port Management Port SettingPort Setting Port Management Create VlanBandwidth Management QoS Bandwidth ManagementVlan Membership Priority Rate ControlTrust Mode Default CoS QoS QoS SetupQoS Setup QoS ModeCoS Settings QoS Queue SettingsQoS Dscp Settings Queue SettingsDscp to Queue Dscp SettingsFirewall General GeneralRestrict WEB Features Firewall Access RulesAccess Rules Services Add a New Access RuleIP/MAC Group Firewall Content FilterContent Filter SchedulingIP Address IPSec VPN SummaryForbidden Domains Website Blocking by KeywordsAdd a New Tunnel Local Group SetupIPSec VPN Gateway to Gateway SummaryRemote Security Gateway Type Remote Group SetupLocal Security Group Type Remote Security Group Type IKE with Preshared Key IPSec SetupAdvanced VPN Pass Through IPSec VPN VPN Pass ThroughSSL VPN Summary SSL VPN Certificate ManagementEdit Group Authentication TypeSSL VPN User Management User ManagementEdit User SSL VPN Virtual PassageGlobal Parameters Snmp Global ParametersVirtual Passage Group Profile Snmp ViewsSnmp Group Profile ViewsCommunities Snmp Group MembershipSnmp Communities Group MembershipNotification Recipient Snmp Notification RecipientSystem Log Log System LogGeneral Log Log SettingLog System Statistics Alert LogWizard Basic SetupPPPoE Obtain an IP automaticallyAccess Rule Setup Select the Service Linksys Web Site SupportLogout ManualLogout Appendix a Appendix a TroubleshootingTroubleshooting Before You Begin Windows OS Appendix BAppendix B Virtual Passage SSL VPN Client Click Trusted sites Make the SSL VPN Portal a Trusted Site Windows OSLogin for the SSL VPN Portal Windows OS Installation of the Virtual Passage Client Windows OSClick Continue Anyway When you right-click the icon, you have three optionsWindows Vista Usage Installation of the Virtual Passage Client Mac OSLogin for the SSL VPN Portal Mac OS Click Continue Removal of the Virtual Passage Client Mac OSBefore You Begin Linux OS Installation of the Virtual Passage Client Linux OSLogin for the SSL VPN Portal Linux OS Removal of the Virtual Passage Client Linux OS Bandwidth Management Creation of New ServicesAppendix C Appendix C Bandwidth ManagementCreation of New Bandwidth Management Rules Click Save SettingsActive Directory Server Appendix DAppendix D Active Directory Server Select Domain in a new forest, and then click Next Enter a domain name, and then click Next Active Directory Server Troubleshooting Appendix E User for the Active Directory Server Appendix EUser for the Active Directory Server Appendix F Appendix F Internet Authentication Service IAS ServerInternet Authentication Service IAS Server Select Unencrypted authentication. Click Apply Click Finish Welcome to the New Connection Request Policy Wizard Click Edit Profile Click the User Management tab Appendix GLAN-to-LAN Connection Select HTTPSTCP/443~443 from the Service drop- down menuAppendix H Appendix H Deployment in an Existing NetworkWAN-to-LAN Connection Click the Gateway to Gateway tab Configuration of the RVL200Appendix Appendix Gateway-to-Gateway VPN TunnelConfiguration of PC 1 and PC Configuration of the RV082RV082 RVL200 Dynamic IP B.B.B.B with Configuration when Both Gateways Use Dynamic IP Addresses Appendix Appendix J IPSec NAT Traversal Configuration of ScenarioConfiguration of Router a Appendix JIPSec NAT Traversal Configuration of Router BOne-to-One NAT Rule on NAT 1 RV042 One-to-One NAT Rule on NAT 2 RV042Configuration of Router a Appendix K Configuration of MultipleRVL200-to-RV042 Configuration Appendix KClick the Advanced Routing tab RV042 #1 ConfigurationClick Save Setting RV042 #2 Configuration Click the Port Management tab RVL200-to-SRW2048 ConfigurationAppendix L Appendix L Multiple VLANs with ComputersClick Save Settings Click the Vlan Membership tab SRW2048 ConfigurationSelect Enable Vlan Multiple VLANs RVL200 ConfigurationAppendix M Appendix MClick the Inter-VLAN Routing tab Inter-VLAN Routing OptionOver a SSL VPN Tunnel Access of Multiple VLANsAppendix N Appendix NAppendix O Appendix O Firmware UpgradeFirmware Upgrade Click the Firmware Upgrade tab Upgrade the FirmwareAppendix P Appendix P Battery ReplacementBattery Replacement Replace the Lithium BatteryAppendix Q Appendix Q SpecificationsSpecifications Appendix R Warranty InformationLimited Warranty Regulatory Information Appendix SDansk Danish Miljøinformation for kunder i EU Port SSL/IPSec VPN Router 106 Norsk Norwegian Miljøinformasjon for kunder i EU Port SSL/IPSec VPN Router 108 Contact Information Appendix T