Cisco Systems RV042RF manual Appendix D IPSec NAT Traversal, Configuration of Scenario


Appendix D: IPSec NAT Traversal

Overview

Network Address Translation (NAT) traversal is a technique developed so that data protected by IPSec can pass through a NAT. (See NAT 1 and NAT 2 in the diagram.) Since IPSec provides integrity for the entire IP datagram, any change to the IP addressing by a NAT would invalidate the data. To resolve this issue, NAT traversal encapsulates the IPSec datagram in a new IP and UDP header; the NAT rewrites only these outer headers, so the IPSec-protected datagram inside passes through unchanged.

This appendix discusses two scenarios. In the first scenario, Router A initiates IKE negotiation, while in the second scenario, Router B initiates IKE negotiation. In the second scenario, since the IKE responder is behind a NAT device, a one-to-one NAT rule is required on the NAT device so that the initiator's IKE traffic reaches the responder.

Before You Begin

The following is a list of equipment you need:

• Two 4-Port SSL/IPSec VPN Routers (model number: RVL200), one of which is connected to the Internet

• Two 10/100 4-Port VPN Routers (model number: RV042), one of which is connected to the Internet


Configuration of Scenario 1

In this scenario, Router A is the RVL200 Initiator, while Router B is the RVL200 Responder.

[Diagram: Traffic in Scenario 1. Path: Router A -> NAT 1 -> Internet -> NAT 2 -> Router B]

Router A - RVL200 Initiator: LAN 192.168.1.0/24 (host 192.168.1.101), WAN 192.168.11.101

NAT 1 - RV042: LAN 192.168.11.1, WAN 192.168.99.11

NAT 2 - RV042: WAN 192.168.99.22, LAN 192.168.111.1

Router B - RVL200 Responder: WAN 192.168.111.101, LAN 192.168.2.0/24 (host 192.168.2.100)

NOTE: Both the IPSec initiator and responder must support the mechanism for detecting the NAT router in the path and changing to a new port, as defined in RFC 3947.
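The overview and the note above describe two mechanisms: the NAT-D exchange from RFC 3947 that lets each peer detect a NAT in the path and move IKE to a new port, and the UDP encapsulation from RFC 3948 that keeps the NAT's rewrites confined to the outer headers. The following is an added worked example, written for this appendix and not firmware or code from Cisco or the RVL200/RV042. It reuses the addresses of Router A and NAT 1 from the Scenario 1 diagram; the cookies, SPI, keys and the choice of SHA-1 as the phase-1 hash are constructed for the illustration.

```python
"""Worked illustration of IPsec NAT traversal (IKEv1 NAT-T, RFC 3947 / RFC 3948).
Constructed example for this appendix; not RVL200/RV042 firmware or Cisco code."""
import hashlib
import hmac
import socket
import struct

UDP_ENCAP_PORT = 4500                  # RFC 3947: IKE "floats" from UDP/500 to UDP/4500 once a NAT is found
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE carried on UDP/4500 is prefixed with four zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-octet keepalive that keeps the NAT mapping open


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for the hash algorithm negotiated in phase 1 (constructed choice)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_in_path(cky_i, cky_r, claimed_ip, claimed_port, observed_ip, observed_port) -> bool:
    """A peer hashes the address/port it believes it is sending from; the receiver hashes
    the address/port it actually saw in the outer IP/UDP headers. A mismatch means a NAT
    rewrote the packet somewhere between the two routers."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return not hmac.compare_digest(sent, seen)


def build_esp(spi: int, seq: int, ciphertext: bytes, auth_key: bytes) -> bytes:
    """Minimal ESP packet: SPI | sequence number | payload | ICV. The ICV (HMAC-SHA1
    truncated to 96 bits, as in RFC 2404) covers everything before it, but never the
    outer IP/UDP headers, which is why a NAT may rewrite those without breaking it."""
    body = struct.pack("!II", spi, seq) + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:12]
    return body + icv


def esp_icv_valid(esp: bytes, auth_key: bytes) -> bool:
    """Recompute the ICV over the ESP packet and compare in constant time."""
    body, icv = esp[:-12], esp[-12:]
    return hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:12], icv)


def udp_encapsulate(esp: bytes, src_port=UDP_ENCAP_PORT, dst_port=UDP_ENCAP_PORT) -> bytes:
    """RFC 3948 UDP-encapsulated ESP: an 8-byte UDP header placed in front of the ESP
    packet. RFC 3948 has the sender transmit a zero UDP checksum."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0) + esp


def nat_rewrite(udp_packet: bytes, new_src_port: int) -> bytes:
    """What NAT 1 does to the outer header: rewrite the source port (and, on the wire,
    the outer source IP). Only the 8-byte UDP header changes; the ESP packet is untouched.
    With a zero UDP checksum there is nothing further for the NAT to fix up."""
    _, dst, length, csum = struct.unpack("!HHHH", udp_packet[:8])
    return struct.pack("!HHHH", new_src_port, dst, length, csum) + udp_packet[8:]


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex what arrives on UDP/4500: keepalive, IKE (non-ESP marker) or ESP."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:          # ESP header = non-zero SPI + sequence number
        return "esp"
    return "malformed"


def scenario_1_walkthrough() -> dict:
    """Router A (WAN 192.168.11.101) sits behind NAT 1 (WAN 192.168.99.11), as in the
    appendix diagram. Router B sees the post-NAT address, so NAT-D detects the NAT; the
    UDP-encapsulated ESP then survives the NAT's port rewrite with a valid ICV."""
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))        # constructed IKE cookies
    nat_found = nat_in_path(cky_i, cky_r, "192.168.11.101", 500, "192.168.99.11", 500)

    key = b"constructed-esp-auth-key"
    esp = build_esp(spi=0x1000, seq=1, ciphertext=b"\x00" * 32, auth_key=key)
    on_wire = udp_encapsulate(esp)
    after_nat = nat_rewrite(on_wire, new_src_port=61000)       # NAT 1 picks a new source port
    inner = after_nat[8:]
    return {
        "nat_found": nat_found,
        "kind": classify_udp4500(inner),
        "esp_intact": inner == esp and esp_icv_valid(inner, key),
    }


if __name__ == "__main__":
    print(scenario_1_walkthrough())
```

Running the script reports that a NAT was detected, that the packet arriving after NAT 1 classifies as ESP, and that the ESP integrity check still passes. If the same ESP packet were sent without UDP encapsulation, the NAT would have to rewrite the IP header that the IPsec integrity check covers, which is exactly the failure the overview describes.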

Configuration of Router A

Follow these instructions for Router A.

1. Launch the web browser for a networked computer, designated PC 1.

2. Access the web-based utility of Router A. (Refer to the User Guide of the RVL200 for details.)

3. Click the IPSec VPN tab.

4. Click the Gateway to Gateway tab.

5. Enter a name in the Tunnel Name field.

6. For the VPN Tunnel setting, select Enable.

10/100 4-Port VPN Router

67
