Allied Telesis AR440S Background: NAT-T and policies

Page 4 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

Background: NAT-T and policies

NAT-T NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows

IPsec VPNs to traverse any NAT gateways that may be in the VPN path. This is likely to occur

with the VPNs from the roaming VPN clients—they are likely to use a LAN at a remote site

that is behind a NAT gateway.

NAT-T may also be applicable for a site-to-site VPN, if one of the routers is behind a NAT

gateway, such as some ADSL devices. Note that AR44xS series routers provide an ADSL

interface, which removes the need for a separate ADSL device. Therefore, the examples in

this How To Note do not include NAT-T for the site-to-site VPNs.

The following figure shows how the addresses in the IPsec headers change as a packet from a

roaming client traverses NAT gateways in the VPN pathway. The figure illustrates IPsec

transport mode with L2TP.

NAT gateway

Dest Addr

IP

PPP

L2TP

IPsec

IP

ETH

Source Addr

192.168.143.1

N/A

N/A

N/A

192.168.200.1

192.168.140.27

N/A

N/A

N/A

200.200.200.1

N/A N/A

Encrypted

192.168.200.1

roaming VPN

client

192.168.200.254

211.211.211.1

hotel

Dest Addr

IP

PPP

L2TP

IPsec

IP

ETH

Source Addr

192.168.143.1

N/A

N/A

N/A

211.211.211.1

192.168.140.27

N/A

N/A

N/A

200.200.200.1

N/A N/A

Encrypted

Internet

headquarters

VPN access

concentrator

Dest Addr

IP

ETH

Source Addr

192.168.143.1

N/A

192.168.140.27

N/A

200.200.200.1

192.168.140.254

192.168.140.27

hotel

headquarters

vpn-nat-t.eps

Contents

Main AlliedWareTM OS How To | Introduction Contents Configure VPNs in a Corporate Network, with Optional Prioritisation of VoIP Which products and software versions does this information apply to? Related How To Notes About IPsec modes: tunnel and transport Page 4 | AlliedWare OS How To Note: VPNs for Corporate Networks Background: NAT-T and policies hotel Internet headquarters hotel Page How to configure VPNs in typical corporate networks Before you start How to configure the headquarters VPN access concentrator 2. Configure IP for internet access 3. Configure remote management access, if desired 4. Capture status information remotely, if desired 5. Configure dynamic PPP over L2TP connections 6. Check feature licences 7. Configure the VPNs for the branch offices and roaming clients Page 8. Configure the firewalls basic settings 9. Configure the firewalls access rules 10. Save your configuration How to configure the AR440S router at branch office 2. Configure ADSL for internet access 3. Configure PPP for PPPoA 4. Configure IP 5. Configure remote management access, if desired 6. Capture status information remotely, if desired 7. Configure dynamic PPP over L2TP connections 8. Check feature licences 9. Configure the VPNs for connecting to headquarters and roaming clients Page 10. Configure the firewalls basic settings 11. Configure the firewalls access rules 12. Save your configuration How to configure the AR440S router at branch office 2 2. Configure ADSL for internet access 3. Configure PPP for PPPoE 4. Configure IP 5. Configure remote management access, if desired 6. Capture status information remotely, if desired 7. Check feature licences 8. Configure the VPNs for connecting to the headquarters office 9. Configure the firewalls basic settings 10. Configure the firewalls access rules 11. Save your configuration How to make voice traffic high priority How to prioritise outgoing VoIP traffic from the headquarters router 4. For site-to-site VPNs, apply the SQoS policy to the tunnels 5. For roaming clients, use triggers to apply SQoS to dynamic interfaces 7. Save your configuration 6. For roaming clients, set L2TP TOS reflection How to prioritise outgoing VoIP traffic from the branch office router 4. For the site-to-site VPN, apply the SQoS policy to the tunnel 5. For roaming clients, use triggers to apply SQoS to dynamic interfaces 6. For roaming clients, set L2TP TOS reflection 7. Save your configuration How to prioritise outgoing VoIP traffic from the branch office 2 router 4. Apply the SQoS policy to the tunnel 5. Save your configuration How to test your VPN solution Configuration scripts for headquarters and branch offices Before you use these scripts Headquarters VPN access concentrator's configuration Page Page Page Page Branch office AR440S configurationthe PPPoA site with VPN client access and a fixed IP address Page Page Page Page Branch office 2 AR440S configurationthe PPPoEoA site with a dynamically assigned IP address Page Page Page Extra configuration scripts for lab testing the VPN solution ISP's PPPoE access concentrator configuration Hotel's NAT gateway firewall configuration