§Two modes of UDP Encapsulation are available:
oAutomatic mode in which UDP encapsulation is
performed only when the Secure Remote client is behind a dynamic Network Address Translation device configured for Hide mode. In other cases, IPSec packets are transmitted in the standard manner. The server determines how to transmit IPSec packets according to value of the source port in IKE packets.
oForced mode in which the client can work only in UDP
Encapsulation Mode. Communication is enabled only if the gateway supports UDP encapsulation and always uses UDP Encapsulation Mode. Forced mode should be used if the client is behind devices which drop or damage IPSec packets but do not modify IKE packets.
ØAT&T Client VPN
§AT&T Global Networks, (formerly IBM Global Networks),has used IPSec Header Authentication, and thus would not work through a NAT device.
§The new version of the AT&T Client VPN software (which they call the "dialer" with Bluemoon Tunneling) now supports IPSec Data Authentication without IPSec Header Authentication, and it now works through routers.
§However, in order to make this work, you need to put the following two undocumented statements in the "custom.ini" file which is located in the same directory as the rest of the VPN client software (typically c:\program files\AT&T Global Network\).
§The version of the AT&T client software must be 4.25.2 or higher (which was released on Sept 6, 2000).
§In custom.ini put:
o[BlueMoon]
oAllowNatThroughFireWall=True