NAT Traversal and IPsec

For IPsec to work through a NAT, the following protocols need to be allowed through the NAT interface(s), e.g. on the LAN router:

  • Internet Key Exchange (IKE) - User Datagram Protocol (UDP) port 500
  • Encapsulating Security Payload (ESP) - IP protocol number 50
  • Authentication Header (AH) - IP protocol number 51

or, in case of NAT-T:

  • IKE - UDP port 500
  • IPsec NAT-T - UDP port 4500

Often this is accomplished on home routers by enabling "IPsec Passthrough".
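As an added illustration, not code from the original page, the following toy Python model shows why raw ESP (no transport-layer ports) needs a "passthrough" helper on a port-based NAT, while NAT-T's UDP 4500 encapsulation is mapped like any other UDP flow; it also encodes the two allow-lists above as a firewall check. The addresses, the `Napt` class and its simplified behaviour (real passthrough helpers track ESP by SPI) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Port and protocol numbers from the page
IKE_PORT, NAT_T_PORT = 500, 4500
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # only UDP/TCP carry ports; ESP/AH do not
    dport: Optional[int] = None

def ipsec_allowed(pkt: Packet, nat_t: bool) -> bool:
    """Firewall rule for the two cases listed on the page."""
    if pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT:
        return True                                  # IKE is needed in both cases
    if nat_t:
        return pkt.proto == PROTO_UDP and pkt.dport == NAT_T_PORT
    return pkt.proto in (PROTO_ESP, PROTO_AH)        # "IPsec Passthrough" case

class Napt:
    """Toy port-based NAT (constructed model, not a real router's logic)."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:   # no port to rewrite: plain NAPT cannot multiplex ESP/AH
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.table[key], pkt.dport)

def translate_all(pkts, public_ip="203.0.113.1"):
    nat = Napt(public_ip)
    return [nat.outbound(p) for p in pkts]

# Two hosts behind one NAT talking to the same VPN server (constructed addresses)
SERVER = "198.51.100.5"
raw_esp_pkts = [Packet(PROTO_ESP, "192.168.1.10", SERVER),
                Packet(PROTO_ESP, "192.168.1.11", SERVER)]
nat_t_pkts = [Packet(PROTO_UDP, "192.168.1.10", SERVER, NAT_T_PORT, NAT_T_PORT),
              Packet(PROTO_UDP, "192.168.1.11", SERVER, NAT_T_PORT, NAT_T_PORT)]

if __name__ == "__main__":
    print(translate_all(raw_esp_pkts))                    # [None, None]
    print([p.sport for p in translate_all(nat_t_pkts)])   # [40000, 40001]
```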

In Windows XP, NAT-T is enabled by default, but with SP2 it was disabled by default for the case where the VPN server is also behind a NAT device, because of a rare and controversial security issue. IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.

One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.
