I have NAT Traversal enabled on my firewall-A for dialup to LAN VPN. In front of the VPN client, the firewall-B has IPsec Passthrough enabled. I've read many documents that state that NAT Traversal and IPsec Passthrough together don't work, so I've disabled the IPsec Passthrough in firewall-B to make the tunnel work. But my client needs a solid reason for disabling the IPsec Passthrough feature as he is not convinced by it. Could you explain this to me?
NAT Traversal and IPsec Passthrough are two different solutions to tunneling encrypted packets through an NAT-ing device like a firewall. You should not need to disable IPsec Passthrough to use NAT Traversal; in general, they should have no impact on each other.
VPN Passthrough deals with the fact that encrypted IPsec (ESP) or PPTP (GRE) packets don't carry cleartext source and destination ports like unencrypted TCP/UDP packets do. Many-to-one outbound NAT translates both IP address and port number, letting many sessions share the same public IP address. A VPN client can usually establish an IPsec or PPTP tunnel because control traffic is sent using standard UDP or TCP packets that are NAT'ed without difficulty.
However, once the tunnel is up, the NAT-ing device doesn't know what to do with incoming ESP or GRE packets, or how to port-translate outgoing ESP or GRE packets. Turning on VPN Passthrough instructs the NAT to "pass through" outbound ESP or GRE without trying to translate a port number, and to correlate incoming ESP or GRE packets to the VPN client they belong to without using a port number. How Passthrough works depends on the product, particularly with respect to correlating more than one tunnel.
NAT Traversal takes a different approach. Instead of requiring the NAT-ing device to do something unusual, NAT Traversal makes the IPsec ESP traffic look like any other UDP traffic. NAT Traversal requires cooperation on both endpoints of the tunnel: the VPN client and the VPN gateway. During IPsec tunnel establishment, those endpoints detect the presence of a NAT-ing device between them and agree to use a particular version of NAT Traversal. After the tunnel is up, the sender takes every ESP packet and wraps it inside a UDP header before sending it. The NAT-ing device receives and forwards the UDP-encapsulated ESP packet in the usual way, translating both the IP address and cleartext UDP port. The receiver strips off the UDP header, then processes the ESP packet.
Why would VPN Passthrough and NAT Traversal interfere with each other? A VPN client and gateway using NAT Traversal encapsulates ESP or GRE inside a UDP header, so the NAT-ing device never receives any ESP or GRE packets to "pass through." If you run into a conflict between the two, it may be the way a particular NAT-ing device's Passthrough implementation handles VPN control traffic or a firewall rule that filters packets sent on the UDP port used by NAT-Traversal.
This question was asked at Ask the Experts on SearchNetworking.com.
About the expert:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in leading-edge network technology. She has been involved in the design, implementation and evaluation of networking and security products for over 25 years. Before joining Core Competence, Phifer was a member of the technical staff at Bell Communications Research, where she won a president's award for her work on ATM network management. Phifer teaches about wireless LANs, mobile security, NAC, and VPNs at many industry conferences and webinars. She has written extensively about network infrastructure and security technologies for numerous publications.
This was first published in February 2009