Implementing NAT within an IPSec VPN requires one adjustment. By definition, NAT rewrites an IP packet's address information. Such a packet then fails its data integrity check under the AH protocol, which requires that every bit in the datagram remain unchanged. When you use NAT within a tunnel created with BOVPN with Manual IPSec, you must therefore specify ESP, not AH, as the authentication method. (All other types of IPSec tunnels always use ESP as the authentication method.)
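The following Python simulation is an added example, not WatchGuard code or code from this help page. It models why the AH check above fails after NAT while the ESP check survives: AH's integrity value covers the IP header (with only mutable fields such as TTL and checksum zeroed, so the addresses are included), whereas ESP's integrity value covers only the ESP header, payload and trailer. The key, addresses and payload are constructed demo values, and the AH header itself is omitted from the hashed data for brevity.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key shared by both tunnel endpoints (not from the page).
KEY = b"constructed-demo-integrity-key"
ICV_LEN = 12  # truncated HMAC, as IPSec integrity algorithms typically use
IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (caller zeroes the checksum field)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_icv(ip_header: bytes, payload: bytes) -> bytes:
    """AH integrity value: covers the IP header with mutable fields zeroed, plus the payload.
    Source and destination addresses are immutable fields, so they are covered.
    (A real AH header with a zeroed ICV field would also be hashed; elided here.)"""
    h = bytearray(ip_header)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(esp_packet: bytes) -> bytes:
    """ESP integrity value: covers ESP header + (encrypted) payload + trailer only.
    The outer IP header is deliberately not part of the authenticated data."""
    return hmac.new(KEY, esp_packet, hashlib.sha256).digest()[:ICV_LEN]


def nat_rewrite_source(ip_header: bytes, new_src: str) -> bytes:
    """What a NAT device does on the way out: swap the source address, fix the checksum."""
    h = bytearray(ip_header)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def integrity_check_passes(protocol: str,
                           inner_src: str = "192.168.1.10",
                           nat_src: str = "203.0.113.5",
                           dst: str = "198.51.100.7") -> bool:
    """Simulate sender -> NAT -> receiver; return whether the receiver's ICV check succeeds."""
    payload = b"constructed tunnel payload"  # constructed stand-in for the protected datagram
    if protocol == "AH":
        hdr = build_ipv4_header(inner_src, dst, IPPROTO_AH, len(payload))
        icv_from_sender = ah_icv(hdr, payload)
        hdr_after_nat = nat_rewrite_source(hdr, nat_src)
        # The receiver recomputes over the header it actually received.
        return hmac.compare_digest(icv_from_sender, ah_icv(hdr_after_nat, payload))
    if protocol == "ESP":
        # SPI + sequence number + payload (constructed values); trailer omitted.
        esp_pkt = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + payload
        hdr = build_ipv4_header(inner_src, dst, IPPROTO_ESP, len(esp_pkt) + ICV_LEN)
        icv_from_sender = esp_icv(esp_pkt)
        nat_rewrite_source(hdr, nat_src)  # NAT still rewrites the outer header...
        # ...but the receiver verifies only the ESP packet, which NAT did not touch.
        return hmac.compare_digest(icv_from_sender, esp_icv(esp_pkt))
    raise ValueError("protocol must be 'AH' or 'ESP'")


if __name__ == "__main__":
    print("AH through NAT :", "pass" if integrity_check_passes("AH") else "FAIL")
    print("ESP through NAT:", "pass" if integrity_check_passes("ESP") else "FAIL")
```

Running it shows the AH check failing and the ESP check passing for the same NAT rewrite; passing an unchanged source address makes the AH check succeed, which isolates the address rewrite as the cause.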
To use NAT within VPNs, use IPSec and PPTP passthrough as described in Making Outbound IPSec Connections From Behind a Firebox and Making Outbound PPTP Connections From Behind a Firebox.
Related topics:
Selecting an Authentication Method
Selecting an Encryption and Data Integrity Method
Copyright
© 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.