Documentation clarification regarding NAT-T on 5.3

For non-IPsec experts, the documentation is not clear regarding:

  • NAT-Traversal in “IPsec VPN” settings (page 69)
  • IPsec NAT-T in “Service Passthrough” (page 141)

Regarding the first one, you write on page 69: "The NAT-Traversal option should be enabled if your system is behind a NAT router." I think you mean “remote peer system”? Do you suppose (regarding the location of this setting) that the Peplink will be one of the peers? Could you clarify?

Regarding the other option page 141, you write:

  • This field is for enabling the support of IPsec NAT-T Passthrough. UDP ports 500, 4500 and 10000 are monitored by default.
  • You may add more custom data ports that your IPsec system uses by checking the box Define custom ports. If the VPN contains IPsec Site-to-Site VPN traffic, you have to check the box Route IPsec Site-to-Site VPN and choose the WAN connection to route the traffic to.
  • If you have IPsec Site-to-Site VPN traffic routed, check the Route IPsec Site-to-Site VPN option and select a WAN to force routing such traffic to the specified WAN.

Should this box be checked when you set up a simple “IPsec VPN” on the Peplink (Balance 20 or 30), the other peer being external? Does “Site-to-Site” only mean the Peplink “Site-to-Site VPN”, or all kinds of site-to-site IPsec traffic?

I am answering myself, as I may now understand a few things better. But because my brain is not brand new, I hope I won’t say too many silly things.

Supposing a Linux-like OS is underneath the Peplink Balance, it may use strongSwan or Openswan for IPsec, so reading the documentation of those helps. There are two protocols for tunnel creation: IKEv1 and IKEv2. As far as I understand, IKEv2 is NAT-aware. It means that if your tunnel must cross routers that are doing NAT, it should be able to deal with it. IKEv1 is not, but you can use a kind of extension called NAT-T to make it cross routers performing NAT. Of course, this implies both sides of the tunnel are NAT-T capable. So, on page 69, activating NAT-T is the same as switching on this extension for your IKEv1 tunnel creation.

On page 141, it’s more a way to tell your router to let IPsec tunnels using NAT-T cross the router. But for me it’s still not clear whether it needs to be enabled or not if the router is itself performing IPsec tunnels. I would think not, but I’m not sure. If anybody knows, please tell us.