ZyXEL ADSL Prestige 662HW-61 130122.0662HW61 User Manual

Prestige 662H/HW Series User’s Guide
Chapter 19 VPN Screens
Figure 95   NAT Router Between IPSec Routers
Normally you cannot set up a VPN connection with a NAT router between the two IPSec 
routers because the NAT router changes the header of the IPSec packet. In the previous figure, 
IPSec router A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes 
the IPSec packet’s header so it does not match the header for which IPSec router B is 
checking. Therefore, IPSec router B does not respond and the VPN connection cannot be built.  
NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The 
NAT router forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router 
B checks the UDP port 500 header and responds. IPSec routers A and B build a VPN 
connection.
19.7.1  NAT Traversal Configuration
For NAT traversal to work you must:
• Use ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
• Enable NAT traversal on both IPSec endpoints.
In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec 
router B, set the NAT router to forward UDP port 500 to IPSec router A.
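The following Python sketch is an added example, not part of the ZyXEL guide or the Prestige firmware. It shows why the list above requires ESP: an AH-style integrity check that covers the outer IP addresses fails once a NAT router rewrites the source address, while an ESP packet carried behind a UDP port 500 header still verifies. The key, addresses, SPI, translated port 61001, the truncated HMAC-SHA256 check value and the NAT behaviour (rewriting source address and UDP source port) are constructed assumptions.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"  # constructed; stands in for the negotiated auth key

def icv(data):
    # Simplified integrity check value: truncated HMAC-SHA256 (assumption for the demo).
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ip(addr):
    return ipaddress.IPv4Address(addr).packed

def ah_packet(src, dst, payload):
    # AH-style protection: the ICV covers the outer IP addresses as well as the payload.
    return {"src": src, "dst": dst, "payload": payload,
            "icv": icv(ip(src) + ip(dst) + payload)}

def ah_verify(pkt):
    expected = icv(ip(pkt["src"]) + ip(pkt["dst"]) + pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)

def esp_blob(spi, seq, ciphertext):
    # ESP-style protection: the ICV covers only SPI, sequence number and ciphertext.
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + icv(body)

def esp_verify(blob):
    return hmac.compare_digest(blob[-12:], icv(blob[:-12]))

def udp_encap(src, dst, sport, dport, esp):
    # 8-byte UDP header (checksum left at 0) placed in front of the ESP packet.
    header = struct.pack("!HHHH", sport, dport, 8 + len(esp), 0)
    return {"src": src, "dst": dst, "udp": header + esp}

def nat(pkt, public_ip, public_port=None):
    # Assumed NAT behaviour: rewrite the source address and, for UDP, the source port.
    out = dict(pkt, src=public_ip)
    if public_port is not None and "udp" in out:
        out["udp"] = struct.pack("!H", public_port) + out["udp"][2:]
    return out

def demo():
    # All addresses and values below are constructed sample input.
    ah = nat(ah_packet("192.168.1.33", "203.0.113.20", b"data"), "198.51.100.7")
    esp = esp_blob(0x1001, 1, b"opaque-ciphertext")
    sent = udp_encap("192.168.1.33", "203.0.113.20", 500, 500, esp)
    seen = nat(sent, "198.51.100.7", 61001)
    sport, dport = struct.unpack("!HH", seen["udp"][:4])
    return {"ah_ok": ah_verify(ah), "esp_ok": esp_verify(seen["udp"][8:]),
            "sport": sport, "dport": dport}
```

The receiving side sees destination port 500 intact and an ESP packet whose check value still matches, which is the condition under which IPSec router B can respond.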
19.7.2  Remote DNS Server
In cases where you want to use domain names to access Intranet servers on a remote network 
that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the 
LAN or from the ISP since these DNS servers cannot resolve domain names to private IP 
addresses on the remote network.
The following figure depicts an example where three VPN tunnels are created from Prestige 
A; one to branch office 2, one to branch office 3 and another to headquarters. In order to access 
computers that use private domain names on the headquarters (HQ) network, the Prestige at 
branch office 1 uses the Intranet DNS server in headquarters. The DNS server feature for VPN 
does not work with Windows 2000 or Windows XP.