Are IP NAT Traversal and VPN Passthrough the same thing? Great question. Both aim to solve the same problem (IPsec vs. NAT), but these are really different solutions.
Most outbound "NATs" actually translate both IP addresses and ports to let many users share a single public IP address. Many VPN users run into trouble sending IPsec through a NAT-ing device like a firewall because (a) NAT changes the IP and TCP/UDP headers carried inside packets, invalidating IPsec's integrity check, and (b) the TCP/UDP header in an IPsec ESP packet is encrypted, preventing NAT from mapping ports.
VPN Passthroughs usually fix (b) by NAT-ing encrypted packets without mapping ports inside the TCP/IP payload. An IPsec VPN Passthrough translates an IPsec ESP packet's source IP to the firewall's external interface while ignoring the encrypted payload. A PPTP VPN Passthrough NATs PPTP GRE packets in a similar fashion. Some Passthroughs are limited to one VPN tunnel at a time; other implementations use fields like the IPsec SPI to multiplex several tunnels through one NAT-ing device. VPN Passthrough isn't a standard, and behavior varies by product.
NAT Traversal refers to a series of IETF Internet Drafts that fix (a) by wrapping encrypted IPsec packets inside a cleartext UDP wrapper. Any NAT-ing device can translate both the source IP address and source UDP port of the cleartext wrapper without changing any part of the encrypted IPsec packet carried inside. The challenge is that both ends of the IPsec tunnel must support the same version of NAT Traversal, be able to detect when to use NAT Traversal, keep the NAT mapping alive for the lifetime of the tunnel, etc. Many VPN vendors implement NAT Traversal drafts, and NAT Traversal works well today in single-vendor VPNs. Multi-vendor VPN NAT Traversal should improve when everyone aligns with the final IETF standard.
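As an added illustration (not part of the original answer), the Python below models the difference described above: a NAT rewrites only the cleartext outer IP address and UDP port, so the encapsulated ESP packet and its integrity check survive untouched, while raw ESP exposes nothing but the SPI for a Passthrough to key its mapping on. Port 4500 and the four-zero-byte "non-ESP marker" follow the UDP-encapsulation scheme the IETF later standardised in RFC 3948; addresses, key and ciphertext are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
NAT_T_PORT = 4500             # UDP port for UDP-encapsulated ESP and IKE (RFC 3948)
NON_ESP_MARKER = b"\x00" * 4  # IKE on port 4500 starts with 4 zero bytes; an ESP SPI is never 0
KEY = b"constructed-demo-esp-auth-key"  # constructed: stands in for the negotiated ESP integrity key

@dataclass
class Packet:
    src_ip: str   # outer IP header, reduced to the field a NAT rewrites
    dst_ip: str
    udp: bytes    # 8-byte UDP header followed by its payload

def build_esp(spi: int, seq: int, ciphertext: bytes, key: bytes = KEY) -> bytes:
    """ESP = SPI | sequence | encrypted payload | 96-bit ICV over everything before it."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(key, body, hashlib.sha256).digest()[:12]

def verify_esp(esp: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(hmac.new(key, esp[:-12], hashlib.sha256).digest()[:12], esp[-12:])

def udp_encapsulate(src_ip: str, dst_ip: str, esp: bytes) -> Packet:
    """Cleartext UDP wrapper around ESP; UDP checksum left 0 as RFC 3948 allows for IPv4."""
    hdr = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)
    return Packet(src_ip, dst_ip, hdr + esp)

def nat_rewrite(pkt: Packet, public_ip: str, new_src_port: int) -> Packet:
    """A NAT maps (src_ip, src_port) of the outer headers only; bytes after the UDP header stay put."""
    _, dst_port, length, csum = struct.unpack("!HHHH", pkt.udp[:8])
    hdr = struct.pack("!HHHH", new_src_port, dst_port, length, csum)
    return Packet(public_ip, pkt.dst_ip, hdr + pkt.udp[8:])

def outer_src_port(pkt: Packet) -> int:
    return struct.unpack("!H", pkt.udp[:2])[0]

def classify_nat_t_payload(pkt: Packet) -> str:
    """Receiver demux on port 4500: non-ESP marker means IKE, anything else is ESP."""
    return "IKE" if pkt.udp[8:12] == NON_ESP_MARKER else "ESP"

def passthrough_key(esp: bytes) -> int:
    """Raw ESP has no cleartext port: a VPN Passthrough can only key a mapping on the SPI."""
    return struct.unpack("!I", esp[:4])[0]

def demo() -> Packet:
    esp = build_esp(0x1000ABCD, 1, b"constructed opaque ESP ciphertext")
    inside = udp_encapsulate("192.168.1.20", "198.51.100.9", esp)   # constructed addresses
    outside = nat_rewrite(inside, "203.0.113.7", 51234)           # what leaves the firewall
    assert outside.udp[8:] == esp and verify_esp(outside.udp[8:])  # ESP untouched, ICV still valid
    return outside
```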
Related Q&A from Lisa Phifer