FortiGate IPSec VPN User Guide - FirewallShop.com
Auto Key phase 1 parameters
Defining the remaining phase 1 options

Additional advanced phase 1 settings are available to ensure the smooth operation of phase 1 negotiations:

• Nat-traversal—If outbound encrypted packets will be subjected to NAT, this option determines whether each packet will be wrapped in a UDP/IP header to protect the encrypted packet from modification. See “NAT traversal” below.

• Keepalive Frequency—If outbound encrypted packets will be subjected to NAT, this option determines how often the FortiGate unit sends empty UDP keepalive packets through the NAT device so that the NAT address and port mapping is not discarded before the lifetime of the session expires. See “NAT keepalive frequency” below.

• Dead Peer Detection—This option determines whether the FortiGate unit will detect dead IKE peers and terminate a session between the time when a VPN connection becomes idle and the phase 1 encryption key expires. See “Dead peer detection” on page 141.

NAT traversal

Network Address Translation (NAT) is a way to convert private IP addresses to publicly routable Internet addresses and vice versa. When an IP packet passes through a NAT device, the source or destination address in the IP header (and, on a port-translating NAT device, the transport port) is modified. FortiGate units support NAT traversal (NAT-T) draft version 1 (encapsulation on UDP port 500 with a non-IKE marker), draft version 3 (encapsulation on UDP port 4500 with a non-ESP marker, the framing that RFC 3947 and RFC 3948 later standardized), and compatible versions.

A port-translating NAT device cannot handle IPSec ESP packets (IP protocol 50) because ESP carries no port numbers; the ESP SPI is not a transport port. When more than one host behind the NAT device sends ESP traffic, the device has nothing to rewrite and no way to demultiplex the returning packets. To work around this problem, the FortiGate unit provides a way to protect IPSec packet headers from NAT modifications. When the Nat-traversal option is enabled, outbound encrypted packets are wrapped inside a UDP/IP header that contains a port number. This extra encapsulation allows the NAT device to translate the outer address and port without touching the ESP packet itself; the ESP integrity check covers only the ESP header and payload, not the outer IP and UDP headers, so the translation does not invalidate it.

To provide the extra layer of encapsulation on IPSec packets, the Nat-traversal option must be enabled whenever a NAT device exists between two FortiGate VPN peers or between a FortiGate unit and a dialup client such as FortiClient. As in standard NAT-T, the peers detect during phase 1 whether a NAT device actually sits between them and apply the UDP encapsulation only when one is found, so enabling the option on a path without NAT does no harm. On the receiving end, the FortiGate unit or FortiClient removes the extra layer of encapsulation before decrypting the packet. Any firewall on the path must permit UDP port 4500 (as well as UDP port 500 for IKE) in addition to, or instead of, IP protocol 50.

NAT keepalive frequency

When a NAT device translates a flow of packets, it also decides how long the translation (the address and port mapping) remains valid after the flow of traffic stops, for example when the connected VPN peer is idle. UDP mappings are typically expired after a short idle time, often between 30 seconds and a few minutes, after which the device may reclaim and reuse the mapping. Once that happens, packets sent by the remote peer no longer reach the FortiGate unit behind the NAT device. To work around this problem, when you enable NAT traversal, you can specify how often the FortiGate unit should send periodic keepalive packets through the NAT device to ensure that the NAT address mapping does not change during the lifetime of a session. The keepalive interval must be smaller than the idle timeout that the NAT device applies to UDP sessions; leave enough margin that a single lost keepalive packet does not let the mapping expire.
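The framing described in the two sections above (the non-IKE marker on UDP port 500, the non-ESP marker on UDP port 4500, and the one-byte NAT keepalive), as an added Python example that is not part of this guide or of FortiOS. It builds each packet type, shows why a port-translating NAT device can rewrite the outer UDP header without breaking the ESP integrity check while it cannot translate raw ESP at all, and shows the receiver-side demultiplexing. The toy NAT model, the HMAC-SHA-256-128 integrity check, and the sample SPI, key and addresses are constructed for the example; the rule that two keepalive intervals must fit inside the NAT idle timeout is an assumed safety margin, not a FortiOS setting.

```python
"""
Added example, not from the FortiGate guide or FortiOS: IPsec NAT traversal
framing (RFC 3947/3948 on UDP 4500, NAT-T draft version 1 on UDP 500), a toy
port-translating NAT device, and receiver-side demultiplexing.
"""
import hashlib
import hmac
import struct

IKE_PORT = 500                 # draft version 1: IKE and marked ESP share this port
NAT_T_PORT = 4500              # RFC 3947/3948: IKE, ESP and keepalives share this port
NON_ESP_MARKER = b"\x00" * 4   # prefixed to IKE on 4500; an ESP SPI is never 0
NON_IKE_MARKER = b"\x00" * 8   # prefixed to ESP on 500; an IKE initiator cookie is never 0
NAT_KEEPALIVE = b"\xff"        # RFC 3948 section 2.3: a one-octet keepalive payload
ESP_PROTO = 50
UDP_PROTO = 17
ICV_LEN = 16                   # HMAC-SHA-256-128 (assumed integrity algorithm)


def esp_packet(spi, seq, ciphertext, auth_key):
    """ESP header + encrypted payload + ICV. The ICV covers only the ESP packet,
    never the outer IP/UDP headers, so a NAT device may rewrite those freely."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_verify(packet, auth_key):
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def encapsulate(kind, inner=b"", draft_version_1=False):
    """Wrap an 'esp', 'ike' or 'keepalive' message in NAT-T UDP framing.
    Returns (udp_port, udp_payload)."""
    if kind == "keepalive":
        return NAT_T_PORT, NAT_KEEPALIVE
    if draft_version_1:
        return IKE_PORT, (NON_IKE_MARKER + inner if kind == "esp" else inner)
    return NAT_T_PORT, (NON_ESP_MARKER + inner if kind == "ike" else inner)


def decapsulate(udp_port, payload):
    """Receiver side: strip the marker and report what was inside."""
    if udp_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return "keepalive", b""
        if payload.startswith(NON_ESP_MARKER):
            return "ike", payload[len(NON_ESP_MARKER):]
        if len(payload) >= 8:
            return "esp", payload
    elif udp_port == IKE_PORT and len(payload) >= len(NON_IKE_MARKER):
        if payload.startswith(NON_IKE_MARKER):
            return "esp", payload[len(NON_IKE_MARKER):]
        return "ike", payload
    raise ValueError("not NAT-T framing")


def napt_outbound(pkt, public_ip, mappings):
    """Toy port-translating NAT: rewrite the outer source address and port of a
    UDP packet and remember the mapping. Raw ESP (IP protocol 50) has no port,
    so there is nothing to rewrite and returning packets could not be demultiplexed."""
    if pkt["proto"] != UDP_PROTO:
        raise ValueError("protocol %d has no port field; cannot translate" % pkt["proto"])
    key = (pkt["src_ip"], pkt["src_port"])
    mappings.setdefault(key, 40000 + len(mappings))
    return dict(pkt, src_ip=public_ip, src_port=mappings[key])


def keepalive_is_safe(keepalive_s, nat_udp_idle_timeout_s):
    """The guide's rule with an assumed margin: two keepalive intervals must fit
    inside the NAT device's UDP idle timeout, so one lost keepalive is tolerated."""
    return 2 * keepalive_s < nat_udp_idle_timeout_s


def demo():
    """ESP from 10.0.0.5 behind a NAT device: encapsulated, translated, received."""
    key = b"\x11" * 32                       # constructed sample ESP auth key
    esp = esp_packet(spi=0x1234, seq=1, ciphertext=b"\xde\xad\xbe\xef" * 4, auth_key=key)
    port, payload = encapsulate("esp", esp)
    pkt = {"proto": UDP_PROTO, "src_ip": "10.0.0.5", "src_port": port,
           "dst_ip": "203.0.113.10", "dst_port": port, "data": payload}
    translated = napt_outbound(pkt, "198.51.100.1", {})
    kind, inner = decapsulate(translated["dst_port"], translated["data"])
    try:                                     # the same ESP sent raw, without NAT-T
        napt_outbound(dict(pkt, proto=ESP_PROTO), "198.51.100.1", {})
        raw_esp_translatable = True
    except ValueError:
        raw_esp_translatable = False
    return {"kind": kind, "icv_ok": esp_verify(inner, key),
            "nat_src_port": translated["src_port"],
            "raw_esp_translatable": raw_esp_translatable}


if __name__ == "__main__":
    print(demo())
```

Running the script shows the translated packet still decapsulating to ESP with a valid ICV, because only the outer UDP source port changed, while the same packet sent as raw protocol 50 has no port for the NAT device to work with. The receiver keys its demultiplexing on the destination port and the leading bytes only, which is exactly why the markers must be values that a genuine IKE cookie or ESP SPI can never take.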
FortiGate IPSec VPN Version 3.0 User Guide
140 01-30005-0065-20070716