
DSVPN NAT Traversal

In Figure 1, when private networks of Spokes connect to the Hub through Network Address Translation (NAT), NAT traversal must be implemented to establish VPN tunnels between the Hub and Spokes, and between Spokes. DSVPN NAT traversal can be deployed so that Spokes can directly communicate across the NAT device.

Figure 1 DSVPN NAT traversal

DSVPN NAT traversal is implemented by encapsulating original and translated addresses of Spokes in NAT extension fields of NHRP Registration Reply packets and NHRP Resolution Request or Reply packets. The implementation is as follows:

  1. The Spokes send NHRP Registration Request packets to the Hub. The NHRP Registration Request packets carry public or private network addresses of the Spokes.
  2. NHRP on the Hub detects whether a NAT device exists between the Hub and Spokes. If the NAT device exists, the Hub encapsulates translated public addresses of Spokes in NAT extension fields of NHRP Registration Reply packets and sends the packets to the Spokes.
  3. The source Spoke sends an NHRP Resolution Request packet to the destination Spoke. The NAT extension fields of the packet carry the original address and the translated public address of the source Spoke.
  4. The destination Spoke sends an NHRP Resolution Reply packet to the source Spoke. The NAT extension fields of the packet carry the original address and the translated public address of the destination Spoke.
  5. The source and destination Spokes learn the original address and translated public network address of each other and establish an mGRE tunnel based on the translated public address. By doing this, Spokes can directly communicate across the NAT device.
  • NAT traversal cannot be implemented on a DSVPN network if two Spokes use the same NAT device and their original addresses are translated to the same public network address.
  • NAT traversal cannot be implemented if two Spokes are behind different NAT devices, and Port Address Translation (PAT) is enabled on the NAT device.
  • When branches need to communicate with each other, the NAT device must be configured with a NAT server. NAT traversal cannot be implemented if source NAT PAT is configured on the NAT device.
  • When you deploy IPSec on a DSVPN network, the IPSec encapsulation mode can only be transport mode if two branches are connected to different NAT devices or the headquarters is connected to a NAT device. This is because NHRP cannot learn post-NAT IP addresses when the IPSec encapsulation mode is tunnel mode.
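The following is an added example, not part of the original page or of any Huawei software: a small Python model of steps 1 to 5 above together with the two address-related constraints from the list. The Hub detects NAT by comparing the address carried in the Registration Request with the source address it actually observes; the Spoke records, the `pat` flag and all addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Spoke:
    name: str
    original: str        # address the Spoke carries in its Registration Request
    seen_by_hub: str     # source address the Hub observes (post-NAT if NAT is present)
    pat: bool = False    # constructed flag: the NAT device in front of it uses PAT

def hub_registration_reply(spoke: Spoke) -> dict:
    """Steps 1-2: the Hub compares the carried address with the packet source.
    A mismatch means a NAT device is in the path, so the translated public
    address is returned in the NAT extension field of the Registration Reply."""
    nat_detected = spoke.seen_by_hub != spoke.original
    return {"nat_ext": spoke.seen_by_hub if nat_detected else None}

def can_traverse(src: Spoke, dst: Spoke) -> Tuple[Optional[Tuple[str, str]], str]:
    """Steps 3-5: exchange (original, translated) pairs in the Resolution
    Request/Reply and select the mGRE tunnel endpoints, or explain why the
    tunnel cannot be built across the NAT device(s)."""
    src_ext = hub_registration_reply(src)["nat_ext"]
    dst_ext = hub_registration_reply(dst)["nat_ext"]
    learned_by_dst = {"original": src.original, "nat_ext": src_ext}  # Resolution Request
    learned_by_src = {"original": dst.original, "nat_ext": dst_ext}  # Resolution Reply
    # Constraint: same NAT device, both Spokes translated to one public address.
    if src_ext and dst_ext and src_ext == dst_ext:
        return None, "both Spokes are translated to the same public address"
    # Constraint: different NAT devices with PAT enabled on one of them.
    if src_ext and dst_ext and (src.pat or dst.pat):
        return None, "PAT is enabled on a NAT device between the Spokes"
    # Step 5: the tunnel is built on the translated address when one exists.
    src_end = learned_by_dst["nat_ext"] or learned_by_dst["original"]
    dst_end = learned_by_src["nat_ext"] or learned_by_src["original"]
    return (src_end, dst_end), "mGRE tunnel endpoints"

# Constructed sample Spokes (documentation address ranges, not real hosts).
SPOKE_A = Spoke("A", "10.1.1.1", "203.0.113.10")           # behind NAT device 1
SPOKE_B = Spoke("B", "10.2.2.2", "203.0.113.20")           # behind NAT device 2
SPOKE_C = Spoke("C", "10.3.3.3", "203.0.113.10")           # shares NAT device 1 with A
SPOKE_D = Spoke("D", "10.4.4.4", "203.0.113.40", pat=True) # behind a PAT device
SPOKE_E = Spoke("E", "198.51.100.5", "198.51.100.5")       # no NAT in the path

if __name__ == "__main__":
    for peer in (SPOKE_B, SPOKE_C, SPOKE_D, SPOKE_E):
        print(SPOKE_A.name, "->", peer.name, can_traverse(SPOKE_A, peer))
```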
Copyright © Huawei Technologies Co., Ltd.