Passing IPsec traffic through any NAT device such as a router or a separate firewall in front of the VPN gateway/client, can cause problems. IPsec normally uses Protocol 50, which embeds IP addresses within the data packets. Standard NAT doesn't change these addresses and the recipient VPN gateway receives VPN packets containing private (nonroutable) IP addresses. In this situation, the VPN can't work.
However, the Smoothwall can operate in IPsec NAT Traversal (NAT-T) mode. NAT-T uses the UDP Protocol instead of Protocol 50 for IPsec VPN traffic. UDP isn't affected by the NAT process. The other end of the VPN tunnel needs to support NAT traversal. SSH Sentinel supports this mode, as do the vast majority of other modern VPN gateway devices.
Note: Any IPsec VPN client connections from a local network behind the Smoothwall that connect to another vendor's VPN gateway will also need to use NAT traversal rather than Protocol 50 for the reasons previously stated. NAT traversal is a VPN gateway feature, not a NAT feature.
Something not right? Send us feedback.