

superataru

join:2004-12-07
Kearny, NJ

Optional NAT-T

Hi all folks.
Some weeks ago, I configured a very interesting hub-and-spoke-like configuration (not standard, as I did not have all USGs).

USG200 (HQ)---P662
| | |___P662
| |__P662
|_USG20

With a functional IPSEC Tunnels' routing between all branch offices, and also with SSL Tunnels to HQ, and to Branches, via HQ.

USG200 got 2 WAN in load balancing. And also IPSEC VPN USG20->USG200 is configured with Main and Backup endpoints.

Some days ago the ISP made some variations on WAN two. I always have the same IP, always static, but, performing a traceroute to a remote site, I've seen we pass through a privately addressed provider network.

So the Primary/Backup policy does not work anymore, 'cause I need NAT-T for one of the Gateway policies. Not required for the main line.

At home I use a Clavister G50 Firewall, which has a useful setting: "Use NAT-T if required".

Do you know something like this, with a tip that I don't know?

Thanks in advance.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:8

You can enable NAT Traversal in VPN Gateway settings but you need to 'Show Advanced Settings' first.



superataru

join:2004-12-07
Kearny, NJ

I know it ... Brano (is my image so compromised? )

I mean: device enable or disable it, if not needed.

I got one No-NAT-T end point that has to switch automatically from one Not-NAT-T to a NAT-T-required end point.



superataru

join:2004-12-07
Kearny, NJ

Ok. Italian ZyXEL Assistance confirms no way, atm, to have a dynamic management of NAT-T feature.

Bye all.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Was that the Berlusconi Zyxel Womens Rights Hotline Support or the Vatican Zyxel Gay Rights Hotline Support??



superataru

join:2004-12-07
Kearny, NJ



Well, worst Vatican facts are always with "stars & stripes"
Anyway ... Berlusconi is still alive, and no way to change him with Obama .

But maybe we could go deeper: one leader is a comedian ...

------------------------------------------------

I hope ZyXEL will add this feature asap, very useful in this scenario (and when ISP has so nice ideas ...).

Bye.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Well, two things:
a. Are you in NJ or in Italy LOL
b. I'm from Canada, so quoting anything other than Maple Leafs and Harper is not my concern, well, until the heavily armed Baptist terrorists invade us looking for poutine and clean water.

I started another thread to which you should add your requirement on NAT-T dynamic.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment



superataru

join:2004-12-07
Kearny, NJ

LOL^3

Italian (hippy), I changed it in a moment of cerebral perfusion.
Do not remember how to reach the options' page

Seen the post. I will add some rows.

Tnx



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:8

I can't help it, but my feeling about the NAT-T setting in ZyXEL is that if you enable it, it's used only when really needed. I always enable it for all VPNs and both types of connections work (those that I know for sure have NAT in the path and those that I know for sure don't).



superataru

join:2004-12-07
Kearny, NJ

Yep, mate.
That's why I need this feature.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:8

What am I missing?
NAT-T is dynamically used as needed. You have the option to enable it or disable it in the VPN rule.
What NAT-T on/off switch are you looking for?



superataru

join:2004-12-07
Kearny, NJ

Hi Brano.
Nope, to me.
Suppose you have an HA VPN setup.
- One WAN connection needs NAT-T for the VPN to work.
- One doesn't.
Build the VPN with the first one as primary, then unplug the cable.
The VPN goes down, and does not work until you turn the Gateway Policy to not NAT-T.
And vice-versa if you set the not NAT-T one as primary.

I mean this.

In my experience, not-required NAT-T does not work fine or does not work at all.
VPN-HA does not manage it dynamically.

Do yours work?