
Configure Microsoft® Windows XP Virtual Private Network (VPN) client interoperability with NAT-T support
Solution requirements
NAT-T is available from software release 2.6.4 or 2.6.6 for the following products:
• AR410
• AR450S
• AR44xx series routers
• AR700 series routers
Other products may include NAT-T with future software releases.
The following products depend on either the Encryption Mini Accelerator Card (EMAC) or the
Encryption PCI Accelerator Card (EPAC) to perform encryption.
• The AR300 series router family
• The AR410 router
• The AR700 series router family
• The Rapier series switches.
While the switching products can be configured as VPN gateways, this is usually not a
recommended practice. Doing so means you will lose wire-speed switching of data, because all
traffic needs to be inspected by the Firewall and IPSec modules at CPU processing speed.
On all products, feature licences are required if you want to access Triple Data Encryption
Standard (3DES) or Advanced Encryption Standard (AES) encryption. Single DES is available by
default on purchase of the encryption card. 3DES and AES are strategic export encryption products,
and you will need to apply to your local Allied Telesyn Office or Distributor before purchasing the
feature licences.
An ISAKMP licence should already be loaded on your router. If not, contact your local distributor.
Note: An encryption card is not necessary on the AR450S or AR44x series, as it is built into the product.
If you wish to configure a Microsoft Windows 2000 VPN call with NAT-T support, refer to the
“How To Configure Microsoft Windows 2000 Virtual Private Network (VPN) Client Interoperability with
NAT-T support” document at
http://www.alliedtelesyn.co.uk/en-gb/solutions/techdocs.asp
For the VPN client solution given in this document to work, your office must have a fixed Internet
address. This is the target address for the VPN client. Depending on whether the office uses a
NATing gateway device or not, this Internet address will either belong to the NAT gateway or the
VPN peer router (see Figure 1).
Please note that many ISPs assign dynamic addresses as standard practice, and these addresses can
change periodically. It is likely you will need to specifically ask for a fixed address for your office.
If the office uses a NATing gateway device, it must be configured with allow rules (or “pinholes”) for
UDP 500 and UDP 4500 traffic.
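To check that both pinholes pass the expected traffic, the following added example (not part of the original document) classifies UDP payloads captured on ports 500 and 4500 using the framing defined in RFC 3948. The function names and the sample datagrams are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500
# ISAKMP header: cookies (8+8), next payload, version, exchange type,
# flags, message ID, total length = 28 bytes.
ISAKMP_FMT = "!8s8sBBBBII"
ISAKMP_LEN = struct.calcsize(ISAKMP_FMT)

def parse_isakmp(data):
    """Return (major, minor, exchange_type), or None if the header is malformed."""
    if len(data) < ISAKMP_LEN:
        return None
    _, _, _, version, exch, _, _, length = struct.unpack(ISAKMP_FMT, data[:ISAKMP_LEN])
    if length < ISAKMP_LEN:
        return None
    return (version >> 4, version & 0x0F, exch)

def classify(dst_port, payload):
    """Classify one UDP payload arriving through the UDP 500 or UDP 4500 pinhole."""
    if dst_port == IKE_PORT:
        hdr = parse_isakmp(payload)          # plain IKE, no marker
        return ("ike", hdr) if hdr else ("malformed", None)
    if dst_port == NATT_PORT:
        if payload == b"\xff":               # one-byte NAT keepalive
            return ("nat-keepalive", None)
        if payload[:4] == b"\x00" * 4:       # non-ESP marker, then IKE
            hdr = parse_isakmp(payload[4:])
            return ("ike-natt", hdr) if hdr else ("malformed", None)
        if len(payload) >= 8:                # non-zero SPI: UDP-encapsulated ESP
            return ("esp-in-udp", struct.unpack("!I", payload[:4])[0])
        return ("malformed", None)
    return ("other", None)

def pinholes_seen(datagrams):
    """Ports on which at least one well-formed datagram was observed."""
    return {port for port, data in datagrams
            if classify(port, data)[0] not in ("malformed", "other")}

# Constructed samples: an IKEv1 header (version 1.0, exchange type 2) and an ESP packet.
SAMPLE_IKE = struct.pack(ISAKMP_FMT, b"A" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, ISAKMP_LEN)
SAMPLE_ESP = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16
SAMPLES = [(500, SAMPLE_IKE), (4500, b"\x00" * 4 + SAMPLE_IKE),
           (4500, b"\xff"), (4500, SAMPLE_ESP)]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data))
    print("pinholes carrying valid traffic:", sorted(pinholes_seen(SAMPLES)))
```

If a capture on the office side of the gateway shows IKE on port 500 but nothing on port 4500, the UDP 4500 pinhole is the first thing to check.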