Network address translation for VPN

VPN provides a means for performing network address translation, called VPN NAT. VPN NAT differs from traditional NAT in that it translates addresses before applying the IKE and IPSec protocols. Refer to this topic to learn more.

Network address translation (NAT) takes your private IP addresses and translates them into public IP addresses. This helps conserve valuable public addresses while at the same time allows hosts in your network to access services and remote hosts across the Internet (or other public network).

Private IP addresses also carry a risk of collision with the addresses used by the network you are communicating with. For example, you might want to communicate with another network, but both networks use 10.*.*.* addresses, so the addresses collide and all packets are dropped. Applying NAT to your outbound addresses might appear to be the answer to this problem. However, if the data traffic is protected by a VPN, conventional NAT will not work because it changes the IP addresses in the security associations (SAs) that VPN requires to function. To avoid this problem, VPN provides its own version of network address translation called VPN NAT. VPN NAT performs address translation before the SA validation by assigning an address to the connection when the connection starts. The address remains associated with the connection until you delete the connection.

Note: FTP does not support VPN NAT at this time.

How should I use VPN NAT?

There are two different types of VPN NAT that you need to consider before you begin. They are:

VPN NAT for preventing IP address conflicts

This type of VPN NAT allows you to avoid possible IP address conflicts when you configure a VPN connection between networks or systems with similar addressing schemes. A typical scenario is one where both companies want to create VPN connections by using one of the designated private IP address ranges (for example, 10.*.*.*). How you configure this type of VPN NAT depends on whether your system is the initiator or the responder for the VPN connection. When your system is the connection initiator, you can translate your local addresses into ones that are compatible with your VPN connection partner's addresses. When your system is the connection responder, you can translate your VPN partner's remote addresses into ones that are compatible with your local addressing scheme. Configure this type of address translation only for your dynamic connections.

VPN NAT for hiding local addresses

This type of VPN NAT is used primarily to hide the real IP address of your local system by translating it to another address that you make publicly available. When you configure VPN NAT, you can specify that each publicly known IP address be translated to one of a pool of hidden addresses. This also allows you to balance the traffic load for an individual address across multiple addresses. VPN NAT for hiding local addresses requires that your system act as the responder for its connections.
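The following Python model, added here as an illustration and not IBM code, shows the two points made above about the conflict-avoidance case: an initiator binds a translated local address to the connection when it starts and keeps it until the connection is deleted, and the translation happens before the packet is checked against the SA's traffic selectors, so a packet that would fail the selector check under the conventional ordering passes. The networks (10.0.0.0/24 on both sides, 172.16.5.0/24 as the translated pool) and the class and function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    """Traffic selectors negotiated by IKE: the address ranges this SA protects."""
    local_net: str
    remote_net: str

    def accepts(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote_net))


class VpnNat:
    """Initiator-side VPN NAT (hypothetical model): a translated address is bound to a
    connection when it starts and stays bound until the connection is deleted."""

    def __init__(self, pool_net: str):
        self.free = [str(a) for a in ipaddress.ip_network(pool_net).hosts()]
        self.bindings = {}  # real local address -> translated address

    def start_connection(self, real_local: str) -> str:
        if real_local not in self.bindings:          # an existing binding is reused
            self.bindings[real_local] = self.free.pop(0)
        return self.bindings[real_local]

    def delete_connection(self, real_local: str) -> None:
        self.free.append(self.bindings.pop(real_local))  # release the translated address

    def outbound(self, src: str, dst: str):
        return self.bindings[src], dst               # translate our own local address

    def inbound(self, src: str, dst: str):
        real = {t: r for r, t in self.bindings.items()}
        return src, real[dst]                        # map the reply back to the real host


def send(sa: SecurityAssociation, nat: VpnNat, src: str, dst: str,
         translate_before_sa: bool) -> bool:
    """True if an outbound packet passes SA validation. With translate_before_sa=False
    the untranslated 10.x source is checked (the conventional ordering) and is rejected."""
    if translate_before_sa:
        src, dst = nat.outbound(src, dst)
    return sa.accepts(src, dst)


if __name__ == "__main__":
    # Constructed scenario: both networks use 10.0.0.0/24; our side is translated to 172.16.5.0/24
    sa = SecurityAssociation("172.16.5.0/24", "10.0.0.0/24")
    nat = VpnNat("172.16.5.0/24")
    print(nat.start_connection("10.0.0.5"))                   # 172.16.5.1
    print(send(sa, nat, "10.0.0.5", "10.0.0.7", True))        # True
    print(send(sa, nat, "10.0.0.5", "10.0.0.7", False))       # False
```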

Use VPN NAT for hiding local addresses if you answer yes to these questions:

  1. Do you have one or more systems that you want people to access by using a VPN?
  2. Do you need to be flexible about the actual IP addresses of your systems?
  3. Do you have one or more globally routable IP addresses?

The scenario "Use network address translation for VPN" provides an example of how to configure VPN NAT to hide local addresses on your IBM® i model.

For step-by-step instructions on how to set up VPN NAT on your system, use the online help available from the VPN interface in IBM Navigator for i.