VPN (Virtual Private Network) based on IPSec and NAT (Network Address Translation) are both excellent and widely used network technologies. A VPN establishes a private network over a public network so that data travels safely through an encrypted tunnel: clients only need to connect to the local public network, and their data is transmitted across it securely. NAT is an IETF (Internet Engineering Task Force) standard that lets a whole organization appear on the Internet behind one public IP address by translating interior private addresses to legal public addresses. NAT not only improves the efficiency of IP address utilization and saves corporations much of the money spent on registering addresses, but also enhances security: because many computers share one IP address, the NAT gateway conceals the interior private network from the public network. NAT is now commonly built into firewalls, gateways and routers.

At present, VPN and NAT are incompatible, so the two technologies cannot coexist in the same network. The reason is that NAT destroys the tunnel established by the VPN: when building the tunnel, IPSec applies its encryption and integrity check to the packet's addresses and checksum, and these are exactly the fields that NAT rewrites. If this problem were solved, a mass of medium and small sized enterprises could exchange data safely at lower cost, so a solution has a prosperous future of application.

Based on the theories of IPSec and NAT, the reasons for their incompatibility are presented. Several feasible ways of dealing with the incompatibility are analyzed and compared. Finally, combining the least-cost principle with the practical needs of today's medium and small sized enterprises, the method of UDP encapsulation with certain modification and extension of the IKE protocol is chosen to accomplish NAT traversal. In this way, the additional data processing is reduced to a minimum, and existing NAT equipment needs no reconfiguration. It is a good way to solve the problem before IPv6 is put into practice; from the user's perspective, this solution costs less and lets VPN and NAT work together.

According to the data processing in NAT traversal, the general structure of NAT traversal is designed. The structure clearly describes how to modify and extend the functions of the present protocol in order to accomplish NAT traversal. Two key...
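As an added illustration (not part of this abstract or of the thesis it summarizes), the following Python model shows the two behaviours the abstract contrasts: an AH-style integrity check that covers the IP addresses fails once a NAT rewrites the source address, while a UDP-encapsulated ESP packet passes the same NAT because its ICV covers only the ESP header and encrypted body, and the UDP ports give a NAPT something to translate. The key, addresses, SPI, port numbers and XOR "encryption" are constructed placeholders for the demonstration, not a real IPsec implementation.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed; real IPsec keys are negotiated by IKE


@dataclass(frozen=True)
class AHPacket:
    """IP packet protected by AH: the ICV covers the immutable IP header fields."""
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""


def ah_icv(pkt: AHPacket) -> bytes:
    # AH authenticates the addresses together with the payload, so any
    # change to src/dst by an intermediate box invalidates the ICV.
    msg = pkt.src.encode() + pkt.dst.encode() + pkt.payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def ah_send(src: str, dst: str, payload: bytes) -> AHPacket:
    pkt = AHPacket(src, dst, payload)
    return replace(pkt, icv=ah_icv(pkt))


def ah_verify(pkt: AHPacket) -> bool:
    return hmac.compare_digest(pkt.icv, ah_icv(pkt))


@dataclass(frozen=True)
class UdpEspPacket:
    """ESP carried inside UDP (the NAT-traversal encapsulation the abstract selects)."""
    src: str
    dst: str
    sport: int
    dport: int
    spi: int
    esp_body: bytes   # ciphertext in a real implementation; a toy transform here
    icv: bytes = b""


def esp_icv(pkt: UdpEspPacket) -> bytes:
    # ESP's ICV covers the ESP header (SPI) and encrypted body only; the outer
    # IP and UDP headers are deliberately outside its scope.
    msg = pkt.spi.to_bytes(4, "big") + pkt.esp_body
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def udp_esp_send(src: str, dst: str, spi: int, plaintext: bytes) -> UdpEspPacket:
    esp_body = bytes(b ^ 0x5A for b in plaintext)  # constructed stand-in for encryption
    pkt = UdpEspPacket(src, dst, sport=4500, dport=4500, spi=spi, esp_body=esp_body)
    return replace(pkt, icv=esp_icv(pkt))


def esp_verify(pkt: UdpEspPacket) -> bool:
    return hmac.compare_digest(pkt.icv, esp_icv(pkt))


class Napt:
    """Minimal source NAPT: rewrites the private source address to the public one
    and, when ports exist, allocates a distinct public port per inside flow."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: dict[tuple[str, int], int] = {}
        self.next_port = 40000

    def translate(self, pkt):
        if isinstance(pkt, AHPacket):
            # AH has no ports, so the address is the only field the NAT can rewrite.
            return replace(pkt, src=self.public_ip)
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.table[key])


def demo_ah() -> tuple[bool, bool]:
    """Returns (verifies before NAT, verifies after NAT) for an AH packet."""
    nat = Napt("203.0.113.1")                       # constructed public address
    pkt = ah_send("10.0.0.5", "198.51.100.7", b"hello")
    return ah_verify(pkt), ah_verify(nat.translate(pkt))


def demo_udp_esp() -> tuple[bool, bool]:
    """Returns (verifies after NAT, two inside hosts got distinct public ports)."""
    nat = Napt("203.0.113.1")
    a = nat.translate(udp_esp_send("10.0.0.5", "198.51.100.7", spi=0x1001, plaintext=b"hello"))
    b = nat.translate(udp_esp_send("10.0.0.6", "198.51.100.7", spi=0x1002, plaintext=b"world"))
    return esp_verify(a) and esp_verify(b), a.sport != b.sport


if __name__ == "__main__":
    print("AH  before/after NAT:", demo_ah())       # (True, False)
    print("UDP-ESP ok / ports distinct:", demo_udp_esp())  # (True, True)
```

The model shows why the abstract's choice of UDP encapsulation needs no change to the NAT device itself: the receiver's integrity check never sees the outer headers, and the NAT treats the tunnel as ordinary UDP traffic it already knows how to map per host.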