Coordinator Connection via Firewall with Dynamic NAT

This connection option is suitable if you need to protect the IP traffic of nodes in the local network, and there is a firewall or NAT device on the border of the local network that won't let you easily set static rules of address translation. In this case, we recommend that you install ViPNet Coordinator and set the connection parameters (via a firewall with dynamic address translation) on one of the network interfaces of this coordinator. After that, you should set all the ViPNet clients on your local network to work through this coordinator.

A connection via a firewall with dynamic address translation is the universal connection type and can be used in practically any case. However, the main purpose of this connection is to provide a secure, two-sided link with nodes working through NAT devices on which it is difficult or impossible to set static rules of address translation (including the case where the user lacks the rights to do so). This situation is typical for simple network devices like DSL or wireless routers, or when Internet Connection Sharing (ICS) is used. It is also often impossible to configure the NAT devices of mobile phone providers (e.g., GPRS, UMTS networks), home networks, and other providers that assign private addresses.

All NAT devices pass UDP traffic by automatically creating so-called dynamic NAT rules. A rule is created from the parameters of an outgoing packet as it passes through the NAT device. Incoming packets whose parameters match a dynamic rule are passed for some time. A certain amount of time after the last outgoing packet, the dynamic rule is erased and incoming packets are blocked by the NAT device. This means that an external source cannot initiate a connection with a network node working through a NAT device unless that node has first sent outgoing traffic.

To overcome this problem, you must use the With dynamic address translation firewall type. Furthermore, a ViPNet coordinator that is always accessible must be located in the external network. Let's call this coordinator the coordinator for incoming traffic. For a client, the coordinator for incoming traffic is its IP address server. The coordinator for incoming traffic can be reached directly or via a firewall with static address translation. The coordinator for incoming traffic must not work through the same firewall as the client.

A network node working through a NAT device will periodically send UDP packets to its coordinator for incoming traffic. By default, the sending period is 25 seconds. This allows any external network node to send IP packets to the network node via the coordinator for incoming traffic. In response, the network node will always send its outgoing reply IP packets directly to the external node, bypassing the coordinator for incoming traffic.

After receiving the first IP packet, the external network node will send all further IP traffic directly to the network node working through the NAT device. In this way, a direct UDP traffic exchange between ViPNet nodes is established. This technology provides uninterrupted access to ViPNet nodes working through NAT devices (because the periodic packets keep the dynamic rules on the NAT device from being deleted). At the same time, it gives a high speed of encrypted traffic exchange, since the coordinator for incoming traffic is used only when the exchange is initiated, and all subsequent traffic is exchanged directly between ViPNet nodes.

To configure a coordinator's connection via a firewall (NAT) where static rules of address translation are difficult or impossible:

  1. Select the coordinator node and click the Firewall tab.
  2. Ensure there is a tick in the Use firewall check box.
  3. Select With dynamic address translation from the Firewall type drop-down box.

  4. Select the IP address of the network interface that connects to the firewall from the IP address of network interface connected to the firewall drop-down list box. If you cannot specify the exact IP address and want to do it manually on the coordinator node itself, select Chosen on the network node.

    Note: To display a list of IP addresses, you should have previously specified them via the IP addresses tab.

  5. If you know the IP addresses of the external interface of the firewall (and they are not changed dynamically):
    1. Click the Add button in the External firewall IP addresses section of the screen.

      The IP address window appears:

    2. Type an IP address and click OK. Note: IP addresses must be unique. If an IP address already exists, the program will warn you.
  6. Select the coordinator that will pass traffic through the firewall from the Coordinator for incoming traffic drop-down box.

    Note: This coordinator must be located in a network external to the coordinator you are setting up (i.e., they must be separated by the firewall). The coordinator for incoming traffic must be accessible (directly or through a firewall with static address translation) and must not work through the same firewall as the coordinator you are setting up. You can choose a coordinator that is connected with this coordinator.

    If you want the network configuration you are creating to work correctly, the coordinator for incoming traffic should not work through a firewall with dynamic address translation or another coordinator.

  7. If the Positional relationship between network node and coordinator drop-down list box is displayed, you have chosen a coordinator for incoming traffic that itself works through a firewall with dynamic address translation or through another coordinator. Either:
  8. Specify how often the coordinator for incoming traffic will pass incoming traffic through the firewall from the Coordinator polling period field. The default is 25 seconds. The poll period mustn't be much more than the session timeout for the dynamic rule on the NAT device. Different NAT devices have different session timeouts, but usually the session timeout is no less than 30 seconds.
  9. If you want all connections with other network nodes to be made only through the coordinator for incoming traffic (i.e., the direct-exchange technology described above won't be used), tick the Entire VPN traffic with external nodes to be directed through coordinator check box. Note: Due to the increased traffic through the coordinator, the speed of data exchange can slow down. On the other hand, connections in the ViPNet network can be more stable.
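The mechanism described above (periodic UDP packets to the coordinator for incoming traffic keeping a dynamic NAT rule alive, the first packet relayed via the coordinator, replies sent directly) and the constraint in step 8 (polling period versus the NAT session timeout) can be checked with a small simulation. This is an added example with a constructed model of a NAT device, not ViPNet's own code; the addresses, ports and the 30-second timeout are assumed sample values.

```python
from dataclasses import dataclass, field

# Constructed model of a NAT device with dynamic rules and an idle timeout
# (illustrative, not ViPNet's implementation). Endpoints are (ip, udp_port).
CLIENT = ("192.168.1.10", 55777)      # node behind the NAT device (sample value)
COORDINATOR = ("203.0.113.5", 55777)  # coordinator for incoming traffic (sample value)
EXTERNAL = ("198.51.100.7", 55777)    # external ViPNet node that wants to reach CLIENT


@dataclass
class DynamicNat:
    session_timeout: float                      # seconds a rule survives after the last outgoing packet
    rules: dict = field(default_factory=dict)   # (inner endpoint, outer endpoint) -> time of last outgoing packet

    def outgoing(self, now, src, dst):
        """An outgoing UDP packet creates or refreshes the dynamic rule for its flow."""
        self.rules[(src, dst)] = now

    def incoming(self, now, src, dst):
        """An incoming packet passes only if a matching, unexpired rule exists."""
        last = self.rules.get((dst, src))
        if last is None:
            return False
        if now - last > self.session_timeout:
            del self.rules[(dst, src)]          # the NAT device erases the stale rule
            return False
        return True


def simulate(poll_period, session_timeout, contact_time):
    """Return (via_coordinator_passed, direct_passed) for an external node that
    contacts CLIENT at contact_time. CLIENT sends a UDP packet to COORDINATOR
    every poll_period seconds (the coordinator polling period); 0 means never."""
    nat = DynamicNat(session_timeout)
    if poll_period > 0:
        t = 0.0
        while t <= contact_time:
            nat.outgoing(t, CLIENT, COORDINATOR)   # periodic packet keeps the rule alive
            t += poll_period
    # The external node's first packet is relayed by the coordinator for incoming
    # traffic, so it reaches the NAT device with the coordinator as its source.
    via_coordinator = nat.incoming(contact_time, COORDINATOR, CLIENT)
    if not via_coordinator:
        return False, False
    # CLIENT replies directly to the external node, bypassing the coordinator;
    # that outgoing packet creates a dynamic rule for the direct flow ...
    nat.outgoing(contact_time, CLIENT, EXTERNAL)
    # ... so the external node's next packet, sent directly, is passed.
    direct = nat.incoming(contact_time + 1, EXTERNAL, CLIENT)
    return via_coordinator, direct
```

With the default 25-second polling period and a 30-second session timeout the external node gets through and the exchange continues directly; with a polling period longer than the timeout, or with no keepalives at all, the NAT device blocks the first packet.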


© 2007 Infotecs