IPsec VPN uses a different protocol (ESP) for the actual data transfer than for establishing the connection (IKE). Since the ESP protocol does not use network ports, NAT (Network Address Translation) routers may have difficulties handling it correctly. Only NAT routers that support "IPSec Passthrough" (sometimes also named "VPN Passthrough" or "ESP Passtrhough") and where this option is also enabled, can handle ESP data packets.
To work around this problem, two alternative tunneling methods exist:
- NAT-Traversal (old, RFC draft version)
- NAT-Traversal (new, RFC standard version)
Which of these methods will work with your connection depends on two properties:
- Which of these methods allows traffic to pass through your local Internet router.
- Which of these methods are supported by your VPN remote gateway.
To test for the first property, VPN Tracker will automatically establish three VPN test connections to a VPN gateway hosted by us whenever it detects a new router that has not been tested before. One connection uses plain ESP, the other two either NAT-T method mentioned above. It will remember the test results for this router and take them into account whenever you start a connection from the network location. The reason we are testing with our own gateway is simply that the test requires a gateway supporting all three methods, with a known configuration and a simply way to verify if traffic did arrive at that gateway.
The second property is not tested in advance, VPN Tracker will become aware of that information when it actually tries to connect to your VPN gateway. VPN Tracker will compare the methods your gateway supports with the stored test results. If there is a match, a method that your gateway supports and that was also working during the test, this method will be used. If there is no match, VPN Tracker will immediately stop and show an appropriate error in the log, explaining the situation.
If you suspect a NAT-Traversal issue or you think the previous test results may be wrong or outdated, simply re-run the test:
‣ Make sure NAT-Traversal (Advanced tab) is set to Automatic
‣ Go to "Tools" > "Test VPN Availability"
‣ Click "Test Again"
‣ Wait until the test has completed, then connect to your VPN
The test dialog also allows you to tell VPN Tracker to not test the current location and forget any previously created test results. This is rarely needed and also not recommended but there might be situation where the test results are wrong because access to our VPN gateway is not possible (e.g. it is blocked) and thus the test result are just bogus and say nothing about the true capabilities of your VPN gateway.