IPSEC pass through testing


IPSEC pass through is a technique that lets IPSEC packets traverse a NAT router. By itself, IPSEC does not survive NAT: ESP carries no transport-layer port numbers for the NAT to multiplex clients on, and AH authenticates the outer IP header that the NAT rewrites. Newer IKE and IPSEC implementations support NAT-Traversal (NAT-T), which detects the NAT and switches to UDP encapsulation of the ESP packets. However, many router vendors have developed a “pass through” technique that allows IPSEC packets to cross the NAT without requiring NAT-T support from the client or the server.

IPSEC pass through implementations vary in the features they support. Early implementations only supported a single client passing through the NAT at a time. Others allow multiple concurrent connections as long as each client is using a different VPN server, since the NAT can then map inbound packets on the server address alone. More advanced implementations track the IKE cookies and the IPSEC SPIs so that several clients can reach the same VPN server through the NAT.

CDRouter contains a few IPSEC pass through related testvars that can be used to control the testing of an IPSEC pass through implementation.

IPSEC Pass Through Options in CDRouter

testvar supportsIPSECpass yes

To enable IPSEC pass through testing, the testvar supportsIPSECpass must be set to yes. Otherwise, any IPSEC pass through tests will be skipped.

testvar alwaysUseIke yes

Some pass through mechanisms do not work unless IKE is used, because they key their state off the IKE exchange that precedes the IPSEC traffic. Setting alwaysUseIke to yes makes the tests always create an IKE session whenever IPSEC pass through is tested. NOTE: Such implementations do not support manually keyed tunnels, where there is no IKE exchange.

testvar ipsecPassRetransmit yes

By default, the IPSEC pass through tests send a single IPSEC packet for each check and do not retransmit it. Some pass through mechanisms always drop the first packet. Setting ipsecPassRetransmit to yes enables IPSEC retransmissions so that multiple IPSEC packets are sent during each test.

testvar ipsecMaxTunnels 10

The ipsecMaxTunnels testvar controls how many IPSEC pass through sessions CDRouter will attempt to create.

testvar ipsecScaleSameServer yes

During the IPSEC scaling tests in the scaling.tcl module, CDRouter creates multiple IPSEC tunnels, by default each to a different VPN server: every client connection uses a unique destination IP address for its VPN server. Set ipsecScaleSameServer to yes to make every IPSEC connection use the same VPN server instead. This exercises pass through implementations that must distinguish clients by something other than the server address.
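As an added illustration, not part of CDRouter or of this page's original text, the Python model below implements a toy NAT with each of the three pass through strategies described earlier (single client, per-server mapping, SPI tracking) and pushes two LAN clients through it, first to the same VPN server, the case ipsecScaleSameServer forces, then to different servers. The pairing rule used for SPI tracking (the first inbound packet with an unknown SPI from a server is bound to the client that most recently opened an outbound SA to that server) is an assumed heuristic, not a documented CDRouter or vendor behaviour; all addresses and SPI values are constructed.

```python
"""Toy model of the IPSEC pass-through strategies described on this page.

Added example, not CDRouter code. ESP (IP protocol 50) carries no transport
ports, so a NAT cannot multiplex LAN clients the way it does for TCP/UDP.
Three strategies are modelled:
  "single" - any inbound ESP goes to the one LAN client that last sent ESP
  "server" - inbound ESP is mapped on the VPN server address alone
  "spi"    - SPIs are tracked per client; the first inbound packet with an
             unknown SPI from a server is bound to the client that most
             recently opened an outbound SA to that server (assumed heuristic)
All addresses and SPI values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP = 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    spi: int


class PassThroughNAT:
    def __init__(self, wan_ip: str, mode: str) -> None:
        self.wan_ip = wan_ip
        self.mode = mode
        self.last_client: Optional[str] = None          # "single"
        self.by_server: Dict[str, str] = {}             # "server": server -> client
        self.out_spi: Dict[Tuple[str, int], str] = {}   # "spi": (server, spi) -> client, outbound SA
        self.in_spi: Dict[Tuple[str, int], str] = {}    # "spi": (server, spi) -> client, inbound SA
        self.pending: Dict[str, List[str]] = {}         # "spi": server -> clients awaiting inbound SPI
        self.dropped = 0

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: learn state for every strategy, rewrite the source address."""
        if p.proto == ESP:
            self.last_client = p.src
            self.by_server[p.dst] = p.src
            if (p.dst, p.spi) not in self.out_spi:      # first packet of a new outbound SA
                self.out_spi[(p.dst, p.spi)] = p.src
                self.pending.setdefault(p.dst, []).append(p.src)
        return Packet(self.wan_ip, p.dst, p.proto, p.spi)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """WAN -> LAN: choose the LAN client for this strategy, or drop (None)."""
        client: Optional[str] = None
        if p.proto == ESP:
            if self.mode == "single":
                client = self.last_client
            elif self.mode == "server":
                client = self.by_server.get(p.src)
            elif self.mode == "spi":
                key = (p.src, p.spi)
                client = self.in_spi.get(key)
                if client is None and self.pending.get(p.src):
                    client = self.pending[p.src].pop(0)
                    self.in_spi[key] = client
        if client is None:
            self.dropped += 1              # unsolicited or unmappable ESP is never forwarded
            return None
        return Packet(p.src, client, p.proto, p.spi)


WAN = "203.0.113.2"
CLIENT_A, CLIENT_B = "192.168.1.10", "192.168.1.11"


def _bring_up(nat: PassThroughNAT, pairs) -> List[Optional[str]]:
    """Each (client, server, out_spi, in_spi) sends one ESP packet, then the
    server answers with the client's inbound SPI. Returns who got each answer."""
    for client, server, out_spi, _ in pairs:
        nat.outbound(Packet(client, server, ESP, out_spi))
    delivered = []
    for _, server, _, in_spi in pairs:
        reply = nat.inbound(Packet(server, WAN, ESP, in_spi))
        delivered.append(reply.dst if reply else None)
    return delivered


def same_server(mode: str) -> List[Optional[str]]:
    """Two clients to one VPN server (the ipsecScaleSameServer case)."""
    srv = "198.51.100.10"
    return _bring_up(PassThroughNAT(WAN, mode),
                     [(CLIENT_A, srv, 0x1000A, 0x2000A), (CLIENT_B, srv, 0x1000B, 0x2000B)])


def different_servers(mode: str) -> List[Optional[str]]:
    """Two clients, each to its own VPN server (the default scaling case)."""
    return _bring_up(PassThroughNAT(WAN, mode),
                     [(CLIENT_A, "198.51.100.10", 0x1000A, 0x2000A),
                      (CLIENT_B, "198.51.100.11", 0x1000B, 0x2000B)])


def unsolicited_dropped(mode: str) -> bool:
    """ESP arriving from the WAN with no LAN state behind it must not be forwarded."""
    nat = PassThroughNAT(WAN, mode)
    return nat.inbound(Packet("198.51.100.99", WAN, ESP, 0x3000)) is None and nat.dropped == 1


if __name__ == "__main__":
    for mode in ("single", "server", "spi"):
        print(f"{mode:6} same server: {same_server(mode)}  different servers: {different_servers(mode)}")
```

Running the model shows the progression the page describes: with "single" both inbound SAs land on the last client that spoke; with "server" the two clients work only while they use different servers, and collide on the same one; only SPI tracking delivers both clients' inbound traffic correctly in the same-server case. In every mode, ESP from a server with no LAN state behind it is dropped rather than forwarded to an arbitrary host.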

testvar unknownPassthrough yes

If the pass through mechanism also works for IP protocol types other than ESP and AH, set the testvar unknownPassthrough to yes.

testvar ipsecAddressType private

Most routers support IPSEC pass through with private addresses on the LAN interface, so ipsecAddressType should normally be set to ‘private’. Some routers, however, require a DMZ-style configuration in which the public IP address is used on the LAN side; in these cases set ipsecAddressType to ‘public’.