VPN Screens 13-9
Contivity 221 VPN Switch User's Guide

13.7.1 NAT Traversal Configuration

For NAT traversal to work you must:

• Use the ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
• Enable NAT traversal on both IPSec endpoints.

In order for VPN switch A (see the figure) to receive an initiating IPSec packet from VPN switch B, set the NAT router to forward UDP port 500 to VPN switch A.

13.8 ID Type and Content

With aggressive negotiation mode (see section 13.13.1), the Contivity 221 identifies incoming SAs by ID type and content, because in aggressive mode this identifying information is sent unencrypted in the first IKE message. This lets the Contivity 221 distinguish between multiple rules for SAs that connect from remote VPN switches with dynamic WAN IP addresses: telecommuters can use separate pre-shared keys (passwords) to connect simultaneously to the Contivity 221 from VPN switches with dynamic IP addresses. The trade-off is that the peer identity travels in the clear and can be read by anyone on the path between the two switches.

Note: Regardless of the ID type and content configuration, the Contivity 221 does not allow you to save multiple active rules with overlapping local and remote IP addresses.

With main mode (see section 13.13.1), the ID type and content are encrypted to provide identity protection, so they are not available when the first packet arrives. In this case the Contivity 221 can only distinguish between up to eight different incoming SAs that connect from remote VPN switches with dynamic WAN IP addresses. The limit is eight because the only unencrypted information it can match on is the proposal, and when you configure a VPN rule (see section 13.14) you can select between two encryption algorithms (DES and 3DES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2): 2 x 2 x 2 = 8 distinct combinations. The ID type and content act as an extra level of identification for incoming SAs.

The type of ID can be a domain name, an IP address or an e-mail address. The content is the corresponding domain name, IP address or e-mail address.
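The following Python model, added here as an illustration and not taken from the Contivity 221 User's Guide or its firmware, shows why rule selection differs between the two modes described in section 13.8: an aggressive-mode responder can key on the cleartext ID payload, while a main-mode responder sees only the proposal and so cannot tell apart two dynamic-address peers that chose the same DES/3DES, MD5/SHA1, DH1/DH2 combination. The rule and message fields, the `remote_gateway == "0.0.0.0"` convention for "dynamic peer", and all sample rules are constructed assumptions for the example, not the switch's configuration schema.

```python
"""Added example: VPN rule selection for dynamic-address IKE peers.

Models the behaviour described in section 13.8 of the Contivity 221 guide.
Field names, the "0.0.0.0" dynamic-gateway convention and the sample rules
are constructed for illustration and are not the product's own schema.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations, product
from typing import List, Optional

# Choices offered on the VPN rule screen (section 13.14 of the guide).
ENCRYPTION = ("DES", "3DES")
AUTHENTICATION = ("MD5", "SHA1")
KEY_GROUPS = ("DH1", "DH2")


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    key_group: str


@dataclass(frozen=True)
class VpnRule:
    name: str
    mode: str                   # "main" or "aggressive"
    proposal: Proposal
    local_net: str              # protected network behind this switch
    remote_net: str             # protected network behind the peer
    remote_gateway: str         # peer WAN address; "0.0.0.0" = dynamic (assumption)
    peer_id_type: Optional[str] = None   # "ip", "dns" or "email"
    peer_id: Optional[str] = None


@dataclass(frozen=True)
class Phase1Request:
    """What the responder can see in the initiator's first message."""
    mode: str
    proposal: Proposal
    # Aggressive mode carries the ID payload in the clear in message 1;
    # main mode only sends it encrypted later, so it is None on arrival.
    id_type: Optional[str] = None
    id_content: Optional[str] = None


def select_rule(rules: List[VpnRule], request: Phase1Request) -> List[VpnRule]:
    """Return every rule the first message could belong to.

    Aggressive mode: narrow by the cleartext ID type and content.
    Main mode: the ID is encrypted, so only the proposal can be matched and
    several rules may remain candidates.
    """
    candidates = [r for r in rules
                  if r.mode == request.mode and r.proposal == request.proposal]
    if request.mode == "aggressive":
        candidates = [r for r in candidates
                      if (r.peer_id_type, r.peer_id) == (request.id_type, request.id_content)]
    return candidates


def validate_rules(rules: List[VpnRule]) -> List[str]:
    """Check the two constraints stated in section 13.8; return problems found."""
    problems = []
    # 1. No two active rules may overlap on both local and remote addresses.
    for a, b in combinations(rules, 2):
        if (ip_network(a.local_net).overlaps(ip_network(b.local_net))
                and ip_network(a.remote_net).overlaps(ip_network(b.remote_net))):
            problems.append(f"{a.name} and {b.name} overlap on local and remote addresses")
    # 2. Main-mode rules for dynamic peers are told apart by proposal only.
    seen = {}
    for r in rules:
        if r.mode == "main" and r.remote_gateway == "0.0.0.0":
            if r.proposal in seen:
                problems.append(f"{r.name} is indistinguishable from {seen[r.proposal]} in main mode")
            seen.setdefault(r.proposal, r.name)
    return problems


def max_main_mode_dynamic_peers() -> int:
    """2 encryption x 2 authentication x 2 key groups = 8 distinct proposals."""
    return len({Proposal(*c) for c in product(ENCRYPTION, AUTHENTICATION, KEY_GROUPS)})


STRONG = Proposal("3DES", "SHA1", "DH2")
WEAK = Proposal("DES", "MD5", "DH1")

# Constructed sample rule set: two main-mode and two aggressive-mode dynamic peers.
SAMPLE_RULES = [
    VpnRule("branch-1", "main", STRONG, "192.168.1.0/24", "10.1.1.0/24", "0.0.0.0"),
    VpnRule("branch-2", "main", WEAK, "192.168.1.0/24", "10.1.2.0/24", "0.0.0.0"),
    VpnRule("alice", "aggressive", STRONG, "192.168.1.0/24", "10.1.3.0/24", "0.0.0.0",
            "email", "alice@example.com"),
    VpnRule("bob", "aggressive", STRONG, "192.168.1.0/24", "10.1.4.0/24", "0.0.0.0",
            "email", "bob@example.com"),
]

if __name__ == "__main__":
    print("problems:", validate_rules(SAMPLE_RULES))
    print("main mode STRONG ->", [r.name for r in select_rule(SAMPLE_RULES, Phase1Request("main", STRONG))])
    print("aggressive bob ->", [r.name for r in select_rule(
        SAMPLE_RULES, Phase1Request("aggressive", STRONG, "email", "bob@example.com"))])
    print("max main-mode dynamic peers:", max_main_mode_dynamic_peers())
```

Adding a third main-mode dynamic peer that also selects 3DES/SHA1/DH2 makes `validate_rules` report it as indistinguishable from `branch-1`, which is the practical meaning of the "up to eight" limit; the same peers configured in aggressive mode with distinct e-mail IDs coexist without trouble, at the price of exposing those IDs on the wire.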