This method is employed by vendors such as D-Link Systems, Linksys and Macsense Connectivity. You can expect to spend between $100 and $200 for an SME NAPT router.
Any IPsec packets that come into the NAPT device are forwarded by default to the designated host. This works because the client starts the negotiation by sending IKE traffic to the other end on UDP Port 500; that outbound exchange tells the NAPT device which inside host should receive the inbound IPsec traffic. Both ESP and AH are IP protocols in their own right, assigned protocol Nos. 50 and 51, respectively, and neither carries a port number, so the NAPT device has nothing but the protocol number to go on and sends every inbound ESP or AH packet to that one host. While not the most robust implementation, it does work for single installations. But what happens when multiple workstations behind the same NAPT device want to use IPsec at the same time?
In that case, you should get a product like Nexland's ISB2LAN or Asante Technologies' FriendlyNet 10/100 cable/DSL router, which supports multiple IPsec clients behind a NAPT device. These more robust products run between $150 and $250, depending on the features.
To get NAPT to work, we rely on the uniqueness of the source port number to translate between the private and public networks. IKE runs over UDP on Port 500, so the NAPT device can translate it like any other UDP flow: each inside client's source port is rewritten to a distinct public port, and the peer's replies are matched back to the right client on that port without any special process. (The one wrinkle is that the rewritten source port is no longer 500, which trips up IKE implementations that insist on a fixed source port of 500 as well as a fixed destination port.)
To pass IPsec traffic between hosts, we need something equally unique, and we find it in our friend the SPI. Remember, each IPsec SA is identified by the SPI, the destination IP address and the protocol number (ESP or AH). The SPIs for a pair of SAs are chosen during the IKE Phase 2 (Quick Mode) negotiation, one by each side, and an SPI-aware NAPT device keeps a table that maps each peer's inbound SPI to the VPN endpoint behind the NAT, much as the port table maps UDP replies (see "Translating IPsec"). One caveat: Quick Mode is itself encrypted under the IKE SA, so the NAPT device cannot read the SPIs out of the IKE exchange. It learns a client's outbound SPI from the first ESP packet that client sends and binds the peer's first reply SPI to that client, which is why two inside hosts negotiating with the same peer at the same moment is the case this technique handles least cleanly.
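As an added illustration (not code from the article or from any of the vendors named), the following Python model puts the two behaviours described above side by side: the single-host default of sending every inbound ESP or AH packet to whoever last initiated IKE, and SPI tracking for several clients. The addresses and SPIs are constructed, and the rule "bind a peer's first unknown inbound SPI to the inside host that most recently opened a new outbound SA to that peer" is an assumption standing in for whatever heuristic a given router implements.

```python
"""Toy model of how an SME NAPT router handles IKE (UDP/500) and ESP/AH.

Constructed example: addresses come from the documentation ranges and the
SPIs are made up. The SPI-learning rule is an assumed simplification, not a
description of any particular vendor's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IKE_PORT = 500
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # UDP only; ESP and AH carry no port numbers
    dport: int = 0
    spi: int = 0     # ESP and AH only


@dataclass
class Napt:
    public_ip: str
    spi_tracking: bool = True       # False = forward all ESP/AH to the last IKE initiator
    next_port: int = 40000          # next public source port to hand out
    # (peer, public port) -> (inside host, inside port): the ordinary UDP NAPT table
    udp_table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    last_ike_initiator: Optional[str] = None
    seen_out: Set[Tuple[str, int]] = field(default_factory=set)   # (peer, outbound SPI)
    pending: Dict[str, str] = field(default_factory=dict)          # peer -> inside host awaiting reply SPI
    esp_in: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (peer, inbound SPI) -> inside host

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet; returns it as sent on the public side."""
        if pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT:
            pub, self.next_port = self.next_port, self.next_port + 1
            self.udp_table[(pkt.dst, pub)] = (pkt.src, pkt.sport)
            self.last_ike_initiator = pkt.src
            # The source port is rewritten (and is no longer 500); destination port 500 stays.
            return Packet(PROTO_UDP, self.public_ip, pkt.dst, pub, IKE_PORT)
        if pkt.proto in (PROTO_ESP, PROTO_AH):
            if self.spi_tracking and (pkt.dst, pkt.spi) not in self.seen_out:
                # Quick Mode is encrypted, so the SPI is learned from the first ESP/AH
                # packet, not from IKE. The peer's first reply SPI will bind to this host.
                self.seen_out.add((pkt.dst, pkt.spi))
                self.pending[pkt.dst] = pkt.src
            return Packet(pkt.proto, self.public_ip, pkt.dst, spi=pkt.spi)
        raise ValueError("only IKE and ESP/AH are modelled")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means no mapping exists and it is dropped."""
        if pkt.proto == PROTO_UDP and pkt.sport == IKE_PORT:
            entry = self.udp_table.get((pkt.src, pkt.dport))
            if entry is None:
                return None
            inside, inside_port = entry
            return Packet(PROTO_UDP, pkt.src, inside, IKE_PORT, inside_port)
        if pkt.proto in (PROTO_ESP, PROTO_AH):
            if not self.spi_tracking:
                # Single-host default: no ports to match on, so everything goes to one host.
                if self.last_ike_initiator is None:
                    return None
                return Packet(pkt.proto, pkt.src, self.last_ike_initiator, spi=pkt.spi)
            key = (pkt.src, pkt.spi)
            inside = self.esp_in.get(key)
            if inside is None:
                # Unknown inbound SPI: bind it to the host that most recently opened a new
                # outbound SA to this peer. Two hosts racing toward one peer is ambiguous here.
                inside = self.pending.pop(pkt.src, None)
                if inside is None:
                    return None
                self.esp_in[key] = inside
            return Packet(pkt.proto, pkt.src, inside, spi=pkt.spi)
        return None


def run_scenario(spi_tracking: bool) -> List[Optional[str]]:
    """Two inside hosts, two peers. Returns the inside destination of each inbound ESP packet."""
    napt = Napt("192.0.2.1", spi_tracking=spi_tracking)
    a, b = "10.0.0.10", "10.0.0.11"
    peer_a, peer_b = "198.51.100.1", "198.51.100.2"
    ike_a = napt.outbound(Packet(PROTO_UDP, a, peer_a, IKE_PORT, IKE_PORT))
    ike_b = napt.outbound(Packet(PROTO_UDP, b, peer_b, IKE_PORT, IKE_PORT))
    # IKE replies are demultiplexed by the rewritten source port, in either mode.
    assert napt.inbound(Packet(PROTO_UDP, peer_a, napt.public_ip, IKE_PORT, ike_a.sport)).dst == a
    assert napt.inbound(Packet(PROTO_UDP, peer_b, napt.public_ip, IKE_PORT, ike_b.sport)).dst == b
    # Each host's first outbound ESP packet reveals its outbound SPI.
    napt.outbound(Packet(PROTO_ESP, a, peer_a, spi=0x1111))
    napt.outbound(Packet(PROTO_ESP, b, peer_b, spi=0x2222))
    # Peers reply on SPIs of their own choosing, numerically unrelated to the outbound ones.
    delivered = []
    for peer, spi in ((peer_a, 0xAAAA), (peer_b, 0xBBBB)):
        fwd = napt.inbound(Packet(PROTO_ESP, peer, napt.public_ip, spi=spi))
        delivered.append(fwd.dst if fwd else None)
    return delivered


if __name__ == "__main__":
    print("SPI tracking:", run_scenario(spi_tracking=True))
    print("single-host default:", run_scenario(spi_tracking=False))
```

With SPI tracking on, host A's peer replies reach A and host B's reach B. With the single-host default, both peers' ESP packets land on B, the last host to send IKE, which is exactly the multiple-workstation failure the single-host routers have.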