A virtual private network (VPN) extends a private network across a public network (such as the Internet), and enables users to send and receive data across a shared or public network as if their computing devices were directly connected to the private network.
Referring to FIG. 1, which is a schematic diagram of a VPN sending data over a public network, a client computer 2 in A network 1 is going to send data 3 through a client VPN service 4, a public network 5 (for instance the Internet) and a destination VPN service 6 to a destination computer 8 in B network 7.
Before the data 3 is sent out of A network 1 through the client VPN service 4, the client VPN service 4 first allocates to the client computer 2 a pair of IP addresses belonging to B network 7. Two sets of message are therefore added after the data 3: the first message is a TCP/UDP header, and the second message contains a source IP address in B network 7 and a destination IP address in B network 7. TCP stands for Transmission Control Protocol and UDP for User Datagram Protocol.
As the data 3 is sent onto the public network 5, a third message is added after the second message, namely an external IP of the client and an external IP of the destination, which are the addresses allocated by the public network 5 to the client VPN service 4 and to the destination VPN service 6 respectively.
After the data 3 has been carried by the public network 5 through the destination VPN service 6 into B network 7, the external IP of the client and the external IP of the destination are peeled off, and the rest of the data 3 is delivered to the destination computer 8 using the inner B network addresses.
In the present Internet environment, more and more users install NAT (Network Address Translator) devices. Network address translation (NAT) is a technique of remapping the source IP address (and source port) of an IP packet to another while the packet transits the NAT; because an inbound packet is only forwarded when a matching mapping already exists, a NAT also acts as a firewall for unsolicited inbound traffic.
Referring to FIG. 2, if a NAT 9 is installed between the public network 5 and a local area network 12, then when the data 3 is sent from the local area network 12, the NAT 9 rewrites the source IP of the local area network 12 to the external IP of the NAT 9, and rewrites the source port X to a port Z chosen by the NAT 9, recording the mapping so that replies to port Z can be sent back to the original host and port X.
Referring to FIG. 3, if the NAT 9 is instead installed between the public network 5 and the client VPN service 4, then when the data 3 is sent out from the client VPN service 4, the NAT 9 finds that the two sets of message following the TCP/UDP header are not as simple to identify as those of FIG. 2: there is no TCP/UDP port field directly behind the outer IP addresses for it to rewrite, so it cannot translate the packet to the external IP of the NAT 9 and discards it, breaking the continuity of the data.
There is a simple method to solve the problem of FIG. 3, shown in FIG. 4: when the data 3 is sent out from the client VPN service 4, an extra UDP header is added after the two sets of message of the data 3, and the external IP of the client and the external IP of the destination are added after that extra UDP header. The NAT 9 now sees an ordinary UDP packet, rewrites the external IP of the client to the external IP of the NAT 9 (and the UDP source port to a port of its own), and the data 3 passes through the public network 5 to the destination VPN service 6, which strips the extra UDP header before decapsulating. This is called the NAT-T (NAT-Traversal) method; in IPsec, for example, it is the UDP encapsulation standardized in RFC 3948, which uses UDP port 4500.
Referring to FIG. 5, if a NAT 10 is installed on the outside of the destination VPN service 6, NAT-T alone is not sufficient. A NAT only creates a translation entry when a packet passes through it outbound; since the destination VPN service 6 is arranged to receive data, no packet is sent from the destination VPN service 6 to the NAT 10, the port Y of the NAT 10 is never opened to receive data, and the NAT 10 has no entry telling it where to deliver an inbound packet addressed to port Y, so the data 3 is blocked by the NAT 10.
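The following simulation is an added example, not code from the original document, that walks through the encapsulation described for FIG. 1 and the four NAT situations of FIG. 2 to FIG. 5. Packets are built with real IPv4, TCP and UDP header layouts (checksums are left zero because nothing here verifies them). The addresses, ports, the payload, the use of IP-in-IP (protocol 4) for the plain tunnel of FIG. 3, and the names Nat, vpn_encapsulate and run_scenarios are all assumptions made for the illustration. Beyond what the text states, the last scenario also shows that a single outbound packet from behind NAT 10 is what opens port Y.

```python
"""Simulation of VPN encapsulation (FIG. 1) and NAT behaviour (FIG. 2 to FIG. 5).
Added example; every address, port and payload below is constructed for it."""
import struct
import ipaddress

PROTO_IPIP, PROTO_TCP, PROTO_UDP = 4, 6, 17   # IANA IP protocol numbers
NAT_T_PORT = 4500                              # UDP port used by IPsec NAT-T (RFC 3948)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header without options; checksum field left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Return (src, dst, proto, header_len) for the IPv4 header at the start of pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], ihl)


def tcp_header(sport, dport):
    """20-byte TCP header: seq/ack 0, data offset 5, flags PSH|ACK, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def vpn_encapsulate(data, inner_src, inner_dst, sport, dport, outer_src, outer_dst,
                    nat_t=False, outer_dport=NAT_T_PORT):
    """Client VPN service 4: data + TCP header + inner (B network) IP pair + outer IP pair.
    With nat_t=True the extra UDP header of FIG. 4 sits between inner and outer IP."""
    segment = tcp_header(sport, dport) + data
    inner = ipv4_header(inner_src, inner_dst, PROTO_TCP, len(segment)) + segment
    if nat_t:
        wrapped = udp_header(NAT_T_PORT, outer_dport, len(inner)) + inner
        return ipv4_header(outer_src, outer_dst, PROTO_UDP, len(wrapped)) + wrapped
    return ipv4_header(outer_src, outer_dst, PROTO_IPIP, len(inner)) + inner   # plain tunnel (assumed IP-in-IP)


def vpn_decapsulate(pkt):
    """Destination VPN service 6: peel off the outer IP header (and the NAT-T UDP header)."""
    _, _, proto, ihl = parse_ipv4(pkt)
    inner = pkt[ihl:]
    return inner[8:] if proto == PROTO_UDP else inner


def inner_fields(inner):
    """(src, dst, sport, dport, payload) of a decapsulated inner TCP/IP packet."""
    src, dst, _, ihl = parse_ipv4(inner)
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return src, dst, sport, dport, inner[ihl + 20:]


class Nat:
    """NAPT device: rewrites source IP/port of outbound TCP/UDP packets and forwards an
    inbound packet only when its destination port was opened by earlier outbound traffic."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip, self.next_port = external_ip, first_port
        self.out_map = {}   # (internal_ip, internal_port, proto) -> external_port
        self.in_map = {}    # (external_port, proto) -> (internal_ip, internal_port)

    def outbound(self, pkt):
        src, _, proto, ihl = parse_ipv4(pkt)
        if proto not in (PROTO_TCP, PROTO_UDP):
            return None                                   # FIG. 3: no port field it can rewrite
        sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
        key = (src, sport, proto)
        if key not in self.out_map:                       # allocate port Z and remember X
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, proto)] = (src, sport)
            self.next_port += 1
        return (pkt[:12] + ipaddress.IPv4Address(self.external_ip).packed + pkt[16:ihl]
                + struct.pack("!H", self.out_map[key]) + pkt[ihl + 2:])

    def inbound(self, pkt):
        _, _, proto, ihl = parse_ipv4(pkt)
        if proto not in (PROTO_TCP, PROTO_UDP):
            return None
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        target = self.in_map.get((dport, proto))
        if target is None:
            return None                                   # FIG. 5: port Y never opened
        int_ip, int_port = target
        return (pkt[:16] + ipaddress.IPv4Address(int_ip).packed + pkt[20:ihl + 2]
                + struct.pack("!H", int_port) + pkt[ihl + 4:])


def run_scenarios():
    """Run FIG. 2 to FIG. 5 and report what each NAT does with the data."""
    data = b"hello from A network"                        # constructed payload
    results, nat9 = {}, Nat("198.51.100.9")
    # FIG. 2: plain TCP from a LAN host; NAT 9 rewrites source IP and port X -> Z
    plain = ipv4_header("192.168.1.2", "203.0.113.8", PROTO_TCP, 20 + len(data)) + tcp_header(1234, 80) + data
    out = nat9.outbound(plain)
    results["fig2"] = (parse_ipv4(out)[0], struct.unpack("!H", out[20:22])[0])
    # FIG. 3: VPN tunnel without NAT-T; NAT 9 finds no port field and drops it
    tunnel = vpn_encapsulate(data, "10.2.0.5", "10.2.0.8", 1234, 80, "192.168.1.4", "203.0.113.6")
    results["fig3"] = nat9.outbound(tunnel) is not None
    # FIG. 4: NAT-T; NAT 9 treats the packet as ordinary UDP, destination decapsulates it
    tunnel_t = vpn_encapsulate(data, "10.2.0.5", "10.2.0.8", 1234, 80, "192.168.1.4", "203.0.113.6", nat_t=True)
    out = nat9.outbound(tunnel_t)
    results["fig4"] = None if out is None else inner_fields(vpn_decapsulate(out))
    # FIG. 5: NAT 10 in front of destination VPN service 6, which has sent nothing yet
    nat10 = Nat("203.0.113.6")
    results["fig5"] = nat10.inbound(out) is not None
    # Beyond the text: one outbound NAT-T packet from 6 opens a port on NAT 10, and a
    # client packet aimed at that port is then delivered
    opened = nat10.outbound(vpn_encapsulate(b"", "10.2.0.8", "10.2.0.5", 80, 1234, "172.16.0.6", "198.51.100.9", nat_t=True))
    hole = struct.unpack("!H", opened[20:22])[0]
    back = vpn_encapsulate(data, "10.2.0.5", "10.2.0.8", 1234, 80, "192.168.1.4", "203.0.113.6", nat_t=True, outer_dport=hole)
    results["fig5_after_outbound"] = nat10.inbound(nat9.outbound(back)) is not None
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The NAT model is deliberately minimal (no timeouts, no address-and-port restriction on inbound packets), which is enough to reproduce the four outcomes: FIG. 2 and FIG. 4 pass, FIG. 3 is dropped because the outer header carries no port, and FIG. 5 is dropped because nothing has yet created a mapping for port Y.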