Protocol overview

Although networks can use private IPv4 addresses they want, they are not necessarily connected to the Internet or other remote networks. They must use public routable IPv4 addresses for applications to function properly and to be routed on the Internet.

However, IPv4 public and routable addresses are limited. Turbo IPsec provides a solution by hiding the IP addresses of the internal devices, making internally generated packets appear as though they are coming from another device that does have a public and routable address.

This mechanism is called NAT and is represented in the following figure, where private addresses are translated to one public address to access the Internet


Several public addresses may be used.


NAT: Address translation

NAT process

NAT translation changes the source address and port of the outgoing packets as well as the destination address and port of the incoming packets. To perform this translation, the NAT process maintains a translation table.

In dynamic mode, this table is updated when a new outgoing session is detected. In this mode, translation is possible only if the traffic is initiated from the private network (mono-directional). The lifetime of translation entries is limited and depends on the state of the session (especially for TCP sessions). The translation address is always the IPv4 address of the NAT interface (the router’s public interface). If necessary, the source port can be changed to avoid confusion between sessions toward the same host and port.

The translation table can also be updated manually by configuring static associations. This is the static mode. In this mode, the translation operates when the traffic is initiated from the private network as well as from the public one (bi-directional). The lifetime of translation entries is infinite. Static translation rules can be set with address and/or protocol and port. They are mainly used to proxy external connections to internal connections.

Static and dynamic modes can run simultaneously.


Encapsulating IPv4 packets (6in4, 4in4) cannot be sent to NAT, because they do not have any session ID (for example a port number).