Network address translation
Secure transport encrypts traffic with standards-based IPsec using the Encapsulating Security Payload (ESP). As part of the secure transport feature, the SteelHead can further encapsulate ESP packets in UDP. ESP itself carries no transport-layer ports for a NAT device to rewrite, so this UDP encapsulation is what lets the SteelHead traverse the private-to-public address translation, commonly referred to as NAT, that the boundary device performs between the private LAN and the public WAN.
By default, RiOS uses UDP port 4500 for this encapsulation. On the SCC, NAT traversal is used when you mark a network as public and securable.
For a SteelHead to use a public and securable path, it must register its public IP address with the controller. On the SteelHead, you configure the public IP address and port number as part of the in-path interface configuration.
The public IP address is not discovered automatically, so you must enter it manually, and if it changes you must update it on the SteelHead. We recommend that you use a static IP address from your service provider for any network configured as public.
If you provide secure transport services over a public network in which NAT is used, the SteelHead acting as the controller must also have its public IP address assigned. You perform this configuration at the CLI on every SteelHead that is an available controller, for example:
DC-SH (config) # stp-controller address private-ip 172.16.250.132 public-ip 10.33.249.140 port 4500