How can I disable/enable NAT traversal in VPN settings? | SonicWall (2024)

09/29/2023 | 52 People found this article helpful | 470,921 Views

Description

NOTE: This article describes NAT traversal using tunnel mode and the ESP protocol as an example. NAT traversal is also supported with the AH protocol and in transport mode.

What is NAT-T or NAT traversal in IPsec VPN?

Traditionally, IPsec does not work when traversing a device doing NAT/PAT (Network Address Translation and Port Address Translation). If either or both of the devices terminating IPsec are behind a NAT device, IPsec will not work. NAT-T, or NAT traversal, was developed to overcome this problem.

NAT-T is an IKE phase 1 algorithm that is used when establishing an IPsec VPN between two gateway devices where there is a NAT device in front of one or both of the gateway devices.

What is the purpose of using the NAT-T feature?

In IPsec, all critical information, along with the UDP/TCP header, is encapsulated within the ESP or AH header. ESP and AH are themselves protocols like TCP or UDP and carry no port information. If a NAT device sits between two IPsec gateways and is doing many-to-one NAT, it needs to do PAT (Port Address Translation) as well to maintain a consistent and proper session table. If a packet is encapsulated by an ESP or AH header, the PAT/NAT device has no port information with which to translate the source port, and the result is that IPsec traffic will not pass through the PAT/NAT device.

When the NAT-T feature is used, IPsec traffic is encapsulated in a UDP header with source and destination port number 4500, which provides the port information the NAT device needs to do Port Address Translation.

How does NAT-T or NAT traversal work?

In IKE main mode, the first two messages detect whether the NAT-T feature is supported on the IPsec gateways, and messages three and four detect whether there is a NAT device between the IPsec gateways. If the IPsec gateways support the NAT-T feature, both devices send a NAT-D (NAT Discovery) payload. The payload is the hash of the source and destination IP and the source and destination port. The receiving device recalculates the hash: if the hash matches, there is no NAT device in between; if the hash doesn't match, there is a NAT device in between.

If the IPsec gateways detect the existence of a NAT device, then from messages five and six of Phase 1 onward, all IPsec packets are encapsulated in a UDP header with source and destination port 4500 (including quick mode messages and user data).
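The NAT-D comparison described above, as an added example that is not from the SonicWall article. It follows the RFC 3947 definition of the NAT-D value, HASH(CKY-I | CKY-R | IP | Port), with one payload per end of the connection; the cookies, addresses and the choice of SHA-1 are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed
    # SHA-1 is an assumption here; IKE uses whatever hash Phase 1 negotiated.
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()

def build_nat_d(cky_i, cky_r, src, dst):
    """Sender side: hash of the destination end first, then of the source end."""
    return nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)

def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver side: recompute from the addresses actually seen on the wire."""
    sent_dst, sent_src = nat_d
    peer = sent_src != nat_d_hash(cky_i, cky_r, *seen_src)
    local = sent_dst != nat_d_hash(cky_i, cky_r, *seen_dst)
    return {"peer_behind_nat": peer, "local_behind_nat": local,
            "use_udp_4500": peer or local}

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
INITIATOR = ("192.168.1.10", 500)    # private address behind a PAT device
RESPONDER = ("198.51.100.20", 500)   # public gateway
PAT_PUBLIC = ("203.0.113.5", 1024)   # what the PAT device rewrites the source to

def run_cases():
    payloads = build_nat_d(CKY_I, CKY_R, INITIATOR, RESPONDER)
    direct = detect_nat(CKY_I, CKY_R, payloads, INITIATOR, RESPONDER)
    natted = detect_nat(CKY_I, CKY_R, payloads, PAT_PUBLIC, RESPONDER)
    return direct, natted

if __name__ == "__main__":
    for name, result in zip(("no NAT in path", "initiator behind PAT"), run_cases()):
        print(name, result)
```

Because the source hash was computed over the private address and port, any rewrite by the PAT device makes the responder's recomputed value differ, which is what triggers the move to UDP 4500.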

[Figure: Packet format of ESP in tunnel mode without NAT-T]

[Figure: Packet format of ESP in tunnel mode with NAT-T]
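Since IKE messages and ESP user data both travel on UDP 4500 once NAT-T is active, a capture analyst has to tell them apart from the payload itself. The added example below (not from the SonicWall article) goes beyond the text and applies the RFC 3948 rules: four zero bytes mark an IKE message, a single 0xFF byte is a NAT keepalive, anything else is ESP. All sample datagrams are constructed.

```python
import struct

NATT_PORT = 4500  # UDP port the article gives for NAT-T encapsulation

def udp(sport, dport, payload):
    """Build a UDP header + payload (checksum left at 0) for the samples below."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify_natt(datagram):
    """Classify one UDP datagram (8-byte header + payload) using RFC 3948 rules."""
    if len(datagram) < 8:
        return {"kind": "malformed"}
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    # A PAT device may rewrite the source port, so accept 4500 on either side.
    if NATT_PORT not in (sport, dport):
        return {"kind": "not-nat-t"}
    payload = datagram[8:length]
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}  # one 0xFF byte keeps the NAT mapping alive
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload[:4] == b"\x00" * 4:
        # Non-ESP marker: an IKE message follows, starting with the initiator cookie.
        return {"kind": "ike", "initiator_cookie": payload[4:12].hex()}
    spi, seq = struct.unpack("!II", payload[:8])  # ESP header: SPI, sequence number
    return {"kind": "esp", "spi": spi, "seq": seq}

# Constructed sample datagrams; the NAT has rewritten the client source port to 40001.
SAMPLES = [
    udp(40001, 4500, b"\x00" * 4 + bytes.fromhex("1122334455667788") + b"\x00" * 20),
    udp(40001, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 32),
    udp(40001, 4500, b"\xff"),
    udp(500, 500, b"\x11" * 28),
]

def classify_samples():
    return [classify_natt(d) for d in SAMPLES]

if __name__ == "__main__":
    for result in classify_samples():
        print(result)
```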

NOTE: To perform the NAT traversal process, both IPsec gateway devices should support NAT-T, even if a particular device is not behind a NAT device.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.

  1. Navigate to Network | IPSec VPN | Advanced | Enable NAT traversal.
  2. By default in all SonicOS, NAT traversal will be enabled.

NOTE: The NAT traversal feature in SonicWall is a global setting. Changing this setting will affect all Global VPN and site-to-site VPN policies. Enabling this feature will not affect normal VPN operation even when the IPsec gateways are not behind a NAT device, but disabling it will affect the VPN policies where an IPsec gateway is behind a NAT device.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.

  1. Navigate to Manage | Connectivity | VPN | Advance settings | Enable/Disable NAT traversal.
  2. By default in all SonicOS, NAT traversal will be enabled.

NOTE: The NAT traversal feature in SonicWall is a global setting. Changing this setting will affect all Global VPN and site-to-site VPN policies. Enabling this feature will not affect normal VPN operation even when the IPsec gateways are not behind a NAT device, but disabling it will affect the VPN policies where an IPsec gateway is behind a NAT device.

Resolution for SonicOS 6.2 and Below

The resolution below is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

  1. Navigate to VPN settings | Advance settings | Enable/Disable NAT traversal.
  2. By default in all SonicOS, NAT traversal will be enabled.

NOTE: The NAT traversal feature in SonicWall is a global setting. Changing this setting will affect all Global VPN and site-to-site VPN policies. Enabling this feature will not affect normal VPN operation even when the IPsec gateways are not behind a NAT device, but disabling it will affect the VPN policies where an IPsec gateway is behind a NAT device.

Article information

Author: Melvina Ondricka