Back
NAT TRAVERSAL

What is NAT Traversal?

Overview

The IPSEC NAT  Traversal feature introduces IPSEC traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) device in the network by addressing many incompatibilities between NAT and IPSEC.

NAT Traversal is a UDP encapsulation which allows traffic to get the specified destination when a device does not have a public address.

IPSEC provides confidentiality, authenticity and integrity. However, problem occurs when a NAT device does its NAT translations, however the address of the source within the IP payload does not match the source address of the IKE packet as it is replaced by the address of the NAT device during NAT translation. Authenticity, integrity will break which will cause the packet by the remote peer to be dropped.

NAT and IPSEC are incompatible with each other and it can be resolved by using NAT Traversal. NAT Traversal adds a UDP header which encapsulates the IPSEC ESP packet. New UDP packet is not encrypted and is treated just like a normal UDP packet the NAT device can make the required changes and process the message which would now overcome the problem.

Related – Proxy vs NAT

NAT and IPSEC Incompatibility and Solution

  • Internet Key Exchange (IKE) IP Address and NAT

This incompatibility applies only when IP addresses are used as a search key to find a pre shared key. Modification of the IP source or destination addresses by NAT or reverse NAT results in a mismatch between the IP address and the pre shared key.

  • Embedded IP Addresses and NAT

Because the payload is integrity protected, any IP address enclosed within IPSEC packets cannot be translated by NAT because embedded IP address is used by FTP, SNMP, LDAP and SIP.

UDP encapsulation addresses incompatibility issues between IPSEC and NAT.

  • Incompatibility between IPSEC ESP and PAT Resolved

To prevent this situation UDP encapsulation is used to hide the ESP packet behind the UDP header. PAT treats the ESP packet as a UDP packet and the ESP packet as a normal UDP packet.

  • Incompatibility between Checksums and NAT Resolved

The checksum value is always zero. This value prevents an intermediate device from validating the checksum result against the packet checksum. Resolving the TCP UDP checksum issue by NAT changes the IP source and destination addresses.

  • Incompatibility between IKE Destination Ports and PAT Resolved

PAT changes the port in the new UDP header for translation and leaves the original payload as it is. In phase 1 setup, three ports must be open on the device that is doing NAT for VPN –

  • UDP port 4500 for NAT traversal
  • UDP port 500 for IKE and
  • IP protocol 50 or ESP

After this, the data is sent using IPSEC over UDP which is effectively NAT Traversal. The receiving peer first De-capsulate the IPSEC packet from its UDP packet and then processes the traffic as a standard IPSEC packet.

Benefits of NAT Traversal

Before the NAT traversal, a standard IPSEC virtual private network (VPN) tunnel would not work if there were one or more NAT or PAT device in the path of the IPSEC packet. NAT IPSEC feature aware allows remote access users to build IPSEC tunnels to home gateways. The IPSEC NAT Transparency feature permits IPSEC traffic to travel through NAT or PAT device in the network by encapsulating IPSEC packets in a User Datagram Protocol (UDP) wrapper, which allows the packets to travel across NAT configured devices.

  • Configuring NAT Traversal

NAT Traversal is a feature that is auto detected and enabled by default. There are no configuration steps. If both devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.

  • Disabling NAT Traversal

To disable NAT traversal, following command is used –

#no crypto IPSEC NAT-transparency udp-encapsulation

 

Conclusion

NAT-T is a method of assigning Public IP address and encountering problem when data protected by IPsec passes through a NAT device and changes to the IP address cause IKE to discard packets. During the Phase 1 exchanges, NAT-Traversal adds a UDP encapsulation to IPsec packets so they are not discarded after address translation. NAT-T encapsulates both IKE and ESP traffic within UDP port 4500 used as both the source and destination port.

Related – NAT CHEATSHEET

Tag:

Rashmi Bhardwaj

I am here to share my knowledge and experience in the field of networking with the goal being - "The more you share, the more you learn."

I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.

I am a strong believer of the fact that "learning is a constant process of discovering yourself."
- Rashmi Bhardwaj (Author/Editor)

You may also like

Simplifying Power over Ethernet PoE Installation
Simplifying Power over Ethernet PoE Installation
19 November, 2024
Cloudflare – What is it
What is Cloudflare? Working, Uses, Pros & Cons
14 November, 2024
Configure DHCP Relay Traffic to Use SD-WAN Rules
Configure DHCP Relay Traffic to Use SD-WAN Rules
12 November, 2024

Leave A Reply

Your email address will not be published. Required fields are marked *

18 − 5 =

Select your currency
USD United States (US) dollar
INR Indian rupee