
Resolving Connectivity Issues

In This Section:

IPsec NAT-Traversal

IPsec NAT-Traversal

NAT-T (NAT traversal or UDP encapsulation) makes sure that IPsec VPN connections stay open when traffic goes through gateways or devices that use NAT.

When an IP packet passes through a network address translator (NAT) device, its headers are rewritten in a way that is not compatible with IPsec (the integrity check covers the fields that NAT changes). To protect the original IPsec-encoded packet, NAT traversal encapsulates it in an additional layer of UDP and IP headers, which the NAT device can rewrite without touching the IPsec packet inside.
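As an added illustration of that extra UDP layer (example code written for this page, not Check Point's own), assuming the RFC 3948 framing on UDP port 4500 and a constructed sample ESP packet:

```python
# Added example (not Check Point code): the extra UDP layer NAT-T adds to ESP,
# and a classifier for what sits inside a port-4500 datagram. Assumes the RFC 3948
# framing: 4 zero bytes = IKE ("non-ESP marker"), otherwise ESP (SPI, never zero,
# then sequence number); a single 0xFF byte is a NAT keepalive.
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
KEEPALIVE = b"\xff"

# Constructed sample ESP packet: SPI 0x0001A2B3, sequence 7, then opaque ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x0001A2B3, 7) + b"\xaa" * 16


def encapsulate_esp(esp_packet, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """Wrap ESP in the UDP header NAT-T adds (checksum zero, as RFC 3948 allows)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp_packet), 0) + esp_packet


def decapsulate_udp(udp_datagram):
    """Strip the UDP header again; returns (src_port, dst_port, payload)."""
    src, dst, length, _ = struct.unpack("!HHHH", udp_datagram[:8])
    return src, dst, udp_datagram[8:length]


def classify_nat_t_payload(udp_payload):
    """Tell IKE, ESP and keepalive apart; handy when verifying NAT-T is really in use."""
    if udp_payload == KEEPALIVE:
        return {"kind": "keepalive"}
    if len(udp_payload) < 8:
        return {"kind": "malformed"}
    if udp_payload[:4] == NON_ESP_MARKER:
        ike = udp_payload[4:]  # fixed IKE header is 28 bytes: SPIs, flags, msg id, length
        if len(ike) < 28:
            return {"kind": "malformed"}
        ispi, rspi = struct.unpack("!QQ", ike[:16])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def demo():
    """Round-trip the sample ESP packet through NAT-T encapsulation."""
    _, dst_port, payload = decapsulate_udp(encapsulate_esp(SAMPLE_ESP))
    return dst_port, classify_nat_t_payload(payload)


if __name__ == "__main__":
    print(demo())
```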

For IPsec to work with NAT traversal, these protocols must be allowed through the NAT interface(s):

Configuring NAT-Traversal

To configure NAT-T for site-to-site VPN:

  1. Open the Gateway Properties of a gateway that has IPsec VPN enabled.
  2. Select IPsec VPN > VPN Advanced.
  3. Make sure that Support NAT traversal (applies to Remote Access and Site to Site connections) is selected.

    NAT-Traversal is enabled by default when a NAT device is detected.

Advanced NAT-T Configuration

These variables are defined for each gateway and control NAT-T for site-to-site VPN:

Item                                  Description                                           Default Value
offer_nat_t_initator                  Initiator sends NAT-T traffic                         false
offer_nat_t_responder_for_known_gw    Responder accepts NAT-T traffic from known gateways   true
force_nat_t                           Force NAT-T even if there is no NAT-T device          false

The variables can be viewed or changed in the GuiDBedit Tool (see sk13009):

  1. In the left pane, click TABLE > Network Objects > network_objects.
  2. In the right pane, click <gateway_object>.
  3. In the bottom pane, see VPN.