NAT-T (NAT traversal or UDP encapsulation) makes sure that IPsec VPN connections stay open when traffic goes through gateways or devices that use NAT.
When an IP packet passes through a network address translator (NAT) device, its headers are changed in a way that is not compatible with IPsec. To protect the original IPsec-encoded packet, NAT traversal encapsulates it in an additional layer of UDP and IP headers.
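As an added illustration (not from the original page or from Check Point's own code) of what that UDP encapsulation looks like on the wire, the following Python snippet builds a UDP-encapsulated ESP packet and classifies UDP/4500 datagrams into IKE, ESP or NAT keepalive as defined in RFC 3947 and RFC 3948. The packet samples are constructed, not captured traffic.

```python
import struct

NAT_T_UDP_PORT = 4500                  # IKE and UDP-encapsulated ESP use this port after NAT detection
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix that marks IKE; a real ESP SPI is never 0
IKE_HEADER_LEN = 28                    # fixed IKE header size (RFC 7296 section 3.1)

def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the payload of one UDP/4500 datagram (RFC 3947 / RFC 3948)."""
    if payload == b"\xff":
        # One-byte NAT keepalive: sent only to keep the NAT mapping from expiring.
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short for ESP or IKE"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "IKE header truncated"}
        (_i_spi, _r_spi, _next, version, exch_type,
         _flags, _msg_id, length) = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {"kind": "ike", "major_version": version >> 4, "exchange_type": exch_type,
                "declared_length": length, "length_ok": length == len(ike)}
    # Anything else is UDP-encapsulated ESP: the payload starts with the ESP header itself.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}

def build_udp_encap_esp(spi: int, seq: int, encrypted_body: bytes) -> bytes:
    """Wrap an ESP packet the way NAT-T does: a UDP header (both ports 4500) in front of it."""
    esp = struct.pack("!II", spi, seq) + encrypted_body
    # RFC 3948 allows a zero UDP checksum; the decapsulating peer does not verify it.
    return struct.pack("!HHHH", NAT_T_UDP_PORT, NAT_T_UDP_PORT, 8 + len(esp), 0) + esp

def classify_udp_datagram(datagram: bytes) -> dict:
    """Inspect a whole UDP datagram (header + payload) as a NAT device or firewall sees it."""
    if len(datagram) < 8:
        return {"kind": "malformed", "reason": "UDP header truncated"}
    src, dst, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    if NAT_T_UDP_PORT not in (src, dst):
        return {"kind": "not-nat-t"}
    return classify_nat_t_payload(datagram[8:length])

# Constructed samples: an IKEv2 IKE_SA_INIT header behind the non-ESP marker, and an ESP packet.
SAMPLE_IKE_PAYLOAD = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
SAMPLE_ESP_DATAGRAM = build_udp_encap_esp(0x12345678, 7, b"\xaa" * 16)

if __name__ == "__main__":
    for name, pkt in [("keepalive", b"\xff"), ("ike", SAMPLE_IKE_PAYLOAD)]:
        print(name, classify_nat_t_payload(pkt))
    print("esp", classify_udp_datagram(SAMPLE_ESP_DATAGRAM))
```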
For IPsec to work with NAT traversal, these protocols must be allowed through the NAT interface(s):
To configure NAT-T for site-to-site VPN:
NAT-Traversal is enabled by default when a NAT device is detected.
These variables are defined for each gateway and control NAT-T for site-to-site VPN:
| Item | Description | Default Value |
|---|---|---|
| | Initiator sends NAT-T traffic | false |
| | Responder accepts NAT-T traffic from known gateways | true |
| | Force NAT-T even if there is no NAT-T device | false |
The variables can be viewed or changed in the GuiDBedit Tool (see sk13009):