
Resolving Connectivity Issues

In This Section:

IPsec NAT-Traversal

IPsec NAT-Traversal

NAT-T (NAT traversal, also called UDP encapsulation) ensures that IPsec VPN connections keep working when the traffic passes through gateways or other devices that perform Network Address Translation (NAT).

When an IP packet passes through a NAT device, its addresses (and, for TCP and UDP, its ports) are rewritten. IPsec cannot tolerate this: AH protects the IP header itself, ESP carries no port numbers for the NAT device to translate, and the integrity check of the original packet fails once it has been modified. NAT traversal solves this by wrapping the original IPsec packet in an additional UDP and IP header pair, so that the NAT device only ever rewrites the outer headers. During IKE negotiation, each peer sends a hash of the addresses and ports it sees (NAT-D / NAT_DETECTION payloads); when the hashes do not match, a NAT device is in the path and both peers move the negotiation and the encapsulated IPsec traffic to UDP port 4500.

For IPsec to work with NAT traversal, the NAT device(s) must allow IKE (UDP port 500) and the UDP-encapsulated IPsec and IKE traffic (UDP port 4500) to pass.
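The two mechanisms described above, NAT detection during IKE and demultiplexing of the UDP port 4500 stream, as an added illustration. This is example code, not Check Point code, and it only models the wire behaviour defined in RFC 3947 and RFC 3948; the SPIs, addresses, ports and payload bytes are constructed for the demonstration, and a real gateway would additionally parse the IKE and ESP headers.

```python
"""NAT-T mechanics (RFC 3947 / RFC 3948), illustrative code, not a product implementation.

1. NAT detection: each IKE peer sends SHA-1(SPI_i | SPI_r | IP | port) over the
   address and port it believes it is using.  The receiver recomputes the hash
   over the source address and port it actually observed; a mismatch means a
   NAT device rewrote the packet on the way.
2. UDP encapsulation on port 4500: ESP is placed directly after the UDP header.
   IKE on the same port is prefixed with a four-byte zero "non-ESP marker"
   (an ESP SPI of zero is reserved, so the two cannot collide), and a NAT
   keepalive is a single 0xFF byte.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def nat_d_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Content of a NAT-D payload: SHA-1 over SPI_i | SPI_r | IP address | port."""
    packed_ip = ipaddress.ip_address(ip).packed          # works for IPv4 and IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(spi_i: bytes, spi_r: bytes, peer_hash: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """True when the hash the peer sent does not match the address/port we actually saw."""
    return nat_d_hash(spi_i, spi_r, observed_ip, observed_port) != peer_hash


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """UDP payload for an ESP packet: the ESP packet itself (SPI first), no marker."""
    if len(esp_packet) < 8:
        raise ValueError("ESP packet too short to carry SPI and sequence number")
    if esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("SPI 0 is reserved; it would be mistaken for the non-ESP marker")
    return esp_packet


def encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP payload for an IKE message sent on port 4500: non-ESP marker + IKE message."""
    return NON_ESP_MARKER + ike_message


def classify_nat_t_payload(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way a NAT-T receiver does."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 8:
        raise ValueError("payload shorter than any valid IKE or ESP packet")
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def demo() -> dict:
    """Constructed scenario: the initiator sits behind a NAT that rewrites 10.1.1.5:500
    to 203.0.113.7:40000 before the responder sees the packet."""
    spi_i = bytes.fromhex("0011223344556677")
    spi_r = bytes.fromhex("8899aabbccddeeff")
    initiator_claim = nat_d_hash(spi_i, spi_r, "10.1.1.5", IKE_PORT)
    # What the responder observes as source address/port after the NAT device.
    nat_in_path = nat_detected(spi_i, spi_r, initiator_claim, "203.0.113.7", 40000)
    # Same hash, no NAT in the path: the observed address matches the claim.
    direct = nat_detected(spi_i, spi_r, initiator_claim, "10.1.1.5", IKE_PORT)
    port = NAT_T_PORT if nat_in_path else IKE_PORT
    esp = encapsulate_esp(bytes.fromhex("c0ffee01") + b"\x00\x00\x00\x01" + b"ciphertext")
    ike = encapsulate_ike(spi_i + spi_r + b"\x21\x20\x22\x08" + b"\x00" * 8)
    return {
        "nat_in_path": nat_in_path,
        "direct_nat_free": direct,
        "negotiation_port": port,
        "esp_class": classify_nat_t_payload(esp),
        "ike_class": classify_nat_t_payload(ike),
        "keepalive_class": classify_nat_t_payload(NAT_KEEPALIVE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scenario in `demo()` is the one the page's "enabled by default when a NAT device is detected" note refers to: NAT-T is not forced, it is negotiated only after the NAT-D hashes disagree, which is also why a firewall between the peers must pass UDP 4500 and not just UDP 500.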

Configuring NAT-Traversal

To configure NAT-T for Site to Site VPN:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers.
  2. Open the applicable Security Gateway object with enabled IPsec VPN Software Blade.
  3. From the left tree, click IPsec VPN > VPN Advanced.
  4. Select Support NAT traversal (applies to Remote Access and Site to Site connections).

    With this option selected, NAT-T is used automatically whenever a NAT device is detected on the path between the peers; traffic between peers with no NAT in between is not encapsulated unless NAT-T is forced (see Advanced NAT-T Configuration below).

  5. Click OK.
  6. Install the Access Control Policy.

Advanced NAT-T Configuration

These variables are defined on each Security Gateway object and control NAT-T for Site to Site VPN:

  Item                                  Description                                                          Default Value
  offer_nat_t_initator                  When this Security Gateway is the initiator, it offers NAT-T         false
  offer_nat_t_responder_for_known_gw    When this Security Gateway is the responder, it accepts NAT-T        true
                                        from known (managed or trusted) gateways
  force_nat_t                           Force NAT-T encapsulation even when no NAT device is detected        false

The variables can be viewed and changed in the GuiDBedit Tool (see sk13009):

  1. In the top left pane, click Table > Network Objects > network_objects.
  2. In the top right pane, select the applicable Security Gateway object.
  3. In the bottom pane, locate the VPN section and change the value of the applicable variable.
  4. Save the changes: click File menu > Save All.
  5. In SmartConsole, install the Access Control Policy on this Security Gateway object, so that the change takes effect.