NAT Passthrough Mode Overview

NAT devices can change the IP address and port number of a traversing IP packet. Encrypted frames, in which an ESP header follows the IP header, may or may not pass through a NAT device.

You can set up a router to run in NAT passthrough mode, in which the router does not verify UDP checksums. This is necessary because the UDP checksum covers not only the UDP header and payload but also the IP source and destination addresses (the UDP pseudo-header). When a NAT device changes the IP address of a packet whose UDP header is inside the encrypted ESP payload, the NAT device cannot recalculate the UDP checksum, so the checksum is invalid when the packet reaches the router. Not checking UDP checksums does not compromise security, because IPsec protects the UDP header and payload with an authentication algorithm far stronger than the UDP checksum. To set up the router to run in NAT passthrough mode, use the application l2tp-nat-passthrough command.
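The following script is an added illustration of the mechanism described above; it is not code from this documentation or from the router vendor. It computes the RFC 768 UDP checksum over the IPv4 pseudo-header, rewrites the outer source address the way a NAT device would, and shows that the original checksum no longer verifies while an HMAC over the unchanged inner bytes (a simplified stand-in for the ESP integrity check value, not a real ESP implementation) still does. All addresses, ports, the payload and the key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real IPsec SA key is negotiated by IKE, not hard-coded.
ICV_KEY = b"constructed-demo-key"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length input is padded with a zero octet
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> int:
    """UDP checksum per RFC 768: covers the IPv4 pseudo-header (source and
    destination addresses, protocol, UDP length), the UDP header and the payload."""
    length = 8 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, length))
    udp_hdr = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zeroed
    csum = 0xFFFF ^ ones_complement_sum(pseudo + udp_hdr + payload)
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def udp_checksum_ok(src_ip: str, dst_ip: str, sport: int, dport: int,
                    payload: bytes, checksum: int) -> bool:
    """Verify a received UDP checksum by recomputing it over the addresses the
    receiver actually sees in the outer IP header."""
    return udp_checksum(src_ip, dst_ip, sport, dport, payload) == checksum


def esp_icv(protected: bytes) -> bytes:
    """Simplified stand-in for the ESP integrity check value: an HMAC over the
    protected inner packet. A NAT device has no key and cannot recompute it."""
    return hmac.new(ICV_KEY, protected, hashlib.sha256).digest()


def nat_effect() -> dict:
    """Build an L2TP-over-UDP datagram at the client, let a NAT device rewrite the
    outer source address, and report the UDP checksum and ESP integrity results."""
    client_ip, server_ip, nat_ip = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed
    payload = b"L2TP control message (constructed)"
    csum = udp_checksum(client_ip, server_ip, 1701, 1701, payload)
    # The UDP header (with its checksum) and payload sit inside ESP; the NAT device
    # only sees them as opaque bytes and cannot touch them.
    inner = struct.pack("!HHHH", 1701, 1701, 8 + len(payload), csum) + payload
    icv = esp_icv(inner)
    # The NAT device rewrites the outer IP source address; the inner bytes are unchanged.
    return {
        "udp_ok_before_nat": udp_checksum_ok(client_ip, server_ip, 1701, 1701, payload, csum),
        "udp_ok_after_nat": udp_checksum_ok(nat_ip, server_ip, 1701, 1701, payload, csum),
        "esp_icv_ok_after_nat": hmac.compare_digest(esp_icv(inner), icv),
    }


if __name__ == "__main__":
    for name, ok in nat_effect().items():
        print(f"{name}: {ok}")
```

The router sees the datagram from the NAT address, so the UDP checksum computed at the client fails; the ESP integrity check over the unchanged inner bytes passes, which is why skipping the UDP checksum in NAT passthrough mode loses nothing the IPsec authentication does not already cover.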

We recommend that you configure the router to use NAT passthrough mode when the NAT device provides a feature commonly known as IPsec passthrough.

For information about configuring NAT passthrough mode as part of an IPsec transport profile, see Configuring the Type of Application Secured by Connections Created with an IPsec Transport Profile.

