NAT-Traversal Overview

Using NAT passthrough mode is an adequate solution when a single remote user located behind a NAT device needs secure access to an E Series router. However, NAT passthrough mode does not support secure access to the router by multiple remote users at locations such as hotels or airports where a NAT device resides between the router and the remote users. In addition, NAT passthrough mode does not provide secure access for groups of remote users at corporate locations where a NAT device resides between the company's intranet and the public IP network.

To allow secure router access for multiple remote hosts located behind a NAT device, the router supports a set of IETF standards collectively known as NAT-Traversal (NAT-T). For a list of the individual standards that NAT-T comprises, see Securing L2TP and IP Tunnels with IPsec References.

This topic describes how NAT-T works, the UDP encapsulation applied to L2TP/IPsec and IKE traffic, how UDP-encapsulated packets appear in UDP statistics, how the router treats NAT keepalive messages, and where to find the NAT-T configuration and monitoring tasks.

How NAT-T Works

By default, NAT-T is enabled on every virtual router configured on the system. With NAT-T enabled, IPsec traffic flows transparently through a NAT device, thereby allowing one or more remote hosts located behind the NAT device to use secure L2TP/IPsec tunnel connections to access the router.

After NAT-T is enabled on a specific virtual router, either by default or by using the ipsec option nat-t command, the router performs the following actions, in this order:

  1. The router monitors the exchange of private vendor ID (VID) payloads between the client PC and the E Series router during the IKE SA negotiation process to determine whether both sides of the negotiation support NAT-T.
  2. If both sides of the negotiation support NAT-T, the router detects whether a NAT device resides between the IPsec remote peers.
  3. If a NAT device is detected between the remote peers, the router negotiates the appropriate type of UDP encapsulation as part of the IKE SA and uses this encapsulation method to process the IPsec traffic.

The ipsec option nat-t command affects only those IKE SAs negotiated on the virtual router after the command is issued. The command has no effect on IKE SAs that were previously negotiated.
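The three negotiation steps above, worked through as an added example that is not E Series code: it models the RFC 3947 vendor ID check (step 1), NAT detection from NAT-D payloads (step 2) and the encapsulation-mode choice (step 3) on the router side of an IKE phase 1 exchange. The vendor ID value, the NAT-D hash construction and the encapsulation-mode attribute numbers come from RFC 3947 (one of the standards the page refers to); the function names, the sample cookies and addresses, and the assumption that an L2TP/IPsec association picks the transport variant are illustrative choices, not something this page states about the router.

```python
"""Router-side NAT-T detection during IKEv1 phase 1, per RFC 3947 (added example)."""
import hashlib
import socket
import struct

# Step 1: a peer that supports RFC 3947 NAT-T sends this Vendor ID payload,
# defined as MD5("RFC 3947") = 4a131c81070358455c5728f20e95452f.
NAT_T_VID = hashlib.md5(b"RFC 3947").digest()

# IKEv1 encapsulation-mode attribute values from RFC 3947 section 5.2.
UDP_ENCAP_TUNNEL = 3
UDP_ENCAP_TRANSPORT = 4


def supports_nat_t(peer_vendor_ids):
    """Step 1: both sides support NAT-T only if the peer advertised the RFC 3947 VID."""
    return NAT_T_VID in peer_vendor_ids


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port) with the negotiated hash
    (RFC 3947 section 3.2). IP is 4 octets, Port 2 octets, network byte order."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def detect_nat(cky_i, cky_r, local_ip, local_port, seen_peer_ip, seen_peer_port,
               nat_d_payloads, hash_name="sha1"):
    """Step 2: decide whether a NAT sits between the peers.

    The first NAT-D payload hashes the sender's view of *our* address (the
    destination it sent to); the remaining ones hash the sender's own addresses
    as it sees them. We compare against the addresses we actually observe on the
    wire: a mismatch on our side means we are behind a NAT, no match among the
    sender's hashes means the peer is behind one (its address was rewritten).
    Returns (local_nat, peer_nat)."""
    peer_view_of_us, peer_view_of_self = nat_d_payloads[0], nat_d_payloads[1:]
    local_nat = peer_view_of_us != nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name)
    peer_nat = nat_d_hash(cky_i, cky_r, seen_peer_ip, seen_peer_port, hash_name) \
        not in peer_view_of_self
    return local_nat, peer_nat


def choose_encapsulation(peer_vendor_ids, local_nat, peer_nat, transport_mode=True):
    """Step 3: negotiate a UDP-encapsulated mode only when NAT-T is supported by
    both sides AND a NAT was detected; otherwise plain ESP is used (None).
    Assumption for this example: L2TP/IPsec runs ESP in transport mode, so the
    transport variant is chosen for it."""
    if not supports_nat_t(peer_vendor_ids) or not (local_nat or peer_nat):
        return None
    return UDP_ENCAP_TRANSPORT if transport_mode else UDP_ENCAP_TUNNEL


if __name__ == "__main__":
    # Constructed scenario: router at 198.51.100.1:500, client really at
    # 192.168.1.10:500 but seen by the router as 203.0.113.5:12345 after NAT.
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    payloads = [nat_d_hash(cky_i, cky_r, "198.51.100.1", 500),   # client's view of router
                nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)]   # client's own address
    local_nat, peer_nat = detect_nat(cky_i, cky_r, "198.51.100.1", 500,
                                     "203.0.113.5", 12345, payloads)
    print("router behind NAT:", local_nat, "| client behind NAT:", peer_nat)
    print("encapsulation mode:", choose_encapsulation([NAT_T_VID], local_nat, peer_nat))
```

The IKE SA caveat in the text follows from this structure: the vendor ID and NAT-D exchange happens once per phase 1 negotiation, so an SA established before `ipsec option nat-t` was changed keeps whatever encapsulation was chosen at that time.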

UDP Encapsulation

As part of the IKE SA negotiation process, the router automatically negotiates UDP encapsulation for L2TP/IPsec control and data frames.

When NAT-T is enabled, L2TP/IPsec control frames and data frames are wrapped in an additional NAT-T UDP header that enables the data to flow transparently through the NAT device. The NAT device can translate the source address and source port carried in the NAT-T UDP header, whereas an IPsec Encapsulating Security Payload (ESP) header carries no port numbers for the NAT device to translate.

Figure 26 shows an L2TP control frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPsec.

Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation


Figure 27 shows an L2TP data frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPsec.

Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation


Additionally, IKE packets transmitted during the IKE SA negotiation process are encapsulated with a NAT-T UDP header and carry a non-ESP marker (four zero octets, which can never be a valid ESP SPI) immediately after that header, so that the receiver can distinguish them from UDP-encapsulated ESP control and data frames arriving on the same port. Figure 28 shows an IKE packet encapsulated with a NAT-T UDP header.

Figure 28: IKE Packet with NAT-T UDP Encapsulation


Only frames that use the ESP encryption and authentication protocol can be UDP encapsulated. Frames that use an authentication header (AH) cannot be UDP encapsulated, because the AH integrity check covers the outer IP header that the NAT device rewrites; therefore, NAT-T is not supported for L2TP/IPsec connections that use AH.

For more detailed information about encapsulation and other IPsec security parameters, see Configuring IPsec.

UDP Statistics

When NAT-T is enabled, UDP-encapsulated IPsec packets arriving at and leaving the router look like standard UDP packets. However, the router does not forward these packets to and from the SRP module, as it does for other UDP packets. As a result, the UDP statistics maintained by the SRP module do not reflect UDP-encapsulated IPsec packets.

NAT Keepalive Messages

The router does not generate NAT keepalive messages. The following reasons explain why this behavior does not generally pose problems for remote users.

If the router receives NAT keepalive messages as part of the L2TP/IPsec traffic flow, it discards these messages at the ingress line module on which the messages were received.
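The receive-side handling described in the UDP Encapsulation, UDP Statistics and NAT Keepalive Messages sections, as an added example that is not E Series code. Every datagram on the NAT-T UDP port is one of three things defined in RFC 3948: an ESP packet (SPI first), an IKE message behind the four-zero-octet non-ESP marker, or a one-octet 0xFF NAT keepalive, which RFC 3948 has the peer behind the NAT send and the other side simply drop. The example builds each kind, refuses AH (which cannot be UDP encapsulated), and models an ingress path that counts ESP and IKE separately from keepalives and from ordinary UDP. The function names and the sample bytes are constructed for illustration; the ESP body is a placeholder, not real ciphertext.

```python
"""Demultiplexing UDP-encapsulated IPsec on the NAT-T port, per RFC 3948 (added example)."""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: precedes IKE; an ESP SPI is never 0
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: single octet, sent by the peer behind the NAT
IP_PROTO_ESP = 50
IP_PROTO_AH = 51


def can_udp_encapsulate(proto):
    """Only ESP can be carried inside the NAT-T UDP header. AH's integrity check
    covers the outer IP header, which the NAT rewrites, so it cannot be used."""
    return proto == IP_PROTO_ESP


def udp_datagram(body, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """Prepend a UDP header (ports, length, checksum left 0 as IPv4 permits)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def udp_encapsulate(proto, inner, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """NAT-T UDP encapsulation: ESP goes directly after the UDP header, IKE
    (proto=None) gets the non-ESP marker first, AH is refused."""
    if proto == IP_PROTO_AH:
        raise ValueError("AH cannot be UDP-encapsulated; NAT-T requires ESP")
    body = inner if proto == IP_PROTO_ESP else NON_ESP_MARKER + inner
    return udp_datagram(body, sport, dport)


def classify_payload(payload):
    """Tell the three RFC 3948 datagram types apart by their first octets."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:                  # ESP header is SPI (4) + sequence number (4)
        return "esp"
    return "invalid"


def parse_esp_header(payload):
    """Return (SPI, sequence number) from a UDP-encapsulated ESP payload."""
    return struct.unpack("!II", payload[:8])


def process_ingress(datagrams):
    """Model the router's ingress path. ESP is handed to the IPsec data path, IKE
    to the negotiator, keepalives are discarded at the line module, and only
    traffic for other ports is counted as ordinary UDP. Returns the counters
    and the SPIs of the ESP packets seen."""
    counts = {"esp": 0, "ike": 0, "keepalive": 0, "invalid": 0, "other_udp": 0}
    spis = []
    for dgram in datagrams:
        sport, dport, length, _checksum = struct.unpack("!HHHH", dgram[:8])
        payload = dgram[8:length]
        if dport != NAT_T_PORT:
            counts["other_udp"] += 1
            continue
        kind = classify_payload(payload)
        counts[kind] += 1
        if kind == "esp":
            spis.append(parse_esp_header(payload)[0])
    return counts, spis


if __name__ == "__main__":
    # Constructed sample traffic: one ESP packet, one IKE message from a NAT'd
    # source port, two keepalives, one unrelated DNS-port datagram.
    esp = struct.pack("!II", 0xA001, 1) + b"\x11" * 16      # placeholder ESP body
    ike = b"\x22" * 28                                       # placeholder IKE header
    sample = [udp_encapsulate(IP_PROTO_ESP, esp),
              udp_encapsulate(None, ike, sport=12345),
              udp_datagram(NAT_KEEPALIVE), udp_datagram(NAT_KEEPALIVE),
              udp_datagram(b"dns?", dport=53)]
    counts, spis = process_ingress(sample)
    print(counts, [hex(s) for s in spis])
```

The `other_udp` counter is the only one a host-side UDP statistics view would see in the modelled design; the ESP, IKE and keepalive datagrams are consumed on the NAT-T path, which is why UDP-encapsulated IPsec traffic is absent from the SRP module's UDP statistics.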

Configuring and Monitoring NAT-T

For instructions on configuring and monitoring NAT-T, see the sections listed in Table 38.

Table 38: Configuration and Monitoring Tasks for NAT-T

Task                                                              | Command            | See Topic
Enabling and disabling NAT-T on a virtual router                  | ipsec option nat-t | Enabling NAT-T on a Virtual Router
Displaying the current NAT-T setting on a virtual router          | show ipsec option  | Monitoring the Status of IPsec Options
Displaying IKE SA negotiation information when NAT-T is enabled   | show ipsec ike-sa  | Monitoring the IKE Phase 1 SAs
