NAT-Traversal Overview
Using NAT passthrough mode is an adequate solution when a single remote user located behind a NAT device needs secure access to an E Series router. However, NAT passthrough mode does not support secure access to the router by multiple remote users at locations such as hotels or airports where a NAT device resides between the router and the remote users. In addition, NAT passthrough mode does not provide secure access for groups of remote users at corporate locations where a NAT device resides between the company's intranet and the public IP network.
To allow secure router access for multiple remote hosts located behind a NAT device, the router supports a set of IETF standards collectively known as NAT-Traversal (NAT-T). For a list of the individual standards that NAT-T comprises, see Securing L2TP and IP Tunnels with IPsec References.
This topic describes the following:
- How NAT-T Works
- UDP Encapsulation
- UDP Statistics
- NAT Keepalive Messages
- Configuring and Monitoring NAT-T
How NAT-T Works
By default, NAT-T is enabled on every virtual router configured on the system. With NAT-T enabled, IPsec traffic flows transparently through a NAT device, thereby allowing one or more remote hosts located behind the NAT device to use secure L2TP/IPsec tunnel connections to access the router.
After NAT-T is enabled on a specific virtual router, either by default or by using the ipsec option nat-t command, the router performs the following actions, in this order:
- The router monitors the exchange of private vendor ID (VID) payloads between the client PC and the E Series router during the IKE SA negotiation process to determine whether both sides of the negotiation support NAT-T.
- If both sides of the negotiation support NAT-T, the router detects whether a NAT device resides between the IPsec remote peers.
- If a NAT device is detected between the remote peers, the router negotiates the appropriate type of UDP encapsulation as part of the IKE SA and uses this encapsulation method to process the IPsec traffic.
The ipsec option nat-t command affects only those IKE SAs negotiated on the virtual router after the command is issued. The command has no effect on IKE SAs that were previously negotiated.
UDP Encapsulation
As part of the IKE SA negotiation process, the router automatically negotiates UDP encapsulation for L2TP/IPsec control and data frames.
When NAT-T is enabled, L2TP/IPsec control frames and data frames are wrapped in an additional NAT-T UDP header that enables data to flow transparently through the NAT device. The NAT device can translate the source IP address and source port of the NAT-T UDP header, whereas the IPsec Encapsulating Security Payload (ESP) header has no port field that the NAT device can translate.
Figure 26 shows an L2TP control frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPsec.
Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation

Figure 27 shows an L2TP data frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPsec.
Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation

Additionally, IKE packets transmitted during the IKE SA negotiation process are encapsulated with a NAT-T UDP header, and include a non-ESP marker to distinguish them from standard ESP control and data frames. Figure 28 shows an IKE packet encapsulated with a NAT-T UDP header.
Figure 28: IKE Packet with NAT-T UDP Encapsulation

Only frames that use the ESP encryption and authentication protocol can be UDP encapsulated. Frames that use an authentication header (AH) cannot be UDP encapsulated; therefore, NAT-T is not supported for L2TP/IPsec connections that use an AH.
For more detailed information about encapsulation and other IPsec security parameters, see Configuring IPsec.
UDP Statistics
When NAT-T is enabled, UDP-encapsulated IPsec packets arriving and leaving the router look like standard UDP packets. However, the router does not forward these packets to and from the SRP module, as it does for other UDP packets. As a result, the UDP statistics maintained by the SRP module do not reflect UDP-encapsulated IPsec packets.
NAT Keepalive Messages
The router does not generate NAT keepalive messages. The following reasons explain why this behavior does not generally pose problems for remote users.
- The primary application for using NAT-T is enabling secure L2TP/IPsec access to an E Series router for remote hosts located behind a NAT device. The L2TP protocol has its own keepalive mechanism that is sufficient for keeping NAT entries alive.
- In most NAT configurations, an ERX router does not operate behind the NAT device, thereby making the generation of keepalive messages unnecessary.
If the router receives NAT keepalive messages as part of the L2TP/IPsec traffic flow, it discards these messages at the ingress line module on which the messages were received.
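The following Python classifier is an added illustration, not part of this topic or of any E Series code. It shows how an ingress line module tells the three kinds of UDP/4500 datagram apart: a NAT keepalive (discarded at ingress, as described above), an IKE packet behind the non-ESP marker, and a UDP-encapsulated ESP frame, while ordinary UDP is passed on to the SRP module. It assumes the RFC 3947/3948 wire format (port 4500, a four-zero-octet marker before IKE, a single 0xFF octet for keepalives), which this page does not spell out, and uses constructed sample packets.

```python
import struct

NAT_T_PORT = 4500                      # UDP port used once a NAT is detected (RFC 3947/3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero octets that precede an IKE header (RFC 3948)
NAT_KEEPALIVE = b"\xff"                # a NAT keepalive is a single 0xFF octet (RFC 3948)

def classify_nat_t_payload(payload: bytes) -> dict:
    """Sort a UDP/4500 payload into NAT keepalive, IKE, or UDP-encapsulated ESP."""
    if payload == NAT_KEEPALIVE:
        # Nothing to decrypt or forward: the router drops these at the ingress line module.
        return {"kind": "keepalive", "action": "discard"}
    if len(payload) < 8:
        return {"kind": "invalid", "action": "discard"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:                                  # the fixed IKE header is 28 octets
            return {"kind": "invalid", "action": "discard"}
        i_ck, _r_ck, _np, _ver, exch, _fl, msg_id, length = struct.unpack("!QQBBBBII", ike[:28])
        return {"kind": "ike", "action": "ike-negotiate", "initiator_cookie": i_ck,
                "exchange_type": exch, "message_id": msg_id, "length": length}
    # Otherwise ESP: SPI (never 0, so the marker cannot be mistaken for one) and sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "action": "ipsec-decrypt", "spi": spi, "sequence": seq}

def classify_ipv4_datagram(pkt: bytes) -> dict:
    """Dispatch an IPv4 datagram the way a NAT-T-aware ingress line module would."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0
    if ihl < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17 or len(pkt) < ihl + 8:  # 17 = UDP
        return {"kind": "not-udp", "action": "forward"}
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != NAT_T_PORT:
        # Ordinary UDP goes to the SRP module and shows up in its UDP statistics.
        return {"kind": "plain-udp", "action": "forward-to-srp", "dst_port": dport}
    result = classify_nat_t_payload(pkt[ihl + 8:ihl + ulen])
    result["src_port"] = sport                             # the port a NAT device may rewrite
    return result

def build_ipv4_udp(payload: bytes, sport: int = 4500, dport: int = 4500) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return ip + udp

# Constructed samples (IPv4 + UDP, checksums left at zero): a keepalive, an IKEv1 main-mode
# header behind the non-ESP marker, and one ESP packet with a dummy 16-byte ciphertext.
IKE_HDR = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 2, 0, 0, 28)
SAMPLES = {
    "keepalive": build_ipv4_udp(NAT_KEEPALIVE, sport=61000),
    "ike": build_ipv4_udp(NON_ESP_MARKER + IKE_HDR),
    "esp": build_ipv4_udp(struct.pack("!II", 0xABCD, 7) + b"\x00" * 16, sport=61000),
}
```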
Configuring and Monitoring NAT-T
For instructions on configuring and monitoring NAT-T, see the sections listed in Table 38.
Table 38: Configuration and Monitoring Tasks for NAT-T
Task | Command | See Topic |
---|---|---|
Enabling and disabling NAT-T on a virtual router | ipsec option nat-t | |
Displaying information about the current NAT-T setting on a virtual router | show ipsec option | |
Displaying information about the IKE SA negotiation when NAT-T is enabled | show ipsec ike-sa | |