    NAT-Traversal Overview

    Using NAT passthrough mode is an adequate solution when a single remote user located behind a NAT device needs secure access to an E Series router. However, NAT passthrough mode does not support secure access to the router by multiple remote users at locations such as hotels or airports where a NAT device resides between the router and the remote users. In addition, NAT passthrough mode does not provide secure access for groups of remote users at corporate locations where a NAT device resides between the company's intranet and the public IP network.

    To allow secure router access for multiple remote hosts located behind a NAT device, the router supports a set of IETF standards collectively known as NAT-Traversal (NAT-T). For a list of the individual standards that NAT-T comprises, see Securing L2TP and IP Tunnels with IPsec References.

    This topic describes the following:

    • How NAT-T Works
    • UDP Encapsulation
    • UDP Statistics
    • NAT Keepalive Messages
    • Configuring and Monitoring NAT-T

    How NAT-T Works

    By default, NAT-T is enabled on every virtual router configured on the system. With NAT-T enabled, IPsec traffic flows transparently through a NAT device, thereby allowing one or more remote hosts located behind the NAT device to use secure L2TP/IPsec tunnel connections to access the router.

    After NAT-T is enabled on a specific virtual router, either by default or by using the ipsec option nat-t command, the router performs the following actions, in this order:

    1. The router monitors the exchange of private vendor ID (VID) payloads between the client PC and the E Series router during the IKE SA negotiation process to determine whether both sides of the negotiation support NAT-T.
    2. If both sides of the negotiation support NAT-T, the router detects whether a NAT device resides between the IPsec remote peers.
    3. If a NAT device is detected between the remote peers, the router negotiates the appropriate type of UDP encapsulation as part of the IKE SA and uses this encapsulation method to process the IPsec traffic.

    The ipsec option nat-t command affects only those IKE SAs negotiated on the virtual router after the command is issued. The command has no effect on IKE SAs that were previously negotiated.

    UDP Encapsulation

    As part of the IKE SA negotiation process, the router automatically negotiates UDP encapsulation for L2TP/IPsec control and data frames.

    When NAT-T is enabled, L2TP/IPsec control frames and data frames are wrapped in an additional NAT-T UDP header that enables the data to flow transparently through the NAT device. The NAT device can translate the source IP address and the UDP source port carried in the NAT-T UDP header, whereas the IPsec Encapsulating Security Payload (ESP) header has no port field that the NAT device can translate.

    Figure 1 shows an L2TP control frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPsec.

    Figure 1: L2TP Control Frame with NAT-T UDP Encapsulation

    Figure 2 shows an L2TP data frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPsec.

    Figure 2: L2TP Data Frame with NAT-T UDP Encapsulation

    Additionally, IKE packets transmitted during the IKE SA negotiation process are encapsulated with a NAT-T UDP header, and include a non-ESP marker to distinguish them from standard ESP control and data frames. Figure 3 shows an IKE packet encapsulated with a NAT-T UDP header.

    Figure 3: IKE Packet with NAT-T UDP Encapsulation

    Only frames that use the ESP encryption and authentication protocol can be UDP encapsulated. Frames that use an authentication header (AH) cannot be UDP encapsulated; therefore, NAT-T is not supported for L2TP/IPsec connections that use an AH.

    For more detailed information about encapsulation and other IPsec security parameters, see Unresolved xref.

    UDP Statistics

    When NAT-T is enabled, UDP-encapsulated IPsec packets arriving and leaving the router look like standard UDP packets. However, the router does not forward these packets to and from the SRP module, as it does for other UDP packets. As a result, the UDP statistics maintained by the SRP module do not reflect UDP-encapsulated IPsec packets.

    NAT Keepalive Messages

    The router does not generate NAT keepalive messages. The following reasons explain why this behavior does not generally pose problems for remote users.

    • The primary application for using NAT-T is enabling secure L2TP/IPsec access to an E Series router for remote hosts located behind a NAT device. The L2TP protocol has its own keepalive mechanism that is sufficient for keeping NAT entries alive.
    • In most NAT configurations, an ERX router does not operate behind the NAT device, thereby making the generation of keepalive messages unnecessary.

    If the router receives NAT keepalive messages as part of the L2TP/IPsec traffic flow, it discards these messages at the ingress line module on which the messages were received.
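    The UDP Encapsulation and NAT Keepalive Messages sections above describe three kinds of datagram that arrive in the NAT-T UDP wrapper: IKE packets prefixed with a non-ESP marker, UDP-encapsulated ESP frames, and NAT keepalives that the router discards at ingress. The following added example (not code from the page or from the E Series router) classifies a received NAT-T UDP payload along those lines; it assumes the RFC 3948 encodings, namely a four-zero-octet non-ESP marker and a single 0xFF octet for a keepalive, and the sample payloads are constructed.

```python
import struct

NAT_T_UDP_PORT = 4500                 # RFC 3948 port for UDP-encapsulated ESP and IKE
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero octets placed before the ISAKMP header
NAT_KEEPALIVE = b"\xff"               # one-octet NAT keepalive payload
ISAKMP_HEADER_LEN = 28                # cookies (16) + next/version/exchange/flags (4) + msg id (4) + length (4)


def classify_nat_t_payload(udp_payload: bytes) -> dict:
    """Classify the payload of a UDP datagram received on the NAT-T port.

    Returns the kind ('nat-keepalive', 'ike' or 'esp'), the action the router
    takes for it, and the inner header fields needed to route it further.
    """
    if udp_payload == NAT_KEEPALIVE:
        # Keepalives carry no IPsec content; the router drops them at the ingress line module.
        return {"kind": "nat-keepalive", "action": "discard-at-ingress"}
    if len(udp_payload) < 8:
        raise ValueError("payload too short for ESP or IKE")
    if udp_payload.startswith(NON_ESP_MARKER):
        # An ESP SPI is never zero on the wire, so four zero octets can only be the non-ESP marker.
        ike = udp_payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HEADER_LEN:
            raise ValueError("truncated ISAKMP header")
        return {
            "kind": "ike",
            "action": "deliver-to-ike",
            "initiator_cookie": ike[0:8].hex(),
            "responder_cookie": ike[8:16].hex(),
            "exchange_type": ike[18],  # e.g. 2 = identity protection (main mode) in IKEv1
        }
    # Anything else is UDP-encapsulated ESP: SPI then sequence number, both network byte order.
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "action": "decapsulate-and-decrypt", "spi": spi, "sequence": seq}


# Constructed sample payloads (not captures from the page):
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = (NON_ESP_MARKER + bytes.fromhex("0011223344556677") + bytes(8)  # cookies
              + bytes([0x01, 0x10, 0x02, 0x00])                               # next=SA, v1.0, main mode, flags
              + bytes(4) + struct.pack("!I", ISAKMP_HEADER_LEN))              # message id, length
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"<encrypted L2TP data>"

if __name__ == "__main__":
    for name, payload in (("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)):
        print(name, classify_nat_t_payload(payload))
```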

    Configuring and Monitoring NAT-T

    For instructions on configuring and monitoring NAT-T, see the sections listed in Table 1.

    Table 1: Configuration and Monitoring Tasks for NAT-T

    Task                                                                        Command             See Topic
    --------------------------------------------------------------------------  ------------------  --------------------------------------
    Enabling and disabling NAT-T on a virtual router                            ipsec option nat-t  Enabling NAT-T on a Virtual Router
    Displaying information about the current NAT-T setting on a virtual router  show ipsec option   Monitoring the Status of IPsec Options
    Displaying information about the IKE SA negotiation when NAT-T is enabled   show ipsec ike-sa   Monitoring the IKE Phase 1 SAs

    Published: 2014-08-12