Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


disable-natt (Services IPsec VPN)


Hierarchy Level


Before Junos OS Release 17.4R1, Network Address Translation-Traversal (NAT-T) is not supported for the Junos VPN Site Secure suite of IPsec features on the MX Series routers. In Junos OS releases before 17.4R1, disable NAT-traversal (NAT-T) when a NAT device is present between two IPsec gateways to cause the Encapsulating Security Payload (ESP) protocol to be used for encapsulation.

In traditional network deployments, IPsec does not work when packets traverse across a device that is configured for network address translation (NAT) or network address port translation (NAPT) for translating packets, IPsec does not work when either one of the device or both the devices that terminate the IPsec tunnel is behind a NAT device. This behavior occurs because NAT checks the port information, which is not present for IPsec-protected traffic.

When NAT-T is configured, IPsec traffic is encapsulated using the UDP header and port information is provided for the NAT devices. By default, Junos OS detects whether either one of the IPsec tunnel is behind a NAT device and automatically switches to using NAT-T for the protected traffic. However, in certain cases, NAT-T support on MX Series routers running a Junos OS Release before 17.4R1 might not work as desired. Also, you might require NAT-traversal to be disabled if you are aware that the network uses IPsec-aware NAT.

To avoid problems with NAT-T on MX series routers, you can disable NAT-T. When you disable NAT-T, the NAT-T functionality is globally switched off. Also, even when a NAT device is present between the two IPsec gateways, only ESP encapsulation is used when you disable NAT-T.

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 16.1.