About NAT Traversal

VPN users may be behind a device that performs NAT on packets that are destined for the other end of the VPN tunnel. If NAT is performed on packets before they are encrypted, as in a site-to-site VPN between two gateway devices, then the packets pass over the VPN connection without difficulty.

However, in a client-to-site VPN, the client software encrypts the packets before the NAT device alters them. Because the NAT device rewrites the IP header after it has been protected, the packets fail the IPsec integrity check. Some client software provides a solution for this problem; other software (such as clients that use the Layer 2 Tunneling Protocol, L2TP) does not.

How NAT-T Works

NAT Traversal (NAT-T) uses UDP encapsulation to address this incompatibility between NAT and L2TP over IPsec. The IPsec packet is wrapped in an outer UDP/IP header; the NAT device changes the addresses and ports in that outer header without tampering with the IPsec packet inside it.

Peers agree to use NAT-T during IKE negotiation by exchanging a predetermined, known value that indicates NAT-T support. When the peers exchange their Diffie-Hellman values, they also send NAT Discovery (NAT-D) payloads that carry hashes of their source and destination IP addresses and ports. Because one peer's source address should be the other's destination address and vice versa, the hashes should match. If they do not, the peers know that an address was translated by NAT somewhere between them.

If the peers discover that NAT is in use, they encapsulate packets in the UDP/IP header. The peer behind the NAT device should also send periodic one-byte UDP keepalive packets so that the NAT device retains the same address mapping for the duration of the VPN tunnel.

The NAT-T feature on the Threat Management Services (TMS) zl Module automatically detects one or more NAT devices between IPsec hosts and negotiates the UDP encapsulation of the IPsec packets through NAT.

The TMS zl Module implements NAT-T under any of the following circumstances:

  • Client device is behind a NAT device.

  • TMS zl Module is behind a NAT device.

  • Both are behind a NAT device.

  • Multiple clients are behind separate NAT devices but have the same IP address.

The TMS zl Module implements NAT-T in this way:

  • IKE packets are accepted from any port and responses are sent to the port from which the packet came.

  • NAT-T negotiation is performed in accordance with RFC 4306.

  • UDP encapsulation of ESP (Encapsulating Security Payload) packets and NAT keepalives is supported in accordance with RFC 3948.
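The NAT-D comparison described under "How NAT-T Works" and the UDP 4500 demultiplexing that RFC 3948 requires, as an added worked example that is not part of this documentation or the TMS zl Module's code. It assumes SHA-1 as the negotiated IKE hash, and the cookies and addresses are constructed for illustration.

```python
"""NAT-D hash check (RFC 3947) and UDP-4500 demultiplexing (RFC 3948).
Constructed example; not vendor code. Cookies/addresses are made up."""
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE carried on UDP 4500
NAT_KEEPALIVE = b"\xff"               # one-byte payload that refreshes the NAT mapping


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D value: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed as the negotiated hash."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def detect_nat(cky_i, cky_r, peer_nat_d, seen_src, own_addr):
    """Compare the peer's NAT-D payloads with what this side actually observes.
    peer_nat_d: (hash of the peer's own source, hash of the peer's view of our address)
    seen_src:   (ip, port) the IKE packet really arrived from
    own_addr:   (ip, port) this side is listening on
    Returns (peer_behind_nat, self_behind_nat)."""
    peer_src_hash, peer_dst_hash = peer_nat_d
    peer_behind_nat = peer_src_hash != nat_d_hash(cky_i, cky_r, *seen_src)
    self_behind_nat = peer_dst_hash != nat_d_hash(cky_i, cky_r, *own_addr)
    return peer_behind_nat, self_behind_nat


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a datagram received on UDP 4500 the way RFC 3948 section 2 describes."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:  # ESP: non-zero 4-byte SPI followed by a 4-byte sequence number
        return "esp"
    return "invalid"


# Constructed scenario: client 192.168.1.10:500 sits behind a NAT that rewrites it to
# 198.51.100.7:4400; the gateway 203.0.113.5:500 is not behind NAT.
CKY_I, CKY_R = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
CLIENT_NAT_D = (nat_d_hash(CKY_I, CKY_R, "192.168.1.10", 500),
                nat_d_hash(CKY_I, CKY_R, "203.0.113.5", 500))


def gateway_view():
    """What the gateway concludes from the client's NAT-D payloads: (True, False)."""
    return detect_nat(CKY_I, CKY_R, CLIENT_NAT_D, ("198.51.100.7", 4400), ("203.0.113.5", 500))


if __name__ == "__main__":
    print(gateway_view())
    print(classify_udp4500(b"\xff"), classify_udp4500(NON_ESP_MARKER + b"\x01"))
```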

Configure the Firewall for NAT-T

The figure below shows which firewall access policies should be configured to permit NAT-T. In this example, you have configured the L2TP over IPsec policy to create a VPN tunnel between the devices in ZONE1 (VLAN 30) and L2TP over IPsec clients that dial in over the Internet.

In this example, the L2TP client is behind a NAT device and the TMS zl Module is not. (This example would also apply if both the module and the client were behind NAT devices.)

To permit UDP-encapsulated traffic through the firewall, you must configure firewall access policies to permit UDP 4500 traffic between SELF and the zone where the VPN gateway resides—in this case, EXTERNAL. You can use the preconfigured service object ipsec-nat-t-udp to specify UDP 4500.