Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 14 Next »


https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html

Old one:    https://www.juniper.net/documentation/en_US/junose15.1/topics/concept/nat-traversal-overview.html

IPsec VPN:  https://www.juniper.net/documentation/en_US/day-one-books/DO_IPsec_VPNs_2018.pdf


Payload encapsulation



Signalingin ISAKMP ( IKE phase1 )

https://www.rfc-editor.org/rfc/rfc3947

1- Detecting Support of NAT-Traversal
2- Detecting the Presence of NAT
3- Changing to New Ports


1st/2nd (3rd) packet

in the 4th packet

( could be the 3rd ??? )

payload: NAT-Discovery



NAT-T for IKE peer: NAT-T is used when there is a network device between the two tunnel end-points that enforce NAT.

all the IPSEC tunnerl to traverse the NATing equipement

Challenge:  Any changes to the IP addressing, which is the function of NAT, causes IKE to discard packets

Solution:  ESP over UDP/4500

After detecting one or more NAT devices ( by the firwall)  along the datapath during Phase 1 exchanges,

>> NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation. 



edit security ike gateway gateway-name 


[edit security ike gateway IKE-GW1]

root@srx3200# set no-nat-traversal


  • No labels