
References

Junos (current): https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html

Old one (JunosE 15.1): https://www.juniper.net/documentation/en_US/junose15.1/topics/concept/nat-traversal-overview.html

IPsec VPN (Day One book, 2018): https://www.juniper.net/documentation/en_US/day-one-books/DO_IPsec_VPNs_2018.pdf


Payload encapsulation



Signaling in ISAKMP (IKE phase 1)

1st/2nd packet: the peers announce NAT-T support (RFC 3947 Vendor ID payload).

3rd/4th packet (main mode): each peer sends its NAT-Discovery payloads.

Payload: NAT-Discovery (NAT-D). Each NAT-D payload carries HASH(CKY-I | CKY-R | IP | Port); the first one hashes the destination address/port as the sender addressed it, the remaining ones hash the sender's own source address/port.

The receiver recomputes the NAT-D hashes (IP address + port) from the source and destination it actually sees on the received packet and compares them with the NAT-D payloads the peer sent.

If both ends calculate those hashes and get the same result, they know there is no NAT between them.
If the hashes do not match, a device on the path has translated the address or the port, and the peers know on which side the NAT sits.
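How the NAT-D comparison works, as an added worked example (this is not code from the Juniper documentation or from Junos): it implements the RFC 3947 hash HASH(CKY-I | CKY-R | IP | Port) and the receiver-side comparison that decides whether a NAT sits in front of either peer. The cookies, addresses and ports are constructed values, and SHA-1 is assumed as the hash negotiated for the ISAKMP SA.

```python
"""NAT-Discovery (NAT-D) hash check from IKEv1 NAT-T (RFC 3947), worked example.

All cookies, addresses and ports below are constructed for illustration,
not taken from a real capture.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).

    IP is the raw address octets (4 for IPv4, 16 for IPv6), Port is 2 octets
    big-endian, HASH is the hash negotiated for the ISAKMP SA (assumed SHA-1).
    """
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d_payloads(cky_i, cky_r, dst_ip, dst_port, src_ip, src_port, algo="sha1"):
    """Sender side (3rd/4th main-mode message).

    First NAT-D: hash of the destination as the sender addresses the peer.
    Remaining NAT-D(s): hash of the sender's own source address/port.
    """
    return [
        nat_d_hash(cky_i, cky_r, dst_ip, dst_port, algo),
        nat_d_hash(cky_i, cky_r, src_ip, src_port, algo),
    ]


def detect_nat(cky_i, cky_r, payloads, pkt_dst_ip, pkt_dst_port, pkt_src_ip, pkt_src_port,
               algo="sha1"):
    """Receiver side: recompute the hashes from the destination and source that are
    actually on the received UDP packet and compare with what the peer hashed.

    Returns (nat_in_front_of_me, nat_in_front_of_peer).
    """
    my_hash = nat_d_hash(cky_i, cky_r, pkt_dst_ip, pkt_dst_port, algo)
    peer_hash = nat_d_hash(cky_i, cky_r, pkt_src_ip, pkt_src_port, algo)
    nat_in_front_of_me = payloads[0] != my_hash        # peer addressed something else than me
    nat_in_front_of_peer = peer_hash not in payloads[1:]  # peer's source was rewritten on the way
    return nat_in_front_of_me, nat_in_front_of_peer


# Constructed scenario: initiator 10.1.1.10:500 sends to responder 203.0.113.5:500.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
PAYLOADS = build_nat_d_payloads(CKY_I, CKY_R, "203.0.113.5", 500, "10.1.1.10", 500)


def scenario_no_nat():
    """The responder receives the packet exactly as the initiator sent it."""
    return detect_nat(CKY_I, CKY_R, PAYLOADS, "203.0.113.5", 500, "10.1.1.10", 500)


def scenario_initiator_behind_nat():
    """A NAT/PAT device rewrote the initiator's source to 198.51.100.7:41234."""
    return detect_nat(CKY_I, CKY_R, PAYLOADS, "203.0.113.5", 500, "198.51.100.7", 41234)


def scenario_responder_behind_nat():
    """Port forwarding: the responder actually sits on 192.168.50.2, not 203.0.113.5."""
    return detect_nat(CKY_I, CKY_R, PAYLOADS, "192.168.50.2", 500, "10.1.1.10", 500)


if __name__ == "__main__":
    print("no NAT            :", scenario_no_nat())                 # (False, False)
    print("initiator NATed   :", scenario_initiator_behind_nat())    # (False, True)
    print("responder NATed   :", scenario_responder_behind_nat())    # (True, False)
```

The point of hashing rather than sending the address in clear is only that the peers never have to parse addresses out of the payload: a mismatch on the first NAT-D says "the packet reached a different address/port than the sender aimed at", a mismatch on the rest says "the sender's source was rewritten", and the two results together tell each side whether it must switch to UDP encapsulation and send keepalives.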


NAT-T for IKE peers: NAT-T is used when a network device between the two tunnel endpoints performs NAT, so that the IPsec tunnel can traverse the NAT device.

Challenge: NAT rewrites IP addresses (and, with PAT, ports). ESP carries no transport-layer port for the NAT device to translate, and any change to the IP addressing, which is the function of NAT, causes IKE to discard the packets.

Solution: ESP encapsulated in UDP on port 4500. IKE itself also moves from UDP/500 to UDP/4500 once a NAT has been detected.

After the firewall detects one or more NAT devices along the data path during the Phase 1 exchange (the NAT-D hashes do not match), NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to the IPsec packets so they are not discarded after address translation. The NAT device then only sees UDP/4500 traffic with ordinary ports to translate.
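What "ESP over UDP/4500" looks like on the wire, as an added example that is not part of the Juniper page: once IKE has moved to UDP/4500, the receiver must tell IKE, encapsulated ESP and NAT-keepalives apart from the first bytes of the UDP payload (Non-ESP Marker from RFC 3947 section 5.2, UDP-Encapsulated ESP and the keepalive from RFC 3948 sections 2.1 and 2.3). The sample datagrams are constructed, the port numbers are the standard ones, and the example goes slightly beyond the text above by also covering the keepalive packet.

```python
"""Demultiplexing UDP/4500 after NAT-T has kicked in (RFC 3947 section 5.2, RFC 3948 section 2).

After NAT detection both IKE and ESP are carried on UDP/4500. The receiver looks at the
first bytes of the UDP payload:
  - IKE:           4 zero octets (Non-ESP Marker) followed by the ISAKMP message
  - ESP:           the ESP header directly; the SPI must be non-zero, which is what
                   keeps it distinguishable from the marker
  - NAT-keepalive: a single 0xFF octet, sent only to keep the NAT mapping alive
All sample bytes below are constructed, not taken from a capture.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
NAT_T_PORT = 4500


def build_udp_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header (RFC 768) in front of the payload. RFC 3948 section 2.1 says the UDP
    checksum SHOULD be transmitted as zero for UDP-encapsulated ESP; done here."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def parse_udp_datagram(datagram: bytes):
    """Return (src_port, dst_port, payload); reject a length field that does not match."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src_port, dst_port, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    return src_port, dst_port, datagram[8:]


def udp_encapsulate_esp(esp_packet: bytes) -> bytes:
    """UDP-Encapsulated ESP payload: the ESP packet (SPI, seq, ciphertext, ICV) as-is.
    An SPI of 0 is reserved and would collide with the Non-ESP Marker, so refuse it."""
    if len(esp_packet) < 8 or struct.unpack("!I", esp_packet[:4])[0] == 0:
        raise ValueError("not a valid ESP packet for UDP encapsulation")
    return esp_packet


def udp_encapsulate_ike(isakmp_message: bytes) -> bytes:
    """IKE on UDP/4500: prefix the ISAKMP message with the 4-octet Non-ESP Marker."""
    return NON_ESP_MARKER + isakmp_message


def classify_udp4500_payload(payload: bytes) -> str:
    """Return 'IKE', 'ESP', 'NAT-keepalive' or 'invalid' for one UDP/4500 payload."""
    if payload == NAT_KEEPALIVE:
        return "NAT-keepalive"
    if len(payload) < 8:  # too short for marker+ISAKMP header or for ESP SPI+sequence
        return "invalid"
    if payload[:4] == NON_ESP_MARKER:
        return "IKE"
    spi = struct.unpack("!I", payload[:4])[0]
    return "ESP" if spi != 0 else "invalid"


def classify_datagram(datagram: bytes) -> str:
    """Full receive path: parse UDP, check the NAT-T port, then demultiplex the payload."""
    _src, dst, payload = parse_udp_datagram(datagram)
    if dst != NAT_T_PORT:
        return "not NAT-T"
    return classify_udp4500_payload(payload)


# Constructed samples: an ESP packet (SPI 0x0A1B2C3D, seq 1, 32 bytes of "ciphertext")
# and a 28-byte ISAKMP header stub (I-cookie, R-cookie, 12 remaining header bytes).
ESP_SAMPLE = struct.pack("!II", 0x0A1B2C3D, 1) + b"\x11" * 32
IKE_SAMPLE = bytes.fromhex("0123456789abcdef") + bytes.fromhex("fedcba9876543210") + bytes(12)


def demo():
    """Classify one datagram of each kind as the NAT-T receiver would."""
    return {
        "esp": classify_datagram(build_udp_datagram(4500, 4500, udp_encapsulate_esp(ESP_SAMPLE))),
        "ike": classify_datagram(build_udp_datagram(4500, 4500, udp_encapsulate_ike(IKE_SAMPLE))),
        "keepalive": classify_datagram(build_udp_datagram(4500, 4500, NAT_KEEPALIVE)),
        "plain_ike_500": classify_datagram(build_udp_datagram(500, 500, IKE_SAMPLE)),
        "junk": classify_datagram(build_udp_datagram(4500, 4500, b"\x00\x00\x00\x00\x01")),
    }
```

The zero SPI rule is what makes the scheme work without any extra framing: a receiver never has to guess, because a real ESP packet cannot start with four zero octets. The keepalive is a single byte precisely so that it can never be mistaken for either of the other two.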



Junos: NAT-T is enabled by default on an IKE gateway and is configured per gateway:

edit security ike gateway gateway-name

To disable it on a gateway (only when it is certain there is no NAT in the path; with this set the gateway does not negotiate NAT-T, so a tunnel that has to cross a NAT device will not come up):

[edit security ike gateway IKE-GW1]
root@srx3200# set no-nat-traversal

