Firewall NAT traversal

NAT traversal on the USG
What is IPSec NAT traversal?
When a NAT device is deployed between IPSec peers, NAT traversal must be enabled at both ends.
Authentication Header (AH) hashes the entire IP packet (including the IP address in the IP header) to authenticate data integrity. If NAT is deployed, the IP address changes after NAT, and the hash values will also change, causing an authentication failure. Therefore, the IPSec tunnel that uses AH cannot traverse the NAT gateway.
Encapsulating Security Payload (ESP) hashes the payload only. Therefore, IP address changes will not affect the ESP authentication. ESP is a Layer 3 protocol that has no port. Therefore, ESP cannot apply to Network Address Port Translation (NAPT). To resolve this issue, NAT traversal adds a UDP header to the ESP packet. In transport mode, a standard UDP header is inserted between the IP header of the original packet and the ESP header. In tunnel mode, a standard UDP header is inserted between the new IP header and the ESP header. When an ESP packet traverses a NAT device, the NAT device translates the IP address in the outer IP header and the port in the UDP header. The peer end of the IPSec tunnel processes the translated packet as a common IPSec packet. A UDP header is also inserted between the IP header and the ESP header of the reply packet.

Other related questions:
Firewall NAT traversal
If you have more questions, you can seek help from following ways:
To iKnow To Live Chat To Google
Scroll to top