IPSec is unavailable when both IPSec and NAT are configured on an interface of the AR


If NAT is configured on the interface to which an IPSec policy is applied, IPSec does not take effect, because the device applies NAT before IPSec on the outbound path: the source address of the packet is translated first, so the packet no longer matches the ACL referenced by the IPSec policy and leaves the interface unprotected. Use either of the following methods:
- Add a deny rule to the ACL referenced by NAT that matches the data flow defined in the ACL referenced by IPSec (same source and destination addresses), placed before the permit rule. The device then does not perform NAT on the data flow protected by IPSec.
- Alternatively, write the ACL referenced by IPSec so that it matches the NAT-translated (post-NAT) IP address.

Note:
After the deny rule is defined, you are advised to run the reset session all or reset nat session all command to clear the existing flow table, so that stale NAT entries do not keep translating the protected flow.
If services work in only one direction, check whether a NAT policy is applied on the device. If so, apply the preceding method.
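The following configuration is an added example of the first method (it is not from the Huawei page; the addresses, ACL numbers and names are assumed): the NAT ACL denies the IPSec-protected flow before its permit rule, and the IPSec ACL describes exactly that flow. The private LAN is assumed to be 192.168.1.0/24, the remote protected LAN 192.168.2.0/24, and the outbound interface address 203.0.113.1.

```text
acl number 3000
 description NAT ACL: exclude the IPSec-protected flow, then permit the rest
 rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.1.0 0.0.0.255
#
acl number 3001
 description IPSec ACL: the flow to be protected, identical to the deny rule above
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec policy policy1 10 isakmp
 security acl 3001
 ike-peer branch
 proposal prop1
#
interface GigabitEthernet0/0/1
 ip address 203.0.113.1 255.255.255.0
 nat outbound 3000
 ipsec policy policy1
#
```

The deny rule must cover the whole flow in the IPSec ACL (source and destination), otherwise part of the traffic is still translated and silently bypasses the tunnel. After applying it, clear the flow table as described in the note above, then confirm with display nat session all that no entries exist for 192.168.2.0/24 and with display ipsec sa that the SA carries traffic. With the second method the IPSec ACL would instead reference the translated address, for example 203.0.113.1 as the source.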

Other related questions:
Method used to establish an IPSec tunnel through NAT traversal
Huawei AR routers support an IPSec tunnel through NAT traversal. For details about the configuration, see "Example for Establishing an IPSec Tunnel that Traverses NAT Devices" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Which IKE negotiation mode does an AR support when NAT traversal is configured on the AR
When NAT traversal is configured on an IPSec-enabled AR router, the router supports both aggressive mode and main mode. Note: main mode is supported in V200R005C00 and later versions.

The ping operation is successful but services are unavailable on the AR configured with GRE over IPSec
IPSec encapsulation adds headers to each IP packet, so the packet becomes longer. If the encapsulated packet exceeds the MTU somewhere on the path, it is fragmented, and the receiver must reassemble the fragments before it can decrypt and parse them. Fragmentation and reassembly consume CPU resources, and encrypting and decrypting fragments consumes even more; with many fragments, CPU resources may run short, access becomes slow, and packets are discarded. If small ping packets get through but large ones do not, check the MTU of the ISP link. If the ISP MTU cannot be confirmed, ping with different packet sizes (with the DF bit set, so that the probes cannot be fragmented) to determine the smallest MTU on the path, then lower the MTU on the device accordingly.
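The script below is an added example (not from the Huawei page) of the two steps described above: it finds the path MTU toward the peer by binary search over DF-marked pings, then derives the MTU to set on the GRE over IPSec tunnel interface from the encapsulation overhead. It assumes IPv4, Linux iputils ping on a host behind the router (-M do sets the DF bit, -s is the ICMP payload size; on the AR itself the equivalent probe is ping -f -c 1 -s <size> <peer>), and ESP in tunnel mode with AES-CBC (16-byte IV and block) and a 12-byte HMAC-SHA1-96 ICV; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Huawei code: locate the path MTU with DF-bit pings, then
# derive a safe MTU for a GRE over IPSec tunnel.
# Assumptions: IPv4; Linux iputils ping; ESP tunnel mode, AES-CBC, 12-byte ICV.

# probe SIZE HOST: exit 0 if a DF-marked echo with SIZE payload bytes gets through.
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST: binary-search the largest payload that passes unfragmented
# and print the path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header).
find_path_mtu() {
    host=$1
    lo=0       # largest payload known to pass
    hi=9001    # smallest payload known to fail (above any jumbo frame)
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    if [ "$lo" -eq 0 ]; then
        echo "no DF-bit ping to $host succeeded; check reachability first" >&2
        return 1
    fi
    echo $((lo + 28))
}

# gre_ipsec_mtu PATH_MTU: largest inner IP packet that still fits in PATH_MTU
# after GRE (delivery IP 20 + GRE 4) and ESP tunnel-mode encapsulation, i.e. the
# value for the Tunnel interface MTU. The encrypted part (inner packet + GRE
# headers + padding + 2-byte ESP trailer) is rounded up to the 16-byte block.
gre_ipsec_mtu() {
    fixed=56                            # outer IP 20 + ESP SPI/seq 8 + IV 16 + ICV 12
    enc=$(( ($1 - fixed) / 16 * 16 ))   # largest block-aligned ciphertext that fits
    echo $(( enc - 24 - 2 ))            # minus GRE/delivery headers and ESP trailer
}

# Usage: sh pmtu.sh <peer-address>
if [ $# -ge 1 ]; then
    pmtu=$(find_path_mtu "$1") || exit 1
    echo "path MTU to $1: $pmtu; set tunnel MTU to $(gre_ipsec_mtu "$pmtu")"
fi
```

For a clean 1500-byte path the calculation gives a tunnel MTU of 1414, and for a 1492-byte PPPoE path 1398; a different cipher suite changes the constants (HMAC-SHA2-256 has a 16-byte ICV, transport mode saves the 20-byte outer header), so adjust fixed accordingly. Lowering the MTU only helps hosts that honour ICMP fragmentation-needed messages; for TCP it is also worth clamping the MSS on the tunnel interface (tcp adjust-mss on the AR) so that segments never need fragmenting in the first place.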

Method used to configure IPSec on the AR where NAT and OSPF are deployed
Huawei AR routers support IPSec tunnels in networking where NAT and OSPF are deployed. For details, see "Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Configuring IPSec NAT traversal on the USG
Run the nat traversal command in the IKE peer view on the gateways at both ends of the tunnel to enable IPSec NAT traversal.
