Firewall NAT traversal

NAT traversal on the USG
What is IPSec NAT traversal?
When a NAT device is deployed between IPSec peers, NAT traversal must be enabled at both ends.
Authentication Header (AH) hashes the entire IP packet (including the IP address in the IP header) to authenticate data integrity. If NAT is deployed, the IP address changes after NAT, and the hash values will also change, causing an authentication failure. Therefore, the IPSec tunnel that uses AH cannot traverse the NAT gateway.
Encapsulating Security Payload (ESP) hashes the payload only. Therefore, IP address changes will not affect the ESP authentication. ESP is a Layer 3 protocol that has no port. Therefore, ESP cannot apply to Network Address Port Translation (NAPT). To resolve this issue, NAT traversal adds a UDP header to the ESP packet. In transport mode, a standard UDP header is inserted between the IP header of the original packet and the ESP header. In tunnel mode, a standard UDP header is inserted between the new IP header and the ESP header. When an ESP packet traverses a NAT device, the NAT device translates the IP address in the outer IP header and the port in the UDP header. The peer end of the IPSec tunnel processes the translated packet as a common IPSec packet. A UDP header is also inserted between the IP header and the ESP header of the reply packet.

Other related questions:
Port used in firewall NAT traversal
Ports that must be open when IPSec NAT traversal is used on the USG: destination UDP ports 500 and 4500. If no NAT device is deployed, IKE uses UDP port 500; if a NAT device is deployed, UDP port 4500 is used. AH and ESP carry no port: AH packets are identified by IP protocol number 51 and ESP packets by IP protocol number 50, so these are protocol numbers to permit, not UDP ports.
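The encapsulation described above (a UDP header inserted between the outer IP header and the ESP header, the NAT device rewriting only the outer address and the UDP port) and the shared use of UDP port 4500 from the port question can be shown in a few lines. The following is an added example written for this page, not Huawei USG code; the key, addresses, SPI and truncated ICV length are constructed demo values. It builds an ESP segment whose integrity tag covers only the ESP header and payload, wraps it in the NAT-T UDP header, simulates a NAPT rewrite, and shows that the ESP check still passes while an AH-style tag that also covers the IP addresses fails. The receiver side demultiplexes IKE from ESP on port 4500 using the four-byte non-ESP marker, which is why SPI 0 is reserved.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA derives its keys via IKE.
DEMO_KEY = b"constructed-demo-integrity-key"
ICV_LEN = 12                           # truncated HMAC tag length chosen for this demo
NAT_T_PORT = 4500                      # UDP port shared by ESP-in-UDP and IKE behind NAT
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages sent on UDP 4500


def esp_segment(spi: int, seq: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """ESP header (SPI, sequence number) + payload + ICV.

    The ICV covers the ESP header and payload only, never the IP header,
    so a NAT rewriting the outer address leaves it valid.
    """
    assert spi != 0, "SPI 0 is reserved; it would collide with the non-ESP marker"
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def verify_esp(esp: bytes, key: bytes = DEMO_KEY) -> bool:
    """Recompute the ICV over header + payload and compare in constant time."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def udp_encapsulate(esp: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """Insert the UDP header that NAT traversal places in front of ESP.

    The UDP checksum is sent as zero for ESP-in-UDP; the receiver ignores it.
    """
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp


def build_packet(src_ip: str, dst_ip: str, esp: bytes) -> dict:
    """Outer IP header modelled as a dict; protocol 17 = UDP."""
    return {"src": src_ip, "dst": dst_ip, "proto": 17, "data": udp_encapsulate(esp)}


def ah_style_tag(pkt: dict, key: bytes = DEMO_KEY) -> bytes:
    """AH-style integrity tag: covers the IP addresses as well as the payload."""
    covered = pkt["src"].encode() + pkt["dst"].encode() + pkt["data"]
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def nat_rewrite(pkt: dict, public_ip: str, new_sport: int) -> dict:
    """What a NAPT device does: new outer source IP and new UDP source port."""
    _sport, dport, length, csum = struct.unpack("!HHHH", pkt["data"][:8])
    udp = struct.pack("!HHHH", new_sport, dport, length, csum) + pkt["data"][8:]
    return {"src": public_ip, "dst": pkt["dst"], "proto": pkt["proto"], "data": udp}


def demux_udp4500(udp_payload: bytes):
    """Receiver side: tell IKE from ESP on the shared port 4500."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("IKE", udp_payload[4:])
    spi = struct.unpack("!I", udp_payload[:4])[0]
    return ("ESP", spi)


def receive(pkt: dict, key: bytes = DEMO_KEY):
    """Strip the UDP header, demux, verify the ESP ICV; return (kind, spi, icv_ok)."""
    payload = pkt["data"][8:]
    kind, info = demux_udp4500(payload)
    if kind == "ESP":
        return kind, info, verify_esp(payload, key)
    return kind, None, None


def demo() -> dict:
    """Private host behind NAT sends ESP-in-UDP to a public peer."""
    esp = esp_segment(spi=0x1000, seq=1, payload=b"inner packet bytes (constructed)")
    sent = build_packet("10.0.0.2", "203.0.113.1", esp)
    ah_tag_before = ah_style_tag(sent)            # tag computed before NAT
    natted = nat_rewrite(sent, "198.51.100.7", 41234)
    kind, spi, esp_ok = receive(natted)
    ah_ok = hmac.compare_digest(ah_tag_before, ah_style_tag(natted))
    return {"kind": kind, "spi": spi, "esp_ok": esp_ok, "ah_ok": ah_ok}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `esp_ok` as True and `ah_ok` as False: the ESP tag survives the address and port rewrite because it never covered the outer header, while the AH-style tag breaks, which is the reason the text gives for AH tunnels not traversing NAT.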

Configuring IPSec NAT traversal on the USG
Run the nat traversal command on the IKE peers at both sides of the gateway to implement IPSec NAT traversal.

Method used to establish an IPSec tunnel through NAT traversal
Huawei AR routers support an IPSec tunnel through NAT traversal. For details about the configuration, see "Example for Establishing an IPSec Tunnel that Traverses NAT Devices" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Does L2TP support NAT traversal
L2TP supports NAT traversal. L2TP uses UDP port 1701, so the destination port must be port 1701 when NAT is used.

Does the AR router support H323 NAT traversal?
The AR router does not support H323 NAT traversal.
