Configuring IPSec NAT traversal on the USG

Run the nat traversal command on the IKE peers on both sides of the NAT gateway to implement IPSec NAT traversal.

Other related questions:
Method used to establish an IPSec tunnel through NAT traversal
Huawei AR routers support an IPSec tunnel through NAT traversal. For details about the configuration, see "Example for Establishing an IPSec Tunnel that Traverses NAT Devices" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Firewall NAT traversal
NAT traversal on the USG

What is IPSec NAT traversal? When a NAT device is deployed between IPSec peers, NAT traversal must be enabled at both ends.

Authentication Header (AH) hashes the entire IP packet (including the IP addresses in the IP header) to authenticate data integrity. If NAT is deployed, the IP address changes after NAT, so the hash value also changes and authentication fails. Therefore, an IPSec tunnel that uses AH cannot traverse a NAT gateway.

Encapsulating Security Payload (ESP) hashes only the payload, so IP address changes do not affect ESP authentication. However, ESP is a Layer 3 protocol with no port field, so ESP packets cannot pass through Network Address Port Translation (NAPT). To resolve this issue, NAT traversal adds a UDP header to the ESP packet. In transport mode, a standard UDP header is inserted between the IP header of the original packet and the ESP header. In tunnel mode, a standard UDP header is inserted between the new IP header and the ESP header. When an ESP packet traverses a NAT device, the NAT device translates the IP address in the outer IP header and the port in the UDP header. The peer end of the IPSec tunnel processes the translated packet as a common IPSec packet. A UDP header is also inserted between the IP header and the ESP header of the reply packet.

Port number used by the USG for NAT traversal
The USG firewalls use standard port numbers for IPSec NAT traversal: UDP packets with the destination port set to 500 or 4500. If no NAT device exists, port 500 is used; if a NAT device exists, port 4500 is used. IP packets carrying AH (IP protocol number 51) or ESP (IP protocol number 50) are also used.

Port used in IPSec NAT traversal scenarios on the USG2000
The initial port used in IKE negotiation is 500. After the NAT traversal capability detection and NAT gateway detection are complete, the UDP port for encapsulating ISAKMP messages is changed to 4500. The subsequent negotiation and data transmission use this port.
