How can I disable/enable NAT traversal in VPN settings?

12/20/2019 40 29020

DESCRIPTION:

NOTE: This article describes about NAT traversal taking tunnel mode and ESP protocol as an example,  NAT traversal also supported in AH protocol and in transport mode.

What is NAT-T or NAT traversal in IPSEC VPN?.

Traditionally, IPSec does not work when traversing across a device doing NAT/PAT(Network Address Translation and Port Address Translation), meaning if either one of the devices or both the devices terminating IPSEC is behind a NAT device, IPSEC will not work. To overcome this problem, NAT-T or NAT Traversal was developed.

NAT-T is an IKE phase 1 algorithm that is used when trying to establish a IPSEC VPN between two gateway devices where there is a NAT device in front of one of the gateway devices or both the gateway devices.

What is the Purpose of using NAT-T feature?.
 
In IPSEC, all critical information along with UDP/TCP header is encapsulated within ESP or AH header, ESP and AH itself is an protocol like TCP or UDP and carries no port information.If a NAT device is in between two IPSEC gateways and doing many to one NAT, it needs to do PAT(Port address translation) as well to maintain a consistent and proper session table.   If a packet is encapsulated by ESP or AH header, PAT/NAT device will not have port information to translate source port and result is IPSEC traffic will not pass through the PAT/NAT device.When we use NAT-T Feature, IPSEC traffic is encapsulated using UDP header with source and destination port number as 4500 and provides port information for the NAT device to do Port Address Translation.   How does NAT-T or NAT traversal works:   In IKE main mode, first two messages detect whether NAT-T feature is supported on the IPSEC gateways and three and four messages detects whether there is NAT device between IPSEC gateways.   If IPSEC gateways support NAT-T feature, both devices send NAT-D(NAT Discovery) payload, payload is the hash of source and destination IP and Source and destination port, receiving device will recalculate the hash, if hash matches there is no NAT device in between, if hash doesn't match there is a NAT device in between.   If the IPSEC gateways detects an existence of NAT device, from message five and six of Phase 1, all IPSEC packets are encapsulated using UDP header with source and destination as port 4500(including quick mode messages and user data).

Packet Format of ESP in tunnel Mode without NAT-T
           

Packet Format of ESP in tunnel Mode with NAT-T: 
 

NOTE: To perform NAT traversal process both the IPSEC gateway devices should support NAT-T even though a particular device is not behind NAT device. 

RESOLUTION:

1. Navigate to Manage | Connectivity | VPN  | Advance settings | Enable/Disable NAT traversal.
2. By default in all SonicOS, NAT traversal will be enabled.
   
   
   

   NOTE: NAT traversal feature in SonicWall is a global settings, changing this settings will affect all Global VPN and site to site VPN policies, also note that enabling this feature will not have impact on normal VPN working even though IPSEC gateways are not behind NAT device but disabling this feature will have impact the VPN policies where IPSEC gateway is behind NAT device.

    

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

1. Navigate to VPN settings|Advance settings| Enable/Disable NAT traversal.
2.  By default in all SonicOS, NAT traversal will be enabled. 
   
   
   

   NOTE: NAT traversal feature in SonicWall is a global settings, changing this settings will affect all Global VPN and site to site VPN policies, also note that enabling this feature will not have impact on normal VPN working even though IPSEC gateways are not behind NAT device but disabling this feature will have impact the VPN policies where IPSEC gateway is behind NAT device.