NAT Traversal, if enabled, automatically detects whether network address translation (NAT) is being performed between the two VPN tunnel endpoints. Such "in-between" NAT can interfere with IPsec/ESP traffic; in addition, some routers between the VPN peers may be configured to block IPsec pass-through, or to block IP protocol 50 (ESP).
If NAT is indeed being performed somewhere between those two endpoints, and both endpoints are capable of doing NAT Traversal, the IPsec traffic will be encapsulated within UDP packets. Encapsulating the IPsec traffic in UDP packets allows the IPsec traffic to be NAT'ed in between the endpoints. SonicWall's implementation of NAT Traversal is based upon RFC 3947.
How it works
NAT Traversal is negotiated by sending the NAT Traversal Vendor ID payload in the first two messages of Main Mode and Aggressive Mode. The Vendor ID is the MD5 hash of the draft name (draft-ietf-ipsec-nat-t-ike-00). On receiving this Vendor ID, each side can determine whether the other end supports NAT Traversal. A new payload, the NAT-Discovery (NAT-D) payload, is then sent in messages 2 and 3 of Main Mode and in messages 2 and 3 of Aggressive Mode. The HASH function negotiated in IKE, which can be MD5 or SHA, is used to compute it. After receiving the NAT-D payloads, each IPsec tunnel endpoint determines whether a NAT device sits in between by computing the HASH values locally and comparing them with the HASH values received. If a NAT device is detected between the endpoints, Phase 2 Quick Mode proposes UDP_TUNNEL_ESP (61443) or UDP_TRANSPORT_ESP (61444) instead of the plain ESP encapsulation attribute, depending on whether Tunnel or Transport mode is in use. If no NAT device is detected, Quick Mode is unchanged.
Once the IPsec SA is negotiated in Quick Mode, the ESP packets are encapsulated in a UDP header. The UDP encapsulation uses the same source and destination ports as the IKE negotiation; in draft 3, however, the UDP port is floated to 4500. UDP encapsulation is done only when a NAT device is present between the endpoints. The Phase 1 initiator sends the keepalives; their only purpose is to keep the NAPT mapping alive on the NAT device in between.
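The detection logic described above, as an added example rather than SonicOS code: it builds the NAT-T Vendor ID and the NAT-D hashes using the layouts from RFC 3947 (Vendor ID = MD5 of the draft/RFC name; NAT-D = HASH(CKY-I | CKY-R | IP | Port)), compares them the way a responder would, and picks the Quick Mode encapsulation attribute quoted on this page. The cookies and addresses are constructed sample values.

```python
import hashlib
import socket
import struct

# Added example, not SonicOS code. It assumes the RFC 3947 layouts (the RFC the page says
# SonicWall follows): the NAT-T Vendor ID is the MD5 of the draft/RFC name string, and each
# NAT-D payload carries HASH(CKY-I | CKY-R | IP | Port) using the Phase 1 hash (MD5 or SHA-1).
NAT_T_VENDOR_IDS = {
    name: hashlib.md5(name.encode()).digest()
    for name in ("draft-ietf-ipsec-nat-t-ike-00", "RFC 3947")
}

def supports_nat_t(received_vendor_ids):
    """True if a Vendor ID from IKE message 1/2 matches a NAT-T identifier we recognise."""
    return any(vid in NAT_T_VENDOR_IDS.values() for vid in received_vendor_ids)

def natd_hash(alg, cky_i, cky_r, ip, port):
    """NAT-D hash: HASH(CKY-I | CKY-R | IP | Port); IP in network order, port as 2 bytes."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    h = hashlib.new(alg)
    h.update(cky_i + cky_r + socket.inet_pton(family, ip) + struct.pack("!H", port))
    return h.digest()

def detect_nat(alg, cky_i, cky_r, peer_dst_hash, peer_src_hashes,
               my_ip, my_port, seen_peer_ip, seen_peer_port):
    """Compare the peer's NAT-D hashes with hashes over the addresses we actually hold/see.
    Returns (we_are_behind_nat, peer_is_behind_nat)."""
    # First NAT-D is the peer's view of OUR address: a mismatch means a NAT rewrote it.
    we_behind = natd_hash(alg, cky_i, cky_r, my_ip, my_port) != peer_dst_hash
    # Remaining NAT-Ds are the peer's own addresses: none matching the observed packet
    # source means the peer's address was rewritten, i.e. the peer sits behind a NAT.
    seen = natd_hash(alg, cky_i, cky_r, seen_peer_ip, seen_peer_port)
    return we_behind, seen not in peer_src_hashes

def quick_mode_encap(nat_detected, tunnel_mode):
    """Encapsulation Mode attribute to propose in Quick Mode (draft values quoted by the page)."""
    if nat_detected:
        return 61443 if tunnel_mode else 61444   # UDP_TUNNEL_ESP / UDP_TRANSPORT_ESP
    return 1 if tunnel_mode else 2                # plain ESP Tunnel / Transport (RFC 2407)

if __name__ == "__main__":
    # Constructed scenario: initiator really at 192.168.1.20 behind a NAT that presents it as
    # 198.51.100.7; responder at 203.0.113.10 with no NAT on its side; 8-byte IKE cookies.
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
    dst = natd_hash("sha1", cky_i, cky_r, "203.0.113.10", 500)    # initiator's view of responder
    src = [natd_hash("sha1", cky_i, cky_r, "192.168.1.20", 500)]  # initiator's own address
    we, peer = detect_nat("sha1", cky_i, cky_r, dst, src, "203.0.113.10", 500, "198.51.100.7", 500)
    print("responder behind NAT:", we, "| initiator behind NAT:", peer)          # False True
    print("Quick Mode attribute:", quick_mode_encap(we or peer, tunnel_mode=True))  # 61443
```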
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.
To find the NAT Traversal setting, log in to the SonicWall device.
Click Manage in the top navigation menu.
Click VPN | Advanced Settings.
Resolution for SonicOS 6.2 and Below
The resolution below is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
You can find the NAT Traversal setting under VPN | Advanced.