NAT-Traversal in an IPSEC Gateway

by nrice on 12-15-2010 11:24 AM


NAT traversal (NAT-T) is required when a device between the two IPsec peers performs address translation on the encrypted traffic, i.e. when translation is applied after encryption. Native ESP (IP protocol 50) carries no Layer 4 ports, so a NAT device doing port address translation has nothing to track or rewrite. With this option enabled, the peers detect the NAT during IKE negotiation and the firewall encapsulates the ESP traffic in UDP (port 4500), so the next device over can apply address translation to the outer IP and UDP headers without touching the encrypted payload. Both peers must support NAT-T for the UDP encapsulation to be negotiated, and the option is disabled by default, so it must be enabled explicitly on the IKE gateway (see the comments below).

Note: Encapsulating IPsec in UDP adds an 8-byte UDP header on top of the ESP overhead, so it is likely to require lowering the TCP MSS on the firewall and on devices between the firewall and the internet to avoid fragmentation of the encrypted packets. Palo Alto Networks firewalls can adjust the MSS automatically (the Adjust TCP MSS option on the Layer 3 interface).
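The framing described above, as an added example that is not part of the tech note and not Palo Alto Networks code. It shows what NAT-T looks like on the wire per RFC 3948: ESP rides unchanged as the payload of a UDP/4500 datagram, IKE on the same port is prefixed with the four-zero-octet Non-ESP marker (possible because SPI 0 is reserved), and a one-octet 0xFF keepalive refreshes the NAT mapping. It then goes beyond the note by working out the MSS arithmetic: the largest TCP MSS whose tunnel-mode ESP packet still fits a 1500-byte outer MTU, with and without the extra UDP header. The cipher overheads (16-byte IV and block for AES-CBC, 12-byte ICV for HMAC-SHA1-96) and all packet bytes are assumptions constructed for illustration.

```python
"""NAT-T on the wire (RFC 3948) and the MSS headroom it costs.

Added example for this tech note; not Palo Alto Networks code and not a model
of PAN-OS internals. Every sample packet below is constructed.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on 4500 is prefixed with 4 zero octets
NAT_KEEPALIVE = b"\xff"               # single-octet keepalive refreshing the NAT mapping

# Header sizes used for the MSS arithmetic (bytes).
IPV4_HDR, UDP_HDR, TCP_HDR = 20, 8, 20
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header


def encap_esp(esp_packet: bytes) -> bytes:
    """UDP-encapsulated ESP: the ESP packet rides unchanged as the UDP payload.

    The first four octets are the SPI. SPI 0 is reserved, which is what lets a
    receiver tell ESP apart from the Non-ESP marker used for IKE.
    """
    if len(esp_packet) < ESP_HDR:
        raise ValueError("ESP packet must carry at least SPI and sequence number")
    if esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("SPI 0 is reserved and would be read as the Non-ESP marker")
    return esp_packet


def encap_ike(ike_message: bytes) -> bytes:
    """IKE moved to port 4500 is prefixed with the Non-ESP marker."""
    return NON_ESP_MARKER + ike_message


def udp_header(payload: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """Outer UDP header: this (and the outer IP header) is what a NAT device
    rewrites; the ESP payload is never touched. A zero UDP checksum is
    permitted by RFC 3948 for this encapsulation."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HDR + len(payload), 0)


def demux_udp4500(payload: bytes):
    """Classify a UDP payload received on port 4500 the way a NAT-T peer does."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", b""
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    if len(payload) >= ESP_HDR:
        spi, seq = struct.unpack("!II", payload[:ESP_HDR])
        return "esp", {"spi": spi, "seq": seq, "body": payload[ESP_HDR:]}
    raise ValueError("malformed NAT-T payload")


def tunnel_packet_size(tcp_payload: int, nat_t: bool, iv_len: int, icv_len: int, block: int) -> int:
    """On-the-wire size of one tunnel-mode ESP packet carrying a TCP segment
    with tcp_payload bytes of data (inner IPv4 and TCP headers included)."""
    inner = IPV4_HDR + TCP_HDR + tcp_payload
    pad = (-(inner + ESP_TRAILER)) % block      # CBC needs block alignment
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len
            + inner + pad + ESP_TRAILER + icv_len)


def max_mss(mtu: int, nat_t: bool, iv_len: int = 16, icv_len: int = 12, block: int = 16) -> int:
    """Largest TCP MSS whose encrypted packet still fits the outer MTU.
    Defaults assume AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte
    ICV); substitute the overheads of the proposal actually negotiated."""
    for mss in range(mtu - IPV4_HDR - TCP_HDR, 0, -1):
        if tunnel_packet_size(mss, nat_t, iv_len, icv_len, block) <= mtu:
            return mss
    raise ValueError("MTU too small for any payload")


if __name__ == "__main__":
    # Constructed sample: ESP with SPI 0x1234abcd, sequence 7 and dummy ciphertext.
    esp = struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 24
    datagram = udp_header(encap_esp(esp)) + encap_esp(esp)
    print(demux_udp4500(datagram[UDP_HDR:]))
    print(demux_udp4500(encap_ike(b"\x01\x02")))
    print(demux_udp4500(NAT_KEEPALIVE))
    for nat in (False, True):
        print("NAT-T" if nat else "plain ESP", "max MSS at MTU 1500:", max_mss(1500, nat))
```

Note that with these assumed overheads the 8-byte UDP header costs a full 16-byte cipher block of MSS (1398 drops to 1382), because the ESP payload is padded to the block size; this is why "subtract 8" is not enough and why letting the firewall clamp the MSS is simpler than hand-tuning it.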


Enabling NAT traversal via the GUI

  • Select the "Enable NAT Traversal" checkbox on the IKE Gateway configuration screen and commit the change.

Enabling NAT traversal via the CLI

  • # configure
  • # set network ike gateway <gw name> protocol-common nat-traversal enable yes
  • # commit

The same command with "enable no" turns NAT traversal off again.

owner: panagent

by supporton2it
on 01-06-2011 03:52 AM

We just fixed a problem with VPN tunnel that wouldn't pass traffic (both IKE and IPSec came up fine), and this turned out to be due to NatT *disabled* (firmware 3.1.5). We didn't touch this, so I assume that NatT is *disabled* by default. Please double check.

by nrice
on 01-07-2011 08:07 AM

You are correct and the tech note has been updated accordingly. Thanks for the input.
