Custom AppID for NAT-T traffic

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Custom AppID for NAT-T traffic

L0 Member

I am looking for a way to identify NAT-T traffic on an IPSEC connection and define a custom app for it. To identify the IKE control plane traffic we would be looking for a 4 zero-valued bytes pattern at IP offset 28 on UDP 4500 traffic.


Screen Shot 2020-07-02 at 8.47.39 AM.png

It seems the 00 00 00 00 is the only consistent pattern in the traffic stream. Can RegEx be used to create a 7 byte pattern match?


The reason for the custom app is to limit NAT-T traffic to a VPN termination point that is being overrun with requests when there is client side misconfiguration.




L2 Linker

There is already an out of box App-ID for IPSEC NAT Traversal..."ipsec-esp-udp".  If the App-ID engine is already detecting this traffic as this App-ID, then you can not write a custom signature for it because there is no exposed decoder for this protocol.


If the firewall is detecting the traffic as "unknown-UDP" then there would be an opportunity to possibly use a custom App-ID.


While you can use regex in an App-ID signature, you still need a 7-byte anchor.

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!