Ipsec Nat-Traversal - Alcatel-Lucent OmniAccess 700 Cli Configuration Manual

Release versions: 2.2, 2.2-r02, 2.3
IP Security - Virtual Private Network

IPsec NAT-Traversal
NAT can occur before or after IPsec. If NAT is applied before the packet is IPsec-encrypted, NAT and IPsec can work together. If the packet is encrypted before it reaches NAT, NAT changes the address of an already-protected packet; because the packet has been modified, it fails the integrity check at the receiving end, the packet is discarded, and the VPN tunnel cannot be created. In such a scenario, NAT and IPsec cannot be applied on the same interface.

NAT-Traversal (NAT-T) was created to enable IPsec VPNs to work through NAT. It makes NAT and IPsec easier to deploy together by resolving these issues. NAT-T uses UDP (User Datagram Protocol) encapsulation, which lets NAT devices change IP addresses or ports without modifying the IPsec packet inside. Additionally, to prevent an IKE-aware NAT from modifying IKE packets, IPsec NAT-T peers switch the IKE UDP port from 500 to 4500 during IKE negotiation.

No configuration is required, as NAT-T is detected automatically by the VPN devices. Both VPN devices must be NAT-T capable.
Note:
IPsec NAT-T is only defined for ESP (Encapsulating Security Payload) traffic.
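The following is an added example, not code from the OmniAccess 700 manual, showing what the UDP encapsulation and the 500-to-4500 port switch look like on the wire from a monitoring or firewall point of view. It assumes the RFC 3948 framing rules, which the manual does not spell out: on UDP port 4500 an IKE message is prefixed with a 4-byte zero "Non-ESP marker", a UDP-encapsulated ESP packet starts directly with its non-zero SPI, and a NAT keepalive is a single 0xFF byte. All datagrams are constructed inline; nothing is captured traffic.

```python
"""Classify UDP datagrams on the IKE (500) and NAT-T (4500) ports.

Added example (not from the manual); framing per RFC 3948 is an assumption.
"""
import struct
from dataclasses import dataclass, field

IKE_PORT = 500          # IKE before a NAT is detected
NAT_T_PORT = 4500       # IKE and UDP-encapsulated ESP once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # marks an IKE message on port 4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive on port 4500
IKE_HEADER_LEN = 28


@dataclass
class Classification:
    kind: str                        # "ike", "esp", "keepalive" or "unknown"
    detail: dict = field(default_factory=dict)


def parse_ike_header(data: bytes) -> dict:
    """Decode the fixed 28-byte IKE header (same layout in IKEv1 and IKEv2)."""
    if len(data) < IKE_HEADER_LEN:
        return {"error": "truncated IKE header"}
    spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = \
        struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    return {
        "spi_i": spi_i,
        "spi_r": spi_r,
        "next_payload": next_payload,
        "major_version": version >> 4,
        "exchange_type": exchange,
        "initiator": bool(flags & 0x08),
        "message_id": msg_id,
        "length": length,
    }


def classify_udp_payload(dst_port: int, payload: bytes) -> Classification:
    """Say what an IPsec-related UDP datagram carries, based on port and framing."""
    if dst_port == IKE_PORT:
        return Classification("ike", parse_ike_header(payload))
    if dst_port != NAT_T_PORT:
        return Classification("unknown", {"reason": "not an IKE or NAT-T port"})
    if payload == NAT_KEEPALIVE:
        return Classification("keepalive")
    if payload.startswith(NON_ESP_MARKER):
        # Non-ESP marker present: the rest of the datagram is an IKE message
        return Classification("ike", parse_ike_header(payload[len(NON_ESP_MARKER):]))
    if len(payload) >= 8:
        # UDP-encapsulated ESP: SPI (non-zero) then sequence number. A NAT rewrites
        # the outer IP/UDP header only; these bytes are untouched, which is the
        # whole point of NAT-T.
        spi, seq = struct.unpack("!II", payload[:8])
        return Classification("esp", {"spi": spi, "seq": seq})
    return Classification("unknown", {"reason": "too short for ESP"})


def nat_t_in_use(packets) -> bool:
    """True once IKE traffic has been seen on port 500 and then on port 4500,
    i.e. the peers detected a NAT and performed the port switch described in
    the text. `packets` is an iterable of (dst_port, payload) tuples."""
    seen_500 = seen_4500_ike = False
    for dst_port, payload in packets:
        c = classify_udp_payload(dst_port, payload)
        if c.kind == "ike" and dst_port == IKE_PORT:
            seen_500 = True
        elif c.kind == "ike" and dst_port == NAT_T_PORT:
            seen_4500_ike = True
    return seen_500 and seen_4500_ike


def sample_ike_header() -> bytes:
    """Constructed IKEv2 header: initiator SPI, zero responder SPI, next payload
    SA (33), version 2.0, exchange IKE_SA_INIT (34), Initiator flag, message ID 0,
    total length 28 (header only)."""
    return struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0,
                       IKE_HEADER_LEN)


# Constructed sample datagrams (not captured traffic)
SAMPLE_PACKETS = [
    (IKE_PORT, sample_ike_header()),                                  # IKE on 500
    (NAT_T_PORT, NON_ESP_MARKER + sample_ike_header()),               # IKE moved to 4500
    (NAT_T_PORT, struct.pack("!II", 0x0A0B0C0D, 1) + b"\x00" * 16),  # UDP-encapsulated ESP
    (NAT_T_PORT, NAT_KEEPALIVE),                                      # NAT keepalive
]

if __name__ == "__main__":
    for port, data in SAMPLE_PACKETS:
        print(port, classify_udp_payload(port, data))
    print("NAT-T in use:", nat_t_in_use(SAMPLE_PACKETS))
```

For a firewall or IDS in front of a NAT-T capable VPN device this is the practical consequence of the text: UDP 500 and UDP 4500 both need to be allowed, and ESP on 4500 carries no transport-layer ports of its own, so flow tracking has to key on the SPI rather than on inner ports.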
To Enable/Disable NAT-T

Command (in CM):
crypto nat-traversal {enable|disable}

Description:
This command is used to enable or disable NAT traversal for IPsec on the OA-700. By default, NAT Traversal is enabled.

Example:
ALU(config)# crypto nat-traversal disable