JUNOSe 11.0.x IP Services Configuration Guide

Figure 26 on page 294 shows an L2TP control frame encapsulated with a NAT-T UDP
header. The shaded area shows the portion of the frame that is encrypted by IPSec.

Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation

Figure 27 on page 294 shows an L2TP data frame encapsulated with a NAT-T UDP
header. The shaded area shows the portion of the frame that is encrypted by IPSec.

Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation

Additionally, IKE packets transmitted during the IKE SA negotiation process are
encapsulated with a NAT-T UDP header, and include a non-ESP marker to distinguish
them from standard ESP control and data frames. Figure 28 on page 294 shows an
IKE packet encapsulated with a NAT-T UDP header.

Figure 28: IKE Packet with NAT-T UDP Encapsulation
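
The following Python sketch shows how a receiver can use the non-ESP marker to tell IKE packets from ESP frames inside the NAT-T UDP payload. It is an added example, not code from this guide or from the router. It assumes the RFC 3948 layout (a marker of four zero octets, a one-octet 0xFF NAT keepalive) and the IKEv1 header format; the function name and the sample payloads are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4   # four zero octets where an ESP SPI would sit (RFC 3948)
NAT_KEEPALIVE = b"\xff"        # one-octet NAT keepalive (RFC 3948)
# IKEv1 header: cookies, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a NAT-T datagram as keepalive, IKE or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < ISAKMP_HDR.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        icookie, _rc, _np, version, exchange, _fl, _mid, length = ISAKMP_HDR.unpack_from(body)
        # Strict check: the IKE length field must match what the datagram carries.
        if length != len(body):
            return {"kind": "malformed", "reason": "IKE length field mismatch"}
        return {"kind": "ike", "version": f"{version >> 4}.{version & 0xF}",
                "exchange_type": exchange, "initiator_cookie": icookie.hex()}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    # Anything else is ESP: a non-zero SPI followed by the sequence number.
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "sequence": seq}


# Constructed sample payloads (not captured traffic).
SAMPLE_IKE = NON_ESP_MARKER + ISAKMP_HDR.pack(
    bytes.fromhex("1122334455667788"), b"\x00" * 8, 0, 0x10, 2, 0, 0, ISAKMP_HDR.size)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 16
SAMPLE_TRUNCATED = NON_ESP_MARKER + b"\x11" * 10

if __name__ == "__main__":
    for name, data in [("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP),
                       ("keepalive", NAT_KEEPALIVE), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, classify_natt_payload(data))
```

The marker works because it occupies the position of the ESP SPI field, and a valid ESP SPI is never zero.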

Only frames that use the ESP encryption and authentication protocol can be
UDP-encapsulated. Frames that use authentication header (AH) cannot be
UDP-encapsulated; therefore, NAT-T is not supported for L2TP/IPSec connections that
use AH.

For more detailed information about encapsulation and other IPSec security
parameters, see "Configuring IPSec" on page 125.

UDP Statistics

When NAT-T is enabled, UDP-encapsulated IPSec packets arriving and leaving the
router look like standard UDP packets. However, the router does not forward these