Udp Statistics; Nat Keepalive Messages; Figure 27: L2Tp Data Frame With Nat-T Udp Encapsulation - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

JunosE 11.3.x IP Services Configuration Guide
282
Figure 27 on page 282 shows an L2TP data frame encapsulated with a NAT-T UDP header.
The shaded area shows the portion of the frame that is encrypted by IPSec.

Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation

Additionally, IKE packets transmitted during the IKE SA negotiation process are
encapsulated with a NAT-T UDP header, and include a non-ESP marker to distinguish
them from standard ESP control and data frames. Figure 28 on page 282 shows an IKE
packet encapsulated with a NAT-T UDP header.

Figure 28: IKE Packet with NAT-T UDP Encapsulation

Only frames that use the ESP encryption and authentication protocol can be
UDP-encapsulated. Frames that use authentication header (AH) cannot be
UDP-encapsulated; therefore, NAT-T is not supported for L2TP/IPSec connections that
use AH.

For more detailed information about encapsulation and other IPSec security parameters,
see "Configuring IPSec" on page 119.

UDP Statistics

When NAT-T is enabled, UDP-encapsulated IPSec packets arriving and leaving the router
look like standard UDP packets. However, the router does not forward these packets to
and from the SRP module, as it does for other UDP packets. As a result, the UDP statistics
maintained by the SRP module do not reflect UDP-encapsulated IPSec packets.

NAT Keepalive Messages

The router does not generate NAT keepalive messages. The following reasons explain
why this behavior does not generally pose problems for remote users.

The primary application for using NAT-T is enabling secure L2TP/IPSec access to an
E Series router for remote hosts located behind a NAT device. The L2TP protocol has
its own keepalive mechanism that is sufficient for keeping NAT entries alive.

In most NAT configurations, an ERX router does not operate behind the NAT device,
thereby making the generation of keepalive messages unnecessary.

If the router receives NAT keepalive messages as part of the L2TP/IPSec traffic flow, it
discards these messages at the ingress line module on which the messages were received.
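The three kinds of datagram this chapter describes on the NAT-T UDP port (ESP-encapsulated L2TP data from Figure 27, IKE packets carrying the non-ESP marker from Figure 28, and the one-byte NAT keepalives the router discards at ingress) share one UDP port and are told apart only by the first bytes of the UDP payload. The classifier below is an added example, not code from this guide or from Juniper; it applies the RFC 3947/3948 framing to constructed sample datagrams and tallies them per kind, which is the per-flow UDP statistic the SRP module does not keep for these packets. The port constant, field layout and all sample values are assumptions of this example.

```python
"""
Classify the payload of a UDP/4500 datagram carrying NAT-T (UDP-encapsulated)
IPsec traffic, using the RFC 3947/3948 framing:

  IKE            4-byte non-ESP marker (all zeros) followed by the ISAKMP header
  NAT keepalive  a single 0xFF byte
  ESP            ESP header whose first field is a non-zero 32-bit SPI

The inner L2TP frame sits inside the ESP payload and is encrypted (the shaded
area of Figure 27), so only the outer framing can be inspected here.
All sample datagrams are constructed for this example, not captured traffic.
"""
import struct
from collections import Counter

NAT_T_PORT = 4500            # IANA "ipsec-nat-t"; the port NAT-T traffic is carried on
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ISAKMP_HEADER_LEN = 28       # 2 x 8-byte SPI, next payload, version, exchange type, flags, msg id, length
ESP_HEADER_LEN = 8           # SPI + sequence number


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return a dict with a 'kind' key plus whatever header fields could be parsed."""
    # A keepalive is exactly one 0xFF byte; the router drops these at the ingress line module.
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}

    # IKE: the non-ESP marker sits where an ESP SPI would be, and an ESP SPI is never zero,
    # so a zero first word unambiguously identifies IKE rather than ESP.
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated ISAKMP header"}
        i_spi, r_spi, next_payload, version, exch_type, flags, msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:ISAKMP_HEADER_LEN])
        if length > len(ike):
            return {"kind": "malformed", "reason": "ISAKMP length exceeds datagram"}
        return {
            "kind": "ike",
            "initiator_spi": i_spi,
            "responder_spi": r_spi,
            "version": (version >> 4, version & 0x0F),   # (major, minor); IKEv1 is (1, 0)
            "exchange_type": exch_type,
            "message_id": msg_id,
            "length": length,
        }

    # ESP: anything else that at least holds SPI + sequence number. Bytes after the
    # header are ciphertext (the encapsulated L2TP frame) and are not parsed.
    if len(payload) >= ESP_HEADER_LEN:
        spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
        return {"kind": "esp", "spi": spi, "seq": seq}

    return {"kind": "malformed", "reason": "too short for any NAT-T framing"}


def tally_nat_t(datagrams) -> Counter:
    """Count datagrams by kind: the UDP-encapsulated IPsec statistic the SRP module omits."""
    return Counter(classify_nat_t_payload(p)["kind"] for p in datagrams)


# Constructed samples (not captured traffic).
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII",
    0x1122334455667788,  # initiator SPI (cookie), arbitrary sample value
    0x0,                 # responder SPI: zero in the first Main Mode message
    1,                   # next payload: SA
    0x10,                # version 1.0
    2,                   # exchange type: Identity Protection (Main Mode)
    0,                   # flags
    0,                   # message ID (phase 1)
    ISAKMP_HEADER_LEN,   # length: header only in this sample
)
SAMPLE_ESP = struct.pack("!II", 0x0A0B0C0D, 1) + bytes(16)  # SPI, seq, 16 placeholder ciphertext bytes
SAMPLE_DATAGRAMS = [SAMPLE_ESP, SAMPLE_ESP, NAT_KEEPALIVE, SAMPLE_IKE, b"\x00\x00\x00\x00\x01"]

if __name__ == "__main__":
    for p in SAMPLE_DATAGRAMS:
        print(classify_nat_t_payload(p))
    print(dict(tally_nat_t(SAMPLE_DATAGRAMS)))
```

Because the AH protocol has no SPI-at-offset-zero convention that coexists with the non-ESP marker, this classifier only ever sees ESP, IKE or keepalive on the NAT-T port, which matches the chapter's statement that AH-protected L2TP/IPSec cannot be UDP-encapsulated.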
Copyright © 2010, Juniper Networks, Inc.
