Feature | Product | Release introduced
---|---|---
IPsec NAT-T | 5320 Series | Not Supported
IPsec NAT-T | 5420 Series | Not Supported
IPsec NAT-T | 5520 Series | Not Supported
IPsec NAT-T | 5720 Series | Fabric Engine 8.7. Supported on 5720-24MXW and 5720-48MXW. Supported using Fabric IPsec Gateway.
IPsec NAT-T | 7520 Series | Fabric Engine 8.10. Supported using Fabric IPsec Gateway.
IPsec NAT-T | 7720 Series | Fabric Engine 8.10. Supported using Fabric IPsec Gateway.
IPsec NAT-T | VSP 4900 Series | VOSS 8.3. Supported on VSP4900-12MXU-12XE and VSP4900-24XE. Supported using Fabric IPsec Gateway.
IPsec NAT-T | VSP 7400 Series | VOSS 8.2. Supported using Fabric IPsec Gateway.
IP security (IPsec) Network Address Translation Traversal (NAT-T) allows IPsec tunnel traffic through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network.
The following considerations apply to IPsec NAT-T:
- You must configure one side of the IPsec NAT-T tunnel as an IPsec Responder. If IPsec is configured on the IPsec Initiator device and subsequently configured on the IPsec Responder device, IPsec must be restarted on the Initiator device. If IPsec is not restarted, it can take approximately 3 minutes for the adjacency to open.
- You must configure the aggregator device as the IPsec Responder device, and configure the branch device as the IPsec Initiator device.
- Among all the IPsec responders, the system uses the lowest configured maximum transmission unit (MTU) value of any responder IPsec tunnel as the MTU value for all IPsec responder-only tunnels. The system uses the lowest configured IPsec tunnel MTU value regardless of manually configured tunnel MTU values. For non-responder IPsec tunnels or VXLAN tunnels, the configured and visible MTU value for the tunnel is used for fragmentation and reassembly.
- If both the IPsec Initiator device and the IPsec Responder device are behind NAT, you must configure the IPsec Initiator device with the public IP address of the NAT router connected to the IPsec Responder device.
- You must add route table entries on the IPsec Responder device with the public IP address and private IP address of the remote NAT for the IPsec Initiator device. A configured route table is required for IPsec NAT-T Fabric Extend (FE) connectivity.
- You must add a route table entry on the IPsec Initiator device with the public IPsec Remote NAT IP address for the IPsec Responder device. A configured route table is required for IPsec NAT-T Fabric Extend (FE) connectivity.
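The considerations above can be checked before a change is pushed. The following is an added example, not code from the product documentation: a small model of a NAT-T deployment that computes the effective MTU rule for responder-only tunnels and lints an initiator/responder pair against the role, NAT-address and route-entry requirements. The `Tunnel` fields, the sample tunnels and their addresses (documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Tunnel:
    name: str
    site: str                 # "aggregator" or "branch" (assumed field)
    role: str                 # "responder" or "initiator"
    peer_ip: str              # address this side uses to reach the remote end
    mtu: int                  # manually configured tunnel MTU
    responder_only: bool = False
    behind_nat: bool = False
    nat_public_ip: str = ""   # public address of the NAT in front of this side
    has_nat_route: bool = False  # route entry for the remote NAT is configured

def effective_mtu(tunnel: Tunnel, all_tunnels: list[Tunnel]) -> int:
    """Responder-only tunnels all use the lowest MTU configured on any responder
    tunnel, whatever their own value; other tunnels keep their configured MTU."""
    if tunnel.responder_only:
        return min(t.mtu for t in all_tunnels if t.role == "responder")
    return tunnel.mtu

def lint_pair(init: Tunnel, resp: Tunnel) -> list[str]:
    """Return the considerations an initiator/responder pair violates."""
    issues = []
    if init.role == resp.role:
        issues.append("exactly one side must be the IPsec Responder")
    if resp.site != "aggregator" or init.site != "branch":
        issues.append("aggregator must be the Responder, branch the Initiator")
    if init.behind_nat and resp.behind_nat and init.peer_ip != resp.nat_public_ip:
        issues.append("Initiator must peer with the Responder-side NAT public IP")
    if not (init.has_nat_route and resp.has_nat_route):
        issues.append("route table entries for the remote NAT are required for FE")
    return issues

# Constructed sample deployment: a hub behind NAT with two branch tunnels.
HUB = Tunnel("hub-to-branch1", "aggregator", "responder", "203.0.113.10", 1400,
             responder_only=True, behind_nat=True, nat_public_ip="198.51.100.1",
             has_nat_route=True)
HUB2 = Tunnel("hub-to-branch2", "aggregator", "responder", "203.0.113.20", 1300,
              responder_only=True, has_nat_route=True)
BRANCH1 = Tunnel("branch1-to-hub", "branch", "initiator", "198.51.100.1", 1400,
                 behind_nat=True, nat_public_ip="203.0.113.10", has_nat_route=True)
# Misconfigured: peers with the hub's private address and lacks the NAT route.
BAD_BRANCH = Tunnel("branch2-to-hub", "branch", "initiator", "192.0.2.5", 1400,
                    behind_nat=True, has_nat_route=False)
TUNNELS = [HUB, HUB2, BRANCH1, BAD_BRANCH]
```

Note that `HUB` keeps a configured MTU of 1400 but, being responder-only, its effective MTU drops to 1300 because `HUB2` is a responder with the lower value.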