IP security (IPsec) Network Address Translation Traversal (NAT-T) allows IPsec tunnel traffic through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network. To enable IPsec NAT-T connectivity, you must deploy and configure an IPsec NAT-T supported IPsec logical interface on each side of the IPsec tunnel.
The following terms are specific to the IPsec NAT-T feature:
Note
IPsec Initiator is the default mode of the logical interface IPsec tunnel.
Note
Only configure the logical interface of the IPsec Initiator device with the Remote NAT IP address of the responder.
The following diagram illustrates an example of an IPsec NAT-T configuration with both sides of the connection behind NAT:
BEB-1 Aggregator side IPsec Responder device configuration example:
logical-intf isis 2 dest-ip 192.0.2.2 mtu 1300 name "Tunnel-to-BEB3" auth-key <key value> ipsec responder-only ipsec
logical-intf isis 2 dest-ip 192.0.1.3 mtu 1300 name "Tunnel-to-BEB1" auth-key <key value> ipsec remote-nat-ip 203.0.113.1 ipsec
The following diagram illustrates an example of an IPsec NAT-T configuration with only one side of the connection behind NAT:
logical-intf isis 2 dest-ip 192.0.2.2 mtu 1300 name "Tunnel-to-BEB3" auth-key <key value> ipsec responder-only ipsec
logical-intf isis 2 dest-ip 192.0.1.2 mtu 1300 name "Tunnel-to-BEB1" auth-key <key value> ipsec
The following considerations apply to IPsec NAT-T:
You must configure one side of the IPsec NAT-T tunnel as an IPsec responder. If IPsec is configured on the IPsec Initiator device first and subsequently configured on the IPsec Responder device, IPsec must be restarted on the Initiator device. If IPsec is not restarted, it can take approximately 3 minutes for the adjacency to come up.
You must configure the aggregator device as the IPsec Responder device, and configure the branch device as the IPsec Initiator device.
Among all the IPsec responders, the system uses the lowest configured maximum transmission unit (MTU) value of any responder IPsec tunnel as the MTU value for all IPsec responder-only tunnels. The system uses the lowest configured IPsec tunnel MTU value regardless of manually configured MTU tunnel values, and higher MTU values might be visible in the IPsec information for the logical interface. For non-responder IPsec tunnels or VXLAN tunnels, the configured and visible MTU value for the tunnel is used for fragmentation and reassembly.
If both the IPsec Initiator device and the IPsec Responder device are behind NAT, you must configure the IPsec Initiator device with the public IP address of the NAT router connected to the IPsec Responder device.
You must add route table entries on the IPsec Responder device with the public IP address and private IP address of the remote NAT for the IPsec Initiator device. A configured route table is required for IPsec NAT-T Fabric Extend (FE) connectivity.
You must add a route table entry on the IPsec Initiator device with the public IPsec Remote NAT IP address for the IPsec Responder device. A configured route table is required for IPsec NAT-T Fabric Extend (FE) connectivity.
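As an added illustration, not taken from the vendor documentation or device software, the following Python checker parses logical-intf lines in the format shown above, applies the responder MTU rule (every responder-only tunnel uses the lowest MTU configured on any responder-only tunnel), and lints an initiator/responder pair against the considerations listed. The sample lines, the key placeholder and the responder_behind_nat flag are constructed assumptions.

```python
import shlex

# Constructed sample lines in the page's logical-intf format (not from a live device).
SAMPLE = [
    'logical-intf isis 2 dest-ip 192.0.2.2 mtu 1300 name "Tunnel-to-BEB3" auth-key <key value> ipsec responder-only ipsec',
    'logical-intf isis 3 dest-ip 192.0.2.9 mtu 1200 name "Tunnel-to-BEB4" auth-key <key value> ipsec responder-only ipsec',
    'logical-intf isis 4 dest-ip 192.0.1.3 mtu 1400 name "Tunnel-to-BEB1" auth-key <key value> ipsec remote-nat-ip 203.0.113.1 ipsec',
]

def parse_logical_intf(line):
    """Parse one logical-intf line into a dict; tokens we do not model are ignored."""
    tok = shlex.split(line)  # shlex keeps the quoted tunnel name as one token
    t = {"id": None, "dest_ip": None, "mtu": None, "name": None,
         "responder_only": False, "remote_nat_ip": None}
    i = 0
    while i < len(tok):
        w = tok[i]
        if w == "isis":
            t["id"] = int(tok[i + 1]); i += 1
        elif w == "dest-ip":
            t["dest_ip"] = tok[i + 1]; i += 1
        elif w == "mtu":
            t["mtu"] = int(tok[i + 1]); i += 1
        elif w == "name":
            t["name"] = tok[i + 1]; i += 1
        elif w == "remote-nat-ip":
            t["remote_nat_ip"] = tok[i + 1]; i += 1
        elif w == "responder-only":
            t["responder_only"] = True
        i += 1
    return t

def effective_mtu(tunnels):
    """Responder MTU rule: all responder-only tunnels share the lowest responder-only
    MTU on the device; non-responder tunnels keep their own configured MTU."""
    responder_mtus = [t["mtu"] for t in tunnels if t["responder_only"]]
    floor = min(responder_mtus) if responder_mtus else None
    return {t["name"]: (floor if t["responder_only"] else t["mtu"]) for t in tunnels}

def check_nat_t_pair(initiator, responder, responder_behind_nat):
    """Lint an initiator/responder pair; responder_behind_nat is topology knowledge
    the operator supplies (assumed input, not read from the configuration)."""
    problems = []
    if not responder["responder_only"]:
        problems.append("responder side must be configured responder-only")
    if initiator["responder_only"]:
        problems.append("initiator side must not be responder-only")
    if responder_behind_nat and not initiator["remote_nat_ip"]:
        problems.append("responder is behind NAT: initiator needs remote-nat-ip")
    if not responder_behind_nat and initiator["remote_nat_ip"]:
        problems.append("remote-nat-ip set although responder is not behind NAT")
    return problems
```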