IPsec NAT-T

IP security (IPsec) Network Address Translation Traversal (NAT-T) allows IPsec tunnel traffic through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network. To enable IPsec NAT-T connectivity, you must deploy and configure an IPsec NAT-T supported IPsec logical interface on each side of the IPsec tunnel.

The following terms are specific to the IPsec NAT-T feature:

The following diagram illustrates an example of an IPsec NAT-T configuration with both sides of the connection behind NAT:

IPsec NAT-T with NAT router on both sides
  1. BEB-1 Aggregator side IPsec Responder device configuration example:
    logical-intf isis 2 dest-ip 192.0.2.2
    mtu 1300
    name "Tunnel-to-BEB3"
    auth-key <key value>
    ipsec responder-only
    ipsec
  2. BEB-3 Branch side IPsec Initiator device configuration example:
    logical-intf isis 2 dest-ip 192.0.1.3
    mtu 1300
    name "Tunnel-to-BEB1"
    auth-key <key value>
    ipsec remote-nat-ip 203.0.113.1
    ipsec

The following diagram illustrates an example of an IPsec NAT-T configuration with only one side of the connection behind NAT:

IPsec NAT-T with NAT router on one side
  1. BEB-1 Aggregator side IPsec Responder device configuration example:
    logical-intf isis 2 dest-ip 192.0.2.2
    mtu 1300
    name "Tunnel-to-BEB3"
    auth-key <key value>
    ipsec responder-only
    ipsec
  2. BEB-3 Branch side IPsec Initiator device configuration example:
    logical-intf isis 2 dest-ip 192.0.1.2
    mtu 1300
    name "Tunnel-to-BEB1"
    auth-key <key value>
    ipsec
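
The two configurations above differ only in whether the initiator must address a NAT in front of the responder (the "remote-nat-ip 203.0.113.1" line in the both-sides example) or can reach it directly. What both rely on is the NAT detection built into IKE, which is how each side learns that a NAT sits on the path and that the tunnel must use UDP encapsulation on port 4500. The following Python is an added example that is not part of this page or of the vendor's software: it models the IKEv2 NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP check from RFC 7296 section 2.23 and runs it through both diagrams. The SPIs, the private address 10.1.1.2 and the translated port 2049 are constructed; the public addresses are borrowed from the diagrams purely as a constructed scenario, not as a statement of how the product implements the check.

```python
import hashlib
import ipaddress
import struct
from typing import NamedTuple, Optional, Tuple

# Added example, not vendor code. Models RFC 7296 section 2.23 NAT detection:
# each peer hashes the source and destination address it believes it is using;
# the receiver recomputes the hashes from the IP/UDP header it actually saw.
# A mismatch means a NAT rewrote the address or port somewhere on the path.

IKE_PORT = 500        # plain IKE
IKE_NATT_PORT = 4500  # IKE and UDP-encapsulated ESP once a NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Notification data: SHA-1(SPIi | SPIr | IP address | port), port big-endian."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    if not 0 <= port <= 65535:
        raise ValueError("UDP port out of range")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


class InitMessage(NamedTuple):
    spi_i: bytes
    spi_r: bytes
    nd_source: bytes            # NAT_DETECTION_SOURCE_IP as sent by the initiator
    nd_destination: bytes       # NAT_DETECTION_DESTINATION_IP as sent by the initiator
    observed_src_ip: str        # IP header source as the responder sees it (post-NAT)
    observed_src_port: int      # UDP source port as the responder sees it (post-NAT)


def initiator_build(spi_i: bytes, local_ip: str, local_port: int,
                    peer_ip: str, peer_port: int,
                    nat_public: Optional[Tuple[str, int]] = None) -> InitMessage:
    """Initiator side of IKE_SA_INIT. SPIr is all zeros in the first message.
    nat_public is the (ip, port) the packet carries after leaving the initiator's
    own NAT, if any; the initiator itself hashes its real local address."""
    spi_r = bytes(8)
    src_ip, src_port = nat_public if nat_public else (local_ip, local_port)
    return InitMessage(
        spi_i, spi_r,
        nat_detection_hash(spi_i, spi_r, local_ip, local_port),
        nat_detection_hash(spi_i, spi_r, peer_ip, peer_port),
        src_ip, src_port,
    )


def responder_detect(msg: InitMessage, local_ip: str, local_port: int) -> Tuple[bool, bool]:
    """Responder side. Returns (peer_behind_nat, self_behind_nat):
    - source hash mismatch: the initiator's address was translated on the way here
    - destination hash mismatch: the initiator sent to an address that is not ours,
      i.e. a NAT in front of us rewrote the destination"""
    peer_behind_nat = nat_detection_hash(
        msg.spi_i, msg.spi_r, msg.observed_src_ip, msg.observed_src_port) != msg.nd_source
    self_behind_nat = nat_detection_hash(
        msg.spi_i, msg.spi_r, local_ip, local_port) != msg.nd_destination
    return peer_behind_nat, self_behind_nat


def negotiated_port(peer_behind_nat: bool, self_behind_nat: bool) -> int:
    """A NAT on either side moves IKE and ESP to UDP 4500 (UDP encapsulation)."""
    return IKE_NATT_PORT if (peer_behind_nat or self_behind_nat) else IKE_PORT


def scenario_both_sides_nat() -> Tuple[bool, bool]:
    # Constructed: branch initiator 10.1.1.2 leaves its NAT as 192.0.2.2:2049;
    # aggregator responder 192.0.1.3 sits behind a NAT presenting 203.0.113.1.
    spi_i = bytes.fromhex("0102030405060708")
    msg = initiator_build(spi_i, "10.1.1.2", IKE_PORT, "203.0.113.1", IKE_PORT,
                          nat_public=("192.0.2.2", 2049))
    return responder_detect(msg, "192.0.1.3", IKE_PORT)


def scenario_one_side_nat() -> Tuple[bool, bool]:
    # Constructed: only the branch is behind a NAT; the aggregator is reached directly.
    spi_i = bytes.fromhex("1112131415161718")
    msg = initiator_build(spi_i, "10.1.1.2", IKE_PORT, "192.0.1.2", IKE_PORT,
                          nat_public=("192.0.2.2", 2049))
    return responder_detect(msg, "192.0.1.2", IKE_PORT)


def scenario_no_nat() -> Tuple[bool, bool]:
    # Constructed: public addresses on both ends, nothing rewritten.
    spi_i = bytes.fromhex("2122232425262728")
    msg = initiator_build(spi_i, "192.0.2.2", IKE_PORT, "192.0.1.2", IKE_PORT)
    return responder_detect(msg, "192.0.1.2", IKE_PORT)


if __name__ == "__main__":
    for name, fn in (("both sides behind NAT", scenario_both_sides_nat),
                     ("one side behind NAT", scenario_one_side_nat),
                     ("no NAT", scenario_no_nat)):
        peer, me = fn()
        print(f"{name}: peer_behind_nat={peer} self_behind_nat={me} "
              f"-> UDP {negotiated_port(peer, me)}")
```

The both-sides scenario is the one where the initiator has to be told the responder's NAT address up front: the destination hash only matches if the initiator addressed the responder's real interface, so with a NAT in front of the responder it always mismatches and the initiator has no other way to reach the responder than a configured public address, which is the role the "remote-nat-ip" line plays in the first configuration. In the one-side scenario the responder learns the branch's translated address and port from the packet itself, so nothing extra is configured on the initiator.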

IPsec NAT-T Considerations

The following considerations apply to IPsec NAT-T: