NAT Traversal (NAT-T)

NAT-T (NAT Traversal) is a mechanism that lets VPN (Virtual Private Network) traffic pass through devices that perform Network Address Translation (NAT). It is needed whenever VPN clients or servers sit behind NAT devices.

NAT rewrites the IP header (and, when translating ports, the transport header) of every packet it forwards, which conflicts with protocols that protect or depend on those header fields, as IPsec does. Specifically:

  1. ESP (Encapsulating Security Payload), a key component of IPsec, encrypts the payload and carries no transport-layer port numbers, so a NAT device that relies on ports to tell connections apart has nothing to translate; ESP on its own is therefore incompatible with NAT.
  2. NAT modifies the original packet's IP address and port, so the integrity checks IPsec performs on the received packet fail once those fields have been rewritten.

How NAT-T Works

  • Detection of NAT: During the initial VPN handshake (IKE Phase 1), each peer sends a hash of the source and destination address and port as it sees them. If the hash a peer receives does not match the address and port of the packet that actually arrived, something on the path rewrote them, so a NAT device is present.
  • UDP Encapsulation: If NAT is detected, NAT-T encapsulates the ESP packets inside UDP packets (typically on port 4500). This gives the NAT device a port to translate and a mapping to maintain, so it can handle and forward the traffic properly.
  • Keep-alive Messages: NAT-T sends periodic keep-alive messages over the same UDP port so the NAT device's mapping for the tunnel stays active during idle periods; if the mapping were deleted, return traffic from the peer could no longer be delivered.
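As an added illustration (not part of the original text), the following Python models the two mechanisms above the way IKEv2 (RFC 7296, section 2.23) and UDP encapsulation (RFC 3948) define them: the NAT-detection hash over SPIs, address and port, and the demultiplexing of keepalive, IKE and ESP traffic arriving on UDP/4500. The SPIs and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed sample IKE SPIs (8 bytes each); real peers pick these randomly.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of an IKEv2 NAT_DETECTION_*_IP notify payload:
    SHA-1 over SPIi | SPIr | IP address | UDP port (network byte order)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_detected(received: bytes, spi_i: bytes, spi_r: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """The receiver recomputes the hash from the outer header it actually saw.
    A mismatch means an address or port was rewritten somewhere on the path."""
    return received != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP/4500 datagram (RFC 3948): a single 0xFF byte is a NAT
    keepalive; four zero bytes (the non-ESP marker) prefix an IKE message; an
    ESP packet starts with its SPI, which is never zero, followed by a sequence
    number. Length checks are a simplification of full header validation."""
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= 8:
        return "esp"
    return "invalid"


def demo_initiator_behind_nat() -> bool:
    """Initiator sends from private 10.0.0.5:500; the NAT rewrites the outer
    header to 203.0.113.7:4500 before the responder sees it (constructed)."""
    sent = nat_detection_hash(SPI_I, SPI_R, "10.0.0.5", 500)
    return nat_detected(sent, SPI_I, SPI_R, "203.0.113.7", 4500)


if __name__ == "__main__":
    print("NAT in front of initiator:", demo_initiator_behind_nat())
    print(classify_udp4500(b"\xff"), classify_udp4500(b"\x00" * 4 + b"IKE"))
```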

Common Use Cases

  • Remote workers using IPsec VPNs in home or office environments with NAT-enabled routers.
  • Site-to-site VPNs where one or both endpoints are behind a NAT device.