Tuesday, April 5, 2016

NAT-T



IPsec uses an encapsulating protocol called Encapsulating Security Payload (ESP) to take the original IP information and securely encapsulate it via encryption. Because ESP is a protocol without ports, a NATting device cannot bind a unique port to the packet when it tries to pass through.

[Figure: ESP packet]

[Figure: Transport Mode]

[Figure: Tunnel Mode]

The solution is NAT-T


The detection of NAT-Traversal between the two IKE peers occurs in IKE Phase 1.
In the first two messages of Phase 1, the vendor ID payload for this specification
MUST be sent if NAT-Traversal is supported.

The NAT-D payload not only detects the presence of NAT between the two IKE peers,
but also detects where the NAT is.
To detect NAT between the two hosts, first detect whether the IP address
or the port changes along the path. This is done by sending the hashes of the
IP addresses and ports of both IKE peers from each end to the other. If both ends'
calculated hashes give the same result, they know there is no NAT between them. If the hashes
do not match, NAT-Traversal is required to get IPsec packets through.

The initiator must quickly change to port 4500 to avoid the IPsec NAT related issues.

The initiator MUST set both UDP source and destination ports to 4500, and all subsequent
packets MUST be sent on port 4500. In addition, the IKE data MUST be prepended
with a non-ESP marker.

If support for NAT-Traversal is enabled, the port in the ID payload in Main Mode/Aggressive
Mode MUST be set to 0.
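To make the NAT-D comparison and the non-ESP marker concrete, here is an added worked example (not code from the original post). It follows the RFC 3947 NAT-D formula HASH(CKY-I | CKY-R | IP | Port) and the RFC 3948 rule that IKE on UDP 4500 is preceded by four zero bytes; SHA-1 is assumed as the negotiated Phase 1 hash, and the cookies, addresses and ports are constructed sample values. The scenario puts the initiator behind a NAT that rewrites its source address and port, and shows how the responder concludes from the received NAT-D payloads that the peer is NATted while it is not.

```python
"""IKE NAT-Discovery (NAT-D) check and UDP-4500 demultiplexing, as an illustration."""
import hashlib
import ipaddress
import struct

# Four zero bytes placed in front of IKE data on UDP 4500 (RFC 3948). A valid
# ESP packet can never start with these, because SPI 0 is reserved.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port). SHA-1 is assumed as the negotiated hash;
    the IP is the raw 4 (or 16) address bytes and the port is big-endian 16-bit."""
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, remote, locals_):
    """Sender side: the first NAT-D payload hashes the remote (destination)
    address/port, the following ones hash each local address/port."""
    return [nat_d_hash(cky_i, cky_r, *remote)] + [
        nat_d_hash(cky_i, cky_r, *local) for local in locals_
    ]


def detect_nat(cky_i, cky_r, payloads, observed_src, my_addr):
    """Receiver side. observed_src is the (ip, port) seen in the IP/UDP headers of
    the packet that carried the payloads; my_addr is the (ip, port) the receiver
    believes it has. Returns (peer_behind_nat, self_behind_nat)."""
    remote_hash, local_hashes = payloads[0], payloads[1:]
    # If no local hash matches what we actually saw on the wire, the peer's
    # address or port was rewritten on the way to us: the peer is behind NAT.
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in local_hashes
    # If the peer's hash of our address differs from our own, our address was
    # rewritten before it reached the peer: we are behind NAT.
    self_behind_nat = nat_d_hash(cky_i, cky_r, *my_addr) != remote_hash
    return peer_behind_nat, self_behind_nat


def encapsulate_ike(ike_message: bytes) -> bytes:
    """Prepend the non-ESP marker so IKE can share UDP 4500 with UDP-encapsulated ESP."""
    return NON_ESP_MARKER + ike_message


def classify_udp4500(datagram: bytes) -> str:
    """Demultiplex a datagram received on UDP 4500 (RFC 3948)."""
    if datagram == b"\xff":
        return "nat-keepalive"  # one-byte keepalive that keeps the NAT mapping alive
    if datagram.startswith(NON_ESP_MARKER):
        return "ike"
    return "esp"  # first four bytes are a non-zero SPI


def demo():
    """Constructed scenario: initiator 10.0.0.5:500 sits behind a NAT that
    rewrites it to 203.0.113.9:61000; responder 198.51.100.7:500 is public."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    responder = ("198.51.100.7", 500)
    initiator_private = ("10.0.0.5", 500)
    initiator_as_seen_by_responder = ("203.0.113.9", 61000)  # after NAT rewrite

    # Initiator builds its NAT-D payloads from the addresses it knows about.
    payloads = build_nat_d_payloads(cky_i, cky_r, responder, [initiator_private])
    natted = detect_nat(cky_i, cky_r, payloads, initiator_as_seen_by_responder, responder)

    # Same exchange without any NAT on the path: the observed source is the real one.
    clean = detect_nat(cky_i, cky_r, payloads, initiator_private, responder)

    return {
        "with_nat": natted,       # (True, False): peer NATted, responder not
        "without_nat": clean,     # (False, False): no NAT detected
        "ike_kind": classify_udp4500(encapsulate_ike(b"\x01" * 28)),
        "esp_kind": classify_udp4500(b"\x00\x00\x10\x01" + b"\x00" * 12),
    }


if __name__ == "__main__":
    print(demo())
```

Once `with_nat` reports the peer as NATted, both sides switch to UDP 4500 as the post describes; the `classify_udp4500` check is what lets the receiver tell the marker-prefixed IKE traffic apart from the ESP traffic that shares that port.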



1 comment:

  1. Thanks ... this was really helpful to understand NAT traversal properly.