NAT-T (NAT traversal in IKE) is a method of enabling IPsec-protected IP datagrams to pass through network address translation (NAT). RFC 3947 defines the NAT-T negotiation during the Internet Key Exchange (IKE) phase, and RFC 3948 defines the UDP encapsulation of the protected packets.
A network address translator rewrites IP addresses (and usually port numbers) in packets that pass through it, which is incompatible with Internet Protocol Security (IPsec): IPsec's integrity protection treats the rewritten headers as tampering, and an ESP payload exposes no port fields for the translator to map. NAT-T protects the original IPsec-encoded packet by encapsulating it in an additional layer of UDP and IP headers, so that only those outer headers are touched by the translator.
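The RFC 3948 encapsulation can be shown with a small parser and builder. This is an added example written for this article, not code from the RFC or from any vendor implementation; it uses only the standard library and a constructed sample ESP packet. On the NAT-T port (UDP 4500) three payloads can appear: a plain ESP header (SPI and sequence number), an IKE message prefixed by a four-zero-byte non-ESP marker, and a one-byte 0xFF NAT-keepalive. Classifying them this way is what a sensor or firewall rule does when it has to tell VPN data traffic from key exchange.

```python
import struct

NAT_T_PORT = 4500                      # UDP port used after NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks IKE, since ESP SPI 0 is reserved
KEEPALIVE = b"\xff"                    # one-byte NAT-keepalive payload
IKE_HEADER_LEN = 28                    # SPIs (16) + next/version/exchange/flags (4) + msg id (4) + length (4)

def build_esp(spi: int, seq: int, encrypted_payload: bytes) -> bytes:
    """Constructed sample ESP packet: SPI, sequence number, then the opaque payload."""
    return struct.pack("!II", spi, seq) + encrypted_payload

def udp_encapsulate(esp_packet: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """Wrap an ESP packet in a UDP header as RFC 3948 describes.
    The UDP checksum is sent as zero (the RFC's SHOULD); a NAT on the path may
    rewrite the outer addresses and these ports, but never the ESP bytes."""
    length = 8 + len(esp_packet)
    return struct.pack("!HHHH", sport, dport, length, 0) + esp_packet

def parse_udp(datagram: bytes) -> dict:
    """Split a UDP datagram into header fields and payload."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than a UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": checksum, "payload": datagram[8:]}

def classify_nat_t(udp_payload: bytes) -> dict:
    """Decide which of the three RFC 3948 payload kinds a port-4500 datagram carries."""
    if udp_payload == KEEPALIVE:
        return {"type": "nat-keepalive"}
    if len(udp_payload) < 8:
        return {"type": "invalid", "reason": "shorter than an ESP header"}
    if udp_payload[:4] == NON_ESP_MARKER:
        ike = udp_payload[4:]                      # IKE header follows the marker
        if len(ike) < IKE_HEADER_LEN:
            return {"type": "invalid", "reason": "truncated IKE header"}
        ispi, rspi = struct.unpack("!QQ", ike[:16])
        return {"type": "ike", "initiator_spi": ispi, "responder_spi": rspi}
    spi, seq = struct.unpack("!II", udp_payload[:8])   # ordinary UDP-encapsulated ESP
    return {"type": "esp", "spi": spi, "seq": seq}

if __name__ == "__main__":
    sample = udp_encapsulate(build_esp(0x12345678, 1, b"\xaa" * 16))
    print(parse_udp(sample)["dport"], classify_nat_t(parse_udp(sample)["payload"]))
```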
Most major networking vendors support NAT-T for IKEv1 in their devices. In Microsoft Windows XP with Service Pack 2 the feature can be enabled,[1] but it is disabled by default when the VPN server itself is behind a network address translator, because of security issues. Enabling it requires a simple registry key change.[2]