NAT-Traversal in an IPSEC Gateway
131873
Created On 09/25/18 18:01 PM - Last Modified 06/12/23 08:30 AM
Resolution
Details
NAT traversal (NAT-T) is required when a device between the IKE peers translates addresses after the traffic has been encrypted, that is, when the ESP packets themselves are subject to NAT. ESP carries no transport-layer ports, so a NAT device that relies on port translation cannot track or forward it. With this option enabled, the peers detect the NAT during IKE negotiation and the firewall encapsulates the IPSEC traffic in UDP packets (port 4500), allowing the NAT device in the path to translate the UDP packet's IP headers and ports.
Note: Encapsulating IPSEC in UDP adds an 8-byte UDP header to every packet on top of the ESP overhead, so the TCP MSS is likely to need adjusting on the firewall and on devices between the firewall and the internet to avoid fragmentation of the encapsulated packets. Palo Alto Networks firewalls have an option (Adjust TCP MSS on the interface) to adjust the MSS automatically.
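As an added illustration (not part of this article and not PAN-OS code), the following Python script shows what the UDP encapsulation looks like on the wire and why it affects the MSS. It classifies UDP/4500 payloads using the RFC 3948 rules (a four-zero-byte non-ESP marker prefixes IKE, a non-zero SPI starts ESP, a single 0xFF byte is a NAT keepalive) and computes the largest TCP MSS that still fits in a given path MTU with and without the extra UDP header. The cipher parameters (16-byte IV and block for AES-CBC, 12-byte ICV for HMAC-SHA1-96) are assumptions for the calculation, and the sample payloads are constructed inline rather than captured.

```python
"""Added example (not from the Palo Alto Networks article or PAN-OS): classify
UDP/4500 payloads per RFC 3948 and compute the MSS impact of NAT-T."""
import struct

# RFC 3948 section 2: on UDP port 4500 the first octets identify the payload.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix of IKE messages sent on 4500
NAT_KEEPALIVE = b"\xff"                # one-octet NAT keepalive
IKE_HEADER = "!QQBBBBII"               # SPIi, SPIr, next, version, exch, flags, msgid, length


def classify_udp4500(payload: bytes) -> dict:
    """Describe a UDP/4500 payload as ESP, IKE, NAT keepalive or malformed."""
    if payload == NAT_KEEPALIVE:
        return {"type": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + struct.calcsize(IKE_HEADER):
            return {"type": "malformed"}
        _spi_i, _spi_r, _nxt, ver, exch, _flags, msg_id, length = struct.unpack_from(
            IKE_HEADER, payload, 4
        )
        return {
            "type": "ike",
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange_type": exch,
            "message_id": msg_id,
            "declared_length": length,
            "length_ok": length == len(payload) - 4,  # IKE length excludes the marker
        }
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload, 0)
        if spi != 0:                                # SPI 0 is reserved, never a live SA
            return {"type": "esp", "spi": spi, "seq": seq}
    return {"type": "malformed"}


def max_tcp_mss(path_mtu: int, nat_t: bool, iv_len: int = 16,
                icv_len: int = 12, block: int = 16) -> int:
    """Largest inner IPv4 TCP MSS that keeps one ESP packet within path_mtu.

    Assumed SA parameters: AES-CBC (16-byte IV and block) with a 12-byte ICV.
    Layout: outer IP(20) [UDP(8) if nat_t] ESP SPI+seq(8) IV |
            inner IP+TCP(40) + data | pad | pad-len+next-hdr(2) | ICV
    The inner packet plus padding plus the 2-byte trailer must be a multiple
    of the cipher block size, so the 8-byte UDP header can cost a full block.
    """
    outer = 20 + (8 if nat_t else 0) + 8 + iv_len
    room = path_mtu - outer - 2 - icv_len           # space for inner packet + padding
    # largest inner length L <= room with (L + 2) % block == 0
    inner = (room - (block - 2)) // block * block + (block - 2)
    return inner - 40                               # strip inner IP and TCP headers


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "keepalive": NAT_KEEPALIVE,
    "esp": struct.pack("!II", 0xC0FFEE01, 42) + b"\x00" * 16,
    "ike_sa_init": NON_ESP_MARKER
    + struct.pack(IKE_HEADER, 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28),
    "junk": b"\x00" * 6,
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} -> {classify_udp4500(pkt)}")
    for mtu in (1500, 1400):
        print(f"MTU {mtu}: MSS without NAT-T {max_tcp_mss(mtu, False)}, "
              f"with NAT-T {max_tcp_mss(mtu, True)}")
```

Running it with a 1500-byte path MTU gives an MSS of 1398 without NAT-T and 1382 with it: the 8 extra UDP bytes push the encrypted region over a block boundary, so the usable MSS drops by a whole 16-byte block, which is why an automatic MSS adjustment is safer than a hand-tuned constant.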
Enabling NAT traversal via the GUI
- Select the "Enable NAT Traversal" checkbox on the IKE Gateway configuration screen and commit the change.
Enabling NAT traversal via the CLI
- # configure
- # set network ike gateway <gw name> protocol-common nat-traversal enable yes
- # commit
- To disable it again, set the same option to "enable no" and commit.
owner: panagent