IPsec NAT Traversal (NAT-T) – Encapsulating ESP in UDP

#The NAT Problem: When Routers Break Encryption#link

We've already touched on this in the AH and ESP lessons. NAT (Network Address Translation) is the process where a router changes a private IP to a public one. The problem is that IPsec is designed to protect the integrity of the packet. If a router changes the IP header, the IPsec receiver thinks the packet was tampered with and drops it.

Why ESP and AH Fail with NAT

AH is the easiest case: it signs the IP header. NAT changes the header $ ightarrow$ signature fails $ ightarrow$ packet dropped. ESP is trickier. While ESP doesn't sign the outer header, many NAT routers only know how to forward TCP and UDP. ESP is its own protocol (Protocol 50). Most home routers don't know what to do with 'Protocol 50' and simply drop it.

During the IKE handshake, both peers send a 'NAT-D' (NAT Detection) payload. This is a hash of the IP and port. If the receiver's calculated hash doesn't match the one sent, it knows there is a NAT device in the middle.

The Solution: UDP Encapsulation (NAT-T)

The industry solved this with NAT-T (NAT Traversal). If a NAT device is detected, the IKE process switches the traffic from ESP (Protocol 50) to **UDP Port 4500**. The ESP packet is wrapped inside a standard UDP header. To the router, it looks like normal UDP traffic. To the receiver, it just strips the UDP header and finds the ESP packet inside.

Production Implementation

When configuring a VPN gateway, you must ensure that your firewall allows both UDP 500 (for the initial IKE setup) and UDP 4500 (for the NAT-T data flow). If you only open 500, users on home Wi-Fi will be able to authenticate, but no data will actually flow through the tunnel.

• ▪Open UDP 500 and 4500 on all edge firewalls
• ▪Enable NAT-T in the VPN configuration
• ▪Monitor for 'Fragmentation Required' ICMP messages
• ▪Prefer IKEv2 for better NAT handling