12-23-2020 03:49 AM
Hi community,
I have an FTD on my site with a private address and then an internet router that does NAT. (The remote peer's device is an HPE HSR6602.) The question is: do both peers need to enable NAT-T in the IPsec configuration, or is enabling it on one side enough? If so, does it matter which side has NAT-T enabled?
12-23-2020 07:33 AM
Both devices need to have NAT-T enabled. If one end has it disabled, the additional UDP encapsulation cannot be negotiated.
12-25-2020 08:27 PM
NAT-PT is supported by HPE
Do you face an issue?
12-27-2020 01:21 AM
The issue was solved. I understood that on the HPE device NAT-T was automatically enabled. The problem was in phase 2 with the Diffie-Hellman group; changing DH5 to DH2 solved the issue.
12-25-2020 10:36 PM
NAT-T should be enabled on both sides; only then will VPN traffic start transferring.
09-03-2021 12:19 PM - edited 09-03-2021 12:21 PM
Hi,
Today I've faced a strange behavior which I've not seen before and which I don't understand.
We'd set up an IKEv1 IPsec tunnel between an ASA and a Barracuda firewall; the tunnel went up but no traffic was able to pass through… Of course we checked the phase 1 and phase 2 parameters on both sides multiple times and everything looked correct and fine!
After some time we were told that the Barracuda firewall was sitting behind a NAT device.
09-03-2021 12:51 PM
This is what is to be expected without NAT-T. All the tunnel negotiation is done with UDP and will work, so the tunnels get established. But the IPsec SAs will be "only" IP/ESP-encapsulated and cannot pass through the PAT instance.
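The negotiation described in the answers above, as an added example that is not part of the original thread and not any vendor's code. It follows the RFC 3947 scheme for IKEv1 (Vendor ID plus NAT-D hashes), assumes SHA-1 as the negotiated hash, and uses constructed addresses and cookies; the function and constant names are hypothetical.

```python
import hashlib
import socket
import struct

# RFC 3947: NAT-T support is announced with a Vendor ID payload whose body
# is the MD5 hash of the string "RFC 3947".
NAT_T_VID = hashlib.md5(b"RFC 3947").digest()

PLAIN_ESP = "ESP as IP protocol 50"   # has no ports, so a PAT device cannot map it
UDP_ENCAP = "ESP inside UDP/4500"     # NAT-T encapsulation


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D body: HASH(CKY-I | CKY-R | IP | Port). SHA-1 is assumed here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def esp_transport(initiator_vids, responder_vids, cky_i, cky_r, sent, seen):
    """sent/seen: (src_ip, src_port, dst_ip, dst_port) as written by the
    sender and as observed by the receiver after any NAT on the path."""
    # Both peers must advertise the Vendor ID, otherwise NAT-D is never sent.
    if NAT_T_VID not in initiator_vids or NAT_T_VID not in responder_vids:
        return PLAIN_ESP
    # The sender hashes the addresses it used; the receiver hashes what arrived.
    claimed = [nat_d_hash(cky_i, cky_r, sent[0], sent[1]),
               nat_d_hash(cky_i, cky_r, sent[2], sent[3])]
    observed = [nat_d_hash(cky_i, cky_r, seen[0], seen[1]),
                nat_d_hash(cky_i, cky_r, seen[2], seen[3])]
    # Any mismatch means an address or port was rewritten in transit.
    return UDP_ENCAP if claimed != observed else PLAIN_ESP


# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I, CKY_R = bytes(range(8)), bytes(range(8, 16))
SENT = ("192.168.10.2", 500, "203.0.113.10", 500)   # peer with a private address
SEEN = ("198.51.100.7", 1024, "203.0.113.10", 500)  # after the router's PAT

if __name__ == "__main__":
    both = esp_transport([NAT_T_VID], [NAT_T_VID], CKY_I, CKY_R, SENT, SEEN)
    one = esp_transport([NAT_T_VID], [], CKY_I, CKY_R, SENT, SEEN)
    print("NAT-T on both peers:", both)
    print("NAT-T on one peer only:", one)
```

With NAT-T missing on either peer the result stays plain ESP even though a NAT is on the path, which matches the "tunnel is up but no traffic passes" symptom reported above.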
12-27-2020 01:45 AM
Thanks