Do both peers need to enable NAT-T?

aehtibarov
Level 1

Hi community,

I have an FTD on my site with a private address and then an internet router that does NAT. (The remote peer's device is an HPE HSR6602.) The question is: "Do both peers need to enable NAT-T in the IPsec configuration, or is enabling it on one side enough? If so, does it matter which side has NAT-T enabled?"


Both devices need to have NAT-T enabled. If one end has it disabled, the additional UDP-encapsulation can not be negotiated.

NAT-PT is supported by HPE

Do you face an issue?

Issue was solved. I understood that on the HPE device NAT-T was automatically enabled. The problem was in phase 2 with the Diffie-Hellman group; changing DH5 to DH2 solved the issue.

Great that the problem is solved. But be aware that DH2 is not what is considered secure any more. The industry moves to DH14 and greater.

harmesh88
Level 1

NAT-T should be enabled on both sides; only then will VPN traffic start transferring.

hi,

today I've faced a strange behavior which I've not seen before and which I don't understand

we'd set up an IKEv1 IPsec tunnel between an ASA and a Barracuda firewall; the tunnel went up but no traffic was able to pass through... of course we checked the phase 1 and phase 2 parameters on both sides multiple times and everything looked correct and fine!

after some time we were told that the Barracuda firewall was sitting behind a NAT device, and after we enabled NAT-T everything worked as expected! the question for me is: I've always thought that if a problem with NAT-T existed then no phase 1 could be exchanged beforehand and the tunnel would not come up anyway?!?! but why has this been OK in our setup, where of course phase 2 looked good but no traffic could pass?

This is what is to be expected without NAT-T. All the Tunnel-negotiation is done with UDP and will work, the tunnels get established. But the IPsec-SAs will be "only" IP/ESP-encapsulated and can not pass through the PAT instance.
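The point made in the thread (IKE completes over UDP regardless, but UDP encapsulation of ESP is only negotiated when both peers exchange NAT detection payloads and a NAT is detected) can be modelled in a few lines. The following is an added example, not code from any reply or device in this thread; it follows the NAT_DETECTION hash construction of RFC 7296 (SHA-1 over SPIi, SPIr, IP and port), and the SPIs, addresses and ports are constructed sample values.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass

# Constructed sample IKE SPIs (8 bytes each), not taken from a real session.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")

@dataclass
class Peer:
    name: str
    ip: str              # address the peer sees on its own interface
    port: int            # IKE source port it sends from (normally 500)
    supports_nat_t: bool # whether it includes NAT_DETECTION payloads at all

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP | Port) as carried in NAT_DETECTION_SOURCE_IP."""
    return hashlib.sha1(spi_i + spi_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()

def negotiate_encapsulation(initiator: Peer, responder: Peer,
                            seen_src_ip: str, seen_src_port: int):
    """Responder-side decision after IKE_SA_INIT.

    seen_src_ip/seen_src_port are the outer header as the responder actually
    observes it, i.e. after any NAT on the path. Returns (nat_detected, mode).
    """
    if not (initiator.supports_nat_t and responder.supports_nat_t):
        # One side sends no NAT_DETECTION payloads: the exchange still completes
        # over UDP/500, but UDP encapsulation cannot be negotiated, so the
        # child SA stays raw ESP (IP protocol 50), which a PAT device cannot map.
        return None, "ESP (IP proto 50)"
    advertised = nat_detection_hash(SPI_I, SPI_R, initiator.ip, initiator.port)
    observed = nat_detection_hash(SPI_I, SPI_R, seen_src_ip, seen_src_port)
    nat_detected = advertised != observed
    mode = "UDP-encapsulated ESP (UDP/4500)" if nat_detected else "ESP (IP proto 50)"
    return nat_detected, mode

if __name__ == "__main__":
    ftd = Peer("ftd-behind-nat", "10.0.0.5", 500, True)      # constructed
    hsr = Peer("remote-hsr", "198.51.100.9", 500, True)       # constructed
    # The NAT router rewrites 10.0.0.5:500 to 203.0.113.7:31000 (constructed).
    print(negotiate_encapsulation(ftd, hsr, "203.0.113.7", 31000))
    print(negotiate_encapsulation(ftd, Peer("no-natt", "198.51.100.9", 500, False),
                                  "203.0.113.7", 31000))
```

Running it shows the two outcomes described in the thread: with NAT-T on both ends the mismatch between advertised and observed hashes switches the child SA to UDP/4500, while with it off on either end the SA stays raw ESP even though IKE itself succeeded.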

rafail.sharifov
Level 1

Thanks