

NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01


Configuring IPsec NAT Traversal

When a NAT device exists between IPsec peers, the NAT traversal function must be enabled on both ends.


AH is mainly used to ensure message integrity, and its integrity check covers the IP packet header. Because NAT modifies the IP packet header, the AH integrity check of the header fails at the receiving end. Therefore, an IPsec tunnel protected by AH cannot traverse a NAT gateway. Packets protected by ESP do not have this problem, because the ESP integrity check does not cover the IP packet header (the outer IP packet header in tunnel mode).
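The difference in integrity scope between AH and ESP can be checked in code. The following Python model is an added example and is not part of this guide or of the device software: it computes an AH-style ICV over the IP header (with the mutable fields zeroed) plus the payload, and an ESP-style ICV over the ESP header and payload only, then rewrites the outer source address the way a NAT gateway would and re-verifies both packets. The key, SPIs, addresses and the HMAC truncation length are constructed values; encryption is omitted because only the integrity scope matters here.

```python
import hmac
import hashlib
import struct
import ipaddress

IPPROTO_ESP, IPPROTO_AH = 50, 51
SA_KEY = b"constructed-demo-integrity-key"  # constructed; a real SA key is negotiated by IKE


def ipv4_header(src, dst, proto, total_length, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0 for brevity; constructed demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def icv(data):
    """Truncated HMAC standing in for the SA's integrity algorithm."""
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()[:16]


def ah_integrity_input(ip_hdr, ah_and_payload):
    """AH authenticates the IP header with mutable fields zeroed (TOS, flags/fragment
    offset, TTL, checksum) plus everything after it. Source and destination addresses
    are covered, which is exactly what NAT rewrites."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_and_payload


def send_ah(src, dst, payload):
    # AH header: next header (4 = inner IPv4, tunnel mode), payload length, reserved,
    # SPI, sequence number, then a 16-byte ICV that is zeroed while the ICV is computed.
    ah_no_icv = struct.pack("!BBHII", 4, 5, 0, 0x100, 1) + b"\x00" * 16
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + len(ah_no_icv) + len(payload))
    tag = icv(ah_integrity_input(ip, ah_no_icv + payload))
    return ip + ah_no_icv[:12] + tag + payload


def verify_ah(pkt):
    """Receiver recomputes the AH ICV over the header it actually received."""
    ip, ah, payload = pkt[:20], pkt[20:48], pkt[48:]
    expected = icv(ah_integrity_input(ip, ah[:12] + b"\x00" * 16 + payload))
    return hmac.compare_digest(ah[12:28], expected)


def send_esp(src, dst, payload):
    # ESP: SPI, sequence number, (normally encrypted) payload, ICV.
    # The ICV never covers the outer IP header.
    esp = struct.pack("!II", 0x200, 1) + payload
    return ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp) + 16) + esp + icv(esp)


def verify_esp(pkt):
    esp, tag = pkt[20:-16], pkt[-16:]
    return hmac.compare_digest(tag, icv(esp))


def nat_rewrite_source(pkt, new_src):
    """What a NAT gateway does to the outer header: replace the source address."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def crosses_nat(send, verify, private_src, public_src, dst, payload=b"constructed data"):
    """True if the receiver still accepts the packet after NAT rewrote the outer source."""
    return verify(nat_rewrite_source(send(private_src, dst, payload), public_src))


if __name__ == "__main__":
    # Constructed addresses: 10.0.0.2 behind NAT, 203.0.113.5 public side, 198.51.100.1 peer.
    print("AH survives NAT: ", crosses_nat(send_ah, verify_ah, "10.0.0.2", "203.0.113.5", "198.51.100.1"))
    print("ESP survives NAT:", crosses_nat(send_esp, verify_esp, "10.0.0.2", "203.0.113.5", "198.51.100.1"))
```

The AH case fails even though the payload is untouched, because the address field that NAT rewrote is inside the authenticated input; with the same source address on both sides of the check (no NAT) AH verifies normally.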

When an IPsec packet traverses the NAT gateway, a standard UDP header is added between the original IP header and the ESP header. When the ESP packet traverses the NAT gateway, the NAT gateway translates the address and port number in the outer IP header and in the added UDP header. When the translated packet reaches the peer end of the IPsec tunnel, it is processed as a common packet. In the same way, a UDP header must also be added between the IP header and the ESP header in the response packet. Figure 12-4 shows a typical application of IPsec NAT traversal.
Figure 12-4 Typical application of the IPsec NAT traversal

When the NAT gateway is configured to allocate indexes dynamically, the same private network IP address may be mapped by NAT to a different address and port number after the IPsec SA is disconnected and reconnected. When the NAT gateway is configured to allocate indexes statically, a private network IP address is always mapped by NAT to the same IP address and port number. Configuring the NAT gateway to allocate indexes statically is recommended.


  1. Run system-view

    The system view is displayed.

  2. Run the ike peer peer-name command to create an IKE peer and enter the IKE peer view.
  3. Run the nat traversal command to enable NAT traversal.
  4. Run the remote-address [ authentication-address | vpn-instance vpn-instance-name ] remote-low-address [ remote-high-address ] command to configure the peer IP address or address segment.

    1. Configuration of device A:

      • If the HQ network does not need to initiate access, you can configure an IPsec policy template for device A. The IKE peer referenced in the IPsec policy template does not need to specify the peer IP address (that is, the remote-address command, which would configure the translated IP address between device A and device B, is not configured).

      • If the HQ network needs to initiate access, you must configure an IPsec policy in IKE mode for device A. The IKE peer referenced in the IPsec policy must specify the translated peer IP address (by running the remote-address command).

        If the local ID of device B is set to the IP address, you must run the remote-address authentication-address command on device A to set the outbound interface address or address segment of gateway B (the IP address before NAT) as the authentication address.

    2. Configuration of device B:

      Configure the IPsec policy in IKE mode for device B, and specify the peer IP address (by running the remote-address command) on the IKE peer referenced in the IPsec policy.

  5. Run the ike sa nat-keepalive-timer interval seconds command to configure the interval at which IKE sends NAT-keepalive packets.

    A NAT session has a limited lifetime on the NAT gateway. After a tunnel is established, if no packet traverses the gateway for a long period of time, the NAT session is deleted and data can no longer be transmitted over the tunnel. To prevent this, IKE sends a NAT-keepalive packet to the peer before the NAT session expires, which keeps the NAT session alive.

  6. Run commit

    The configuration is committed.
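The UDP encapsulation described in the overview and the NAT-keepalive packets of step 5 can be modelled together. The following Python code is an added example and is not from this guide or from the device software: it builds the outer IP | UDP | ESP layout, applies the NAT rewrite of the outer source address and UDP source port, and shows how the receiving peer classifies UDP port 4500 payloads as ESP (by SPI), IKE (four-byte non-ESP marker) or a one-byte NAT-keepalive, following RFC 3948. The addresses, SPIs and the translated port 40001 are constructed values, and IP and UDP checksums are left at zero for brevity.

```python
import struct
import ipaddress

IPPROTO_UDP = 17
NAT_T_UDP_PORT = 4500                 # UDP port used for IKE and ESP once NAT is detected (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE messages on port 4500; SPI 0 is reserved, so no clash
NAT_KEEPALIVE = b"\xff"               # one-octet NAT-keepalive payload (RFC 3948, section 2.3)


def ipv4_header(src, dst, proto, total_length):
    """Minimal 20-byte IPv4 header (checksum left 0 for brevity; constructed demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def _udp_packet(src, dst, sport, payload):
    return (ipv4_header(src, dst, IPPROTO_UDP, 20 + 8 + len(payload))
            + udp_header(sport, NAT_T_UDP_PORT, len(payload)) + payload)


def build_udp_encap_esp(src, dst, spi, seq, esp_body, sport=NAT_T_UDP_PORT):
    """Outer IP | UDP | ESP(SPI, seq, body): the NAT-T layout the guide describes."""
    return _udp_packet(src, dst, sport, struct.pack("!II", spi, seq) + esp_body)


def build_nat_t_ike(src, dst, ike_msg, sport=NAT_T_UDP_PORT):
    """IKE on port 4500 carries the non-ESP marker so the receiver can tell it from ESP."""
    return _udp_packet(src, dst, sport, NON_ESP_MARKER + ike_msg)


def build_nat_keepalive(src, dst, sport=NAT_T_UDP_PORT):
    """The packet IKE sends at the nat-keepalive-timer interval to refresh the NAT session."""
    return _udp_packet(src, dst, sport, NAT_KEEPALIVE)


def nat_translate(pkt, new_src, new_sport):
    """What the NAT gateway does: rewrite the outer source address and UDP source port only."""
    ip, udp, rest = pkt[:20], pkt[20:28], pkt[28:]
    ip = ip[:12] + ipaddress.IPv4Address(new_src).packed + ip[16:]
    udp = struct.pack("!H", new_sport) + udp[2:]
    return ip + udp + rest


def parse_nat_t(pkt):
    """Classify a received packet the way a NAT-T peer must: keepalive, IKE, or ESP."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    if pkt[9] != IPPROTO_UDP:
        info["kind"] = "not-udp"
        return info
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + ulen]
    info.update(sport=sport, dport=dport)
    if dport != NAT_T_UDP_PORT:
        info["kind"] = "other"
    elif payload == NAT_KEEPALIVE:
        info["kind"] = "nat-keepalive"     # refreshes the NAT binding; never reaches IPsec
    elif payload.startswith(NON_ESP_MARKER):
        info["kind"] = "ike"
        info["ike"] = payload[4:]
    elif len(payload) >= 8:
        info["kind"] = "esp"
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
    else:
        info["kind"] = "malformed"
    return info


def demo():
    """Constructed scenario: branch 10.0.0.2 behind NAT (public 203.0.113.5), HQ 198.51.100.1."""
    pkt = build_udp_encap_esp("10.0.0.2", "198.51.100.1", spi=0x1000, seq=1, esp_body=b"\x00" * 16)
    seen = parse_nat_t(nat_translate(pkt, "203.0.113.5", 40001))
    reply_to = (seen["src"], seen["sport"])   # HQ must answer the translated tuple, not 10.0.0.2
    ka = parse_nat_t(nat_translate(build_nat_keepalive("10.0.0.2", "198.51.100.1"), "203.0.113.5", 40001))
    return seen, reply_to, ka


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The SPI and sequence number survive translation untouched, so the HQ peer selects the same SA as without NAT; only the outer address and port it must reply to have changed, which is why the response direction also needs the UDP header the guide mentions.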

Follow-up Procedure

Run the display ike peer command and check the nat traversal field in the output to determine whether NAT traversal is enabled.

Updated: 2019-01-02

Document ID: EDOC1100055397
