
IPSec Communication Failed Due to Incorrect NAT Configuration

Publication Date:  2015-07-03  |   Views:  1487  |   Downloads:  0  |   Document ID:  EKB1000081634


Issue Description

Network Topology:
Firewall A---------Internet--------------Firewall B


IPSec negotiation was successful, but services were interrupted.

Handling Process

1. The IPSec information was displayed, and the result indicated that the IPSec tunnel was successfully established.

[USG-A]dis ike sa                                                                      
19:09:19  2013/01/07                                                                   
current ike sa number: 2                                                               
  connection-id  peer                    vpn   flag          phase   doi               
    0x49         222.73.x1.y1            0     RD          v1:2    IPSEC               
    0x48         222.73.x1.y1            0     RD          v1:1    IPSEC    

The peer address was

2. The IPSec negotiation session was examined. The negotiation packets were IKE packets on UDP port 500.

[USG-A]dis firewall  session table  verbose  destination-port 500    
19:11:51  2013/01/07                                                          
Current Total Sessions : 1                                                    
  udp  VPN:public --> public                                                   
  Zone: untrust--> local  TTL: 00:02:00  Left: 00:01:50                        
  Interface: InLoopBack0  NextHop:  MAC: 00-00-00-00-00-00          
  <--packets:2 bytes:576   -->packets:6 bytes:920                               

The session information indicated that NAT was not enabled on the intermediate device for user 222.73.x1.y1.

3. The ESP session (IPSec service packets) was examined.

[USG-A]dis firewall  session table verbose  destination global  X.X.118.10  
esp  VPN:public --> public                                                     
  Zone: untrust--> local  TTL: 00:10:00  Left: 00:09:47                        
  Interface: InLoopBack0  NextHop:  MAC: 00-00-00-00-00-00              
  <--packets:0 bytes:0   -->packets:5461 bytes:806880                          

The source address of the ESP packets had been changed to 122.225.10.t. When IPSec was disabled, the session disappeared; when the IPSec negotiation succeeded, the session appeared again. This indicated that the packets came from 222.73.x1.y1.
4. The preceding analysis indicated that the intermediate device changed the source address of the ESP packets to 122.225.10.t. This NAT configuration caused the communication failure, because 222.73.x1.y1 is a public address and does not need address translation.
5. For ESP packets to traverse NAT, NAT must also be applied to the negotiation packets. Otherwise, the two ends of the IPSec tunnel cannot detect that a NAT device exists between them.
The negotiation mechanism is described in the following figure. Only the negotiation packets can detect whether an intermediate NAT device exists.
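The detection mechanism behind step 5, as an added illustration that is not part of the original article: a Python model of IKE NAT discovery (RFC 3947 NAT-D payloads), where the receiver compares the peer's hash of its own address with a hash of the source address actually seen on UDP 500. The addresses, cookies and the SHA-1 hash are constructed stand-ins for the masked values on this page, and the three cases correspond to the fault (only ESP translated) and the two solutions.

```python
import hashlib
import ipaddress


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in here for whatever hash the IKE SA negotiated."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def nat_detected(cky_i, cky_r, sender_ip, sender_port, observed_ip, observed_port):
    """The sender hashes the address it believes it sends from; the receiver
    hashes the source it actually saw. A mismatch means a NAT rewrote it."""
    sent = nat_d_hash(cky_i, cky_r, sender_ip, sender_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


def simulate(nat_translates_ike: bool, nat_translates_esp: bool):
    """Firewall A -> intermediate device -> Firewall B, as in the article's topology.
    Returns (nat_detected_by_ike, esp_accepted_by_b)."""
    real_ip = "222.73.1.1"    # constructed stand-in for A's public address 222.73.x1.y1
    nat_ip = "122.225.10.1"   # constructed stand-in for the translated address 122.225.10.t
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8   # constructed ISAKMP cookies
    ike_src = nat_ip if nat_translates_ike else real_ip
    esp_src = nat_ip if nat_translates_esp else real_ip
    # Phase 1: B compares A's NAT-D hash with the UDP/500 source address it observed.
    detected = nat_detected(cky_i, cky_r, real_ip, 500, ike_src, 500)
    if detected:
        # NAT-T: ESP is wrapped in UDP/4500 and B matches the SA on the translated
        # address it learned during IKE, so the rewritten ESP source is expected.
        return True, True
    # No NAT detected: B installed the SA against the IKE peer address and expects
    # plain ESP from exactly that address; ESP from any other address matches no SA.
    return False, esp_src == ike_src


if __name__ == "__main__":
    print("only ESP translated (the fault):", simulate(False, True))
    print("NAT disabled (solution 1):      ", simulate(False, False))
    print("IKE translated too (solution 2):", simulate(True, True))
```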

Root Cause

An intermediate device translated the source address of the IPSec service data (ESP) but not that of the IKE negotiation packets, so the peers could not detect the NAT and the communication failed.

Solution

1. (Recommended) Both sides use public IP addresses, so NAT is unnecessary. Disable NAT on the intermediate device to resolve the problem.

2. Configure the intermediate NAT device to also translate the source IP address of the IKE negotiation packets, so that both ends detect the NAT device and negotiate NAT traversal.