A USG9000 supports two NAT traversal functions, which apply to different scenarios:
The USG9000 serves as an IPSec gateway, and a NAT device is deployed on the tunnel.
In this scenario, run the nat traversal command in the IKE peer view to enable NAT traversal. By default, NAT traversal is enabled on the USG9000.
You are advised to run the ike sa nat-keepalive-timer interval seconds command to understand the NAT device working status.
If the USG9000 initiates negotiation, you need to configure both the peer address and authentication address (through the authentication-address command) in the IKE peer view. If the USG9000 only needs to respond to negotiation requests, the authentication address is not required.
The USG9000 serves as a NAT device on the tunnel, not an IPSec gateway.
If the IPSec gateway that negotiates an IPSec tunnel does not support NAT traversal, encrypted packets cannot pass through the USG9000. To resolve this problem, run the firewall esp nat enable command in the system view to enable ESP NAT traversal. Then, ESP packets can pass through the USG9000.
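The following command sequence is an added illustration of both scenarios above; it is not taken from the USG9000 product documentation. The IKE peer name (peer1), the addresses (203.0.113.10, RFC 5737 documentation range) and the keepalive interval (20 seconds) are constructed values, and the use of the remote-address command for the "peer address" is an assumption about the IKE peer view; the commands nat traversal, authentication-address, ike sa nat-keepalive-timer interval and firewall esp nat enable are the ones the text names.

```text
# Scenario 1: the USG9000 is the IPSec gateway and a NAT device sits on the tunnel path.
<USG9000> system-view
[USG9000] ike peer peer1                                   # peer1: constructed name
[USG9000-ike-peer-peer1] nat traversal                     # enabled by default; shown explicitly
[USG9000-ike-peer-peer1] remote-address 203.0.113.10       # peer address (command name assumed)
[USG9000-ike-peer-peer1] authentication-address 203.0.113.10   # required only if the USG9000 initiates
[USG9000-ike-peer-peer1] quit
[USG9000] ike sa nat-keepalive-timer interval 20           # 20 s: constructed value

# Scenario 2: the USG9000 is only the NAT device on the path; the IPSec gateways
# on either side do not support NAT traversal, so ESP would otherwise be dropped.
<USG9000> system-view
[USG9000] firewall esp nat enable
```

When choosing the keepalive interval in scenario 1, pick a value shorter than the NAT device's UDP mapping timeout, otherwise the mapping expires between keepalives and the tunnel has to be renegotiated. In scenario 2, leave the authentication-address and nat traversal settings alone: the USG9000 is not a negotiating party and only needs to forward the ESP traffic.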