IPSec NAT-T pass-throughs

IPSec NAT-T (also called IPSec over UDP) is rapidly gaining popularity as the method of transferring traffic amongst IPSec servers and clients, due to its ability to get through firewalls and NAT-s. NAT-T

Raw IPSec traffic has difficulty getting through firewalls and NAT-s. IPSec NAT-T however hides the IPSec packets inside common UDP packets to allow easier passage. Due to this ability more and more “IPSec” servers either actually run IPSec NAT-T or allows both types of traffic to connect.

IPSec NAT-T traffic going through Internet Gate has to be specified explicitly in the VPN Pass-through field of the security profile page.

You are recommended to specify all three fields for each row. (Ensures stability and reliability.) Though you can enter as many rows as you want, try to keep the number of rows low.

IPSec NAT-T has no limitation of what servers the clients might be accessing. Multiple local clients may access the same remote server.

If remote server IP is not specified (empty field), the specified local client can access any remote server.

If local client IP is not specified (empty field), the specified remote server can be accessed by any of the local clients.

If neither local client IP nor remote server IP is specified, any local client can access any remote server.

IPSec NAT-T and PPTP entries don't affect each other (even though they are entered into the same pass-through-list), thus you can ignore all PPTP entries when considering what IPSec NAT-T entry combinations you can enter.

IPSec NAT-T and IPSec entries on the other hand do affect each other, especially when incomplete (one or two empty IP fields). Avoid such combinations as side effects or non-working connections might occur.

Even though it is possible to enter multiple incomplete rows (with missing IP addresses), such configurations might easily lead to side effects and non-working connections and is therefore not recommended.

It doesn't matter in what order you enter the rows.


If you only have IPSec NAT-T clients , entering one row IPSec NAT-T, with both the Local client IP and Remote server IP fields empty, is enough in most situations.

If you have (raw) IPSec or PPTP clients too , enter complete lines (with both Local client IP and Remote server IP specified).


If you have entered illegal combination of rows the first non-conformant row is marked with XXX. Please note that the reason for the error could be another row before or after that row that makes usage of the marked row impossible. Read the information on this page carefully to solve the problem.

Most IPSec clients must be manually configured to use IPSec NAT-T (some programs call it IPSec over UDP).

Many IPSec servers allow both IPSec and IPSec NAT-T protocols to be used – but not all. If you have trouble establishing an IPSec NAT-T connection to a server, ask server's technical staff if they allow IPSec NAT-T traffic.

web_gui/ipsec_nat-t_pass-through.txt · Last modified: 2010/11/15 10:23 by mats
CC Attribution-Noncommercial-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0