0 Replies Latest reply: Apr 26, 2012 2:21 PM by MIKIS RSS

    NAT-T clarification




      I am trying to understand how NAT-T works during the IPsec VPN negotiation. I went through a bunch of resources including the RFC 3947. IKE Phase 1 (NAT support in messages 1,2 and NAT detection in messages 3,4 is very clear). What I don't understand is the meaning of NAT-T negotiation in Quick Mode.

      Since IKE phase 1 messages 5 and 6 plus all phase 2 messages have already changed from UDP 500 to UDP 4500 what is going to be negotiated in Quick Mode related to NAT-T? The RFC 3947 says: "Quick Mode -   After Phase 1, both ends know whether there is a NAT present between them.  The final decision of using NAT-Traversal is left to Quick Mode". But as we saw, IKE phase 1 already started using NAT-T and UDP 4500 so what is this 'final decision'? If it will keep using it for the data transfer? Could be any case that the final decision is not to use NAT-T although NAT-T was detected and UDP 4500 is already used in IKE messages?