Another difference between IKEv1 and IKEv2 is the incorporation of NAT traversal in the latter. NAT traversal is necessary when a router along the route performs Network Address Translation. This is when a router captures the packets sent and modifies the destination address on the packets.
IPsec | pfSense Documentation IKE¶ IKE stands for Internet Key Exchange, and comes in two different varieties: IKEv1 and IKEv2. … VPN ON THE CISCO ASA: NAT Traversal - Intense School Jan 17, 2014
Jan 17, 2014
Before R80.10, Check Point "Maintrain" Security Gateways did not support initiating IKE propositions over NAT-T. A Security Gateway will accept and support proposals for industry UDP encapsulation behind port 4500, but will never initiate a proposal, unlike 600, 1100, 1200R and VPN-1 Edge Appliances that do support initiating IKE propositions
The first describes what is needed in IKE Phase 1 for NAT-Traversal support. This includes detecting whether the other end supports NAT-Traversal, and detecting whether there is one or more NATs between the peers. The second part describes how to negotiate the use of UDP encapsulated IPsec packets in IKE's Quick Mode.
SRX Series,vSRX. Understanding NAT-T, Example: Configuring a Route-Based VPN with Only the Responder Behind a NAT Device, Example: Configuring a Policy-Based VPN with Both an Initiator and a Responder Behind a NAT Device, Example: Configuring NAT-T with Dynamic Endpoint VPN ISAKMP mode config is an IKE extension that enable the VPN gateway to provide the network configuration for the remote user's machine: Internal IP address, DNS address, domain name, and so on. NAT Traversal. The remote user might be hidden behind a Network Address Translator (NAT), which will not work when using IPsec encrypted streams. Nat Traversal Hello, but not able to figure out when exactly will NAT-T be used IKE will construct a packet with port UDP 4500 when it detects NAT between the The first problem is that NAT changes the IP address of the internal computer to that of the NAT device. The Internet Key Exchange (IKE) protocol used by IPSec embeds the sending computer's IP By default nat-traversal (NAT-T) is enabled for IKE gateways. The default NAT-T keepalive is 5 seconds. Therefore unless explicitly showing that NAT-T was disabled in the configuration, then the IKE phase 1 will attempt to use NAT-T if a NAT device is detected in the path between two peers. However, that meant port 500 couldn't be used for such packets because all IKE messages (even the first ones) would have to be marked that way, which wouldn't have been backward compatible to IKE/IPsec implementations that didn't support NAT-Traversal. Instead, a separate port is used for UDP-encapsulated ESP and IKE with non-ESP marker.