Nat – When is an IPsec tunnel a real candidate for NAT-T (when is it absolutely required?)


I've had a persistent problem establishing phase 1 of an IPsec tunnel I am initiating from an endpoint at my site to a vendor.

It is a bit of an odd configuration and I am not sure if NAT-T must be enabled in order for it to work.

  • The IP of my interface is 192.168.100.1.

  • The source IP of the IPsec packets is 192.168.100.5.

  • The source IP of the IPsec packets when traversing "the cloud" is a public address.

    == the IPsec packets are NATed twice

It is unclear to me (unfortunately I am blind to this) whether the firewall is actually NATing the packets, or actually assigning the source address when the packets are being generated. [yes, I seriously can't see it]

Under which circumstances is NAT-T required by an IPsec tunnel in order for it to establish?

Is it required in the situation described above?

I'm hoping to test, but the vendor is resistant.

Thanks,

Matt

Best Answer

NAT-T would be required in this situation, as you are using NAT. If NAT-T is not used, the IPsec packets are modified in transit during the NAT process, which invalidates them. When NAT-T is used, the IPsec packets are encapsulated in UDP packets, preserving the original packets.
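As an added illustration (not part of the question or the answer above), the following Python script shows how an IKEv2 responder decides on its own whether NAT-T is needed: per RFC 7296 section 2.23, each peer sends NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP payloads that are SHA-1 hashes over the SPIs, IP address and port, and a mismatch between the hash the initiator sent and the hash of the address the packet actually arrived from means a NAT rewrote the packet on the way. The SPI values and the public address 203.0.113.10 are constructed placeholders; 192.168.100.5 is the private source address from the question.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 s2.23: SHA-1 over SPIi | SPIr | IP address | port (16-bit, network order).
    This is the body of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify."""
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(spi_i, spi_r, init_src, init_dst, observed_src, responder_local):
    """Responder-side evaluation of the two NAT-D payloads in an IKE_SA_INIT request.
    init_src / init_dst: (ip, port) pairs the initiator hashed (what it believes it has).
    observed_src: (ip, port) the request actually arrived from.
    responder_local: (ip, port) the responder received the request on.
    Any mismatch means a NAT sits on that side, so ESP must be UDP-encapsulated (port 4500)."""
    initiator_natted = (nat_detection_hash(spi_i, spi_r, *init_src)
                        != nat_detection_hash(spi_i, spi_r, *observed_src))
    responder_natted = (nat_detection_hash(spi_i, spi_r, *init_dst)
                        != nat_detection_hash(spi_i, spi_r, *responder_local))
    return {
        "initiator_behind_nat": initiator_natted,
        "responder_behind_nat": responder_natted,
        "nat_t_required": initiator_natted or responder_natted,
    }


# Constructed sample values (not real SPIs or addresses): the responder SPI is all
# zeros in the IKE_SA_INIT request, as the initiator does not know it yet.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)
VENDOR = ("198.51.100.20", 500)   # placeholder for the vendor's public gateway

# Scenario from the question: the initiator hashes 192.168.100.5, but the vendor sees
# the firewall's public address, so the source hashes disagree -> NAT-T is required.
result_nat = detect_nat(SPI_I, SPI_R, ("192.168.100.5", 500), VENDOR,
                        ("203.0.113.10", 500), VENDOR)

# Control case: no address rewriting on the path, so the hashes agree -> plain ESP works.
result_no_nat = detect_nat(SPI_I, SPI_R, ("192.168.100.5", 500), VENDOR,
                           ("192.168.100.5", 500), VENDOR)

if __name__ == "__main__":
    print("NATed path:", result_nat)
    print("direct path:", result_no_nat)
```

The same comparison tells a peer it is itself behind a NAT when the NAT_DETECTION_DESTINATION_IP hash it receives does not match its own local address, which is why enabling NAT-T is usually enough even when you cannot see the firewall's NAT configuration.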