• view
• edit
• upload
• print
• history

NAT Traversal is a method for encapsulating IPsec ESP packets into UDP packets for passing through routers or firewalls employing Network Address Translation (NAT). See nat_traversal for an example openswan configuration.

The NAT-T standard has been published by the IETF in a number of RFCs:

• RFC 3947 : the official NAT-T standard
• RFC 3715 : set the requirements for the NAT-T RFC
• RFC 3948 : encapsulating IPsec ESP packets within UDP

Recent versions of Openswan support the NAT-T RFC and the draft versions of these RFCs. There were several drafts:

• draft-ietf-ipsec-nat-t-ike-01.txt
• draft-ietf-ipsec-udp-encaps-01.txt
• draft-ietf-ipsec-nat-t-ike-02.txt
• draft-ietf-ipsec-udp-encaps-02.txt
• draft-ietf-ipsec-nat-t-ike-03.txt
• draft-ietf-ipsec-udp-encaps-03.txt
• draft-ietf-ipsec-nat-t-ike-04.txt
• draft-ietf-ipsec-udp-encaps-04.txt
• draft-ietf-ipsec-nat-t-ike-08

The NAT-T support for KLIPS was done by Mathieu Lafon, from Arkoon Network Security. The NAT-T support for 26sec was done by Herbert Xu(?).

To enable it, you need NAT-T (technically, ESPinUDP) support in your kernel. Kernels 2.6.6 and higher include this. For 2.4 kernels, you need to patch your kernel - see the README included in Openswan on how to do this.

Known good interops:

• Openswan to Openswan
• Openswan to Cisco VPN 3000
• Openswan to FreeS/WAN with NAT-T from http://open-source.arkoon.net
• Openswan to StrongSwan? (provided you patch your kernel) from http://www.strongswan.org/
• Openswan to SSH Sentinel
• Openswan to SafeNet?
• Openswan to Microsoft Windows 2000/XP(updates required).

Unknown:

• Openswan to Cisco IOS or PIX
• Openswan to Nortel