What is NAT traversal in FortiGate?

NAT Traversal (NAT-T), also known as UDP encapsulation, allows IPsec traffic to reach its destination when a VPN endpoint does not have a public IP address. This is usually the case when your ISP performs NAT, or when the external interface of your firewall is connected to a device that has NAT enabled.


As well as confidentiality, IPsec provides authenticity and integrity. The problem is that when a NAT device translates a packet, it replaces the original source address with its own, so the source address embedded in the protected payload no longer matches the source address of the IKE packet as it arrives. The remote peer's authenticity check therefore fails and it drops the packet. In short, as soon as the NAT device alters the packet, its integrity and authentication verification will fail.


Also, in some cases, depending on the mode in use, the payload and in particular the inner headers are encrypted when IPsec ESP is used. The NAT device cannot rewrite these encrypted headers with its own addresses, nor do anything else with them.

So the NAT device in the middle breaks authenticity and integrity, and in some cases cannot process the packet at all. NAT and IPsec are clearly incompatible, and NAT Traversal was developed to resolve this. NAT Traversal adds a UDP header that encapsulates the IPsec ESP packet. Because this new UDP wrapper is NOT encrypted and is treated like any normal UDP packet, the NAT device can make its address and port changes on it and forward the message, which sidesteps the problems explained above. Additionally, enabling NAT Traversal on the gateway devices resolves the authenticity and integrity problem, as the peers are now aware that such changes will occur.

In more detail: during phase 1 negotiation of an IPsec VPN connection, with NAT Traversal enabled the VPN peers detect whether one or both of them sit behind a NAT device and signal this to each other; the IKE negotiation then switches to UDP port 4500. From that point the data is sent as IPsec over UDP, which is effectively what NAT Traversal is. The receiving peer first strips the UDP wrapper that the sending peer added (the NAT Traversal part) from the IPsec packet and then processes the traffic as a standard IPsec packet.
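As an added illustration (not code from the original page or from either vendor), the following Python sketches how the phase 1 NAT detection works in IKEv1 NAT-T (RFC 3947): each peer sends a hash of the address and port it believes it is using, and the receiver compares that against the source it actually sees on the wire. The cookies are made-up values and the port 2049 after NAT is an assumption; the addresses are those of the configuration example later on this page.

```python
import hashlib
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload content per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    HASH is the hash negotiated in phase 1 (sha1 in this page's example). IP is the
    4-byte IPv4 address and Port the 2-byte UDP port, both in network byte order.
    """
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.new(algo, cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def peer_behind_nat(cky_i: bytes, cky_r: bytes, nat_d_from_peer: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """Receiver side: hash the source address/port actually seen on the wire and
    compare it with the NAT-D the peer computed over its own (pre-NAT) address.
    A mismatch means a NAT rewrote the packet on the way; the peers then move
    the negotiation to UDP 4500 and UDP-encapsulate ESP."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != nat_d_from_peer


# Made-up ISAKMP cookies; in a real exchange they come from the ISAKMP header.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def example() -> dict:
    """Constructed walk-through with the branch/HQ addresses of this page's topology."""
    # The Fortinet firewall hashes its own pre-NAT address 10.10.10.2:500 ...
    fortinet_nat_d = nat_d_hash(CKY_I, CKY_R, "10.10.10.2", 500)
    # ... but HUAWEI firewall_A sees the packet arrive from firewall_B's public
    # address 2.2.2.2 with a NAT-assigned port (2049 is assumed here).
    fortinet_behind_nat = peer_behind_nat(CKY_I, CKY_R, fortinet_nat_d, "2.2.2.2", 2049)
    # For comparison: firewall_A's NAT-D over 1.1.1.1:500 matches what the
    # Fortinet firewall observes, so firewall_A is not behind a NAT.
    huawei_nat_d = nat_d_hash(CKY_I, CKY_R, "1.1.1.1", 500)
    huawei_behind_nat = peer_behind_nat(CKY_I, CKY_R, huawei_nat_d, "1.1.1.1", 500)
    return {"fortinet_behind_nat": fortinet_behind_nat, "huawei_behind_nat": huawei_behind_nat}


if __name__ == "__main__":
    print(example())
```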

IPsec NAT Traversal Ports

Three ports and protocols in particular must be open on the device that performs NAT for the VPN to work correctly: UDP port 4500 (used for NAT traversal), UDP port 500 (used for IKE) and IP protocol 50 (ESP).
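The following Python is an added example, not code from the page or from either vendor. It shows what the receiving peer does with a datagram arriving on UDP 4500 once NAT-T is in use: it tells a NAT keepalive, an IKE message (prefixed with the four-byte non-ESP marker) and a UDP-encapsulated ESP packet apart, following the RFC 3948 layout. The sample datagrams are constructed inline; the SPI value is reused from the display ipsec sa output on this page purely as a sample.

```python
import struct

# On UDP 4500 three kinds of datagram share the port (RFC 3948).
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixed to IKE messages so they cannot look like ESP
NAT_KEEPALIVE = b"\xff"                 # one-byte datagram that keeps the NAT mapping alive
ISAKMP_HDR = "!8s8sBBBBII"              # init cookie, resp cookie, next payload, version,
ISAKMP_HDR_LEN = 28                     # exchange type, flags, message id, length


def classify_udp4500(payload: bytes) -> dict:
    """Decide what is inside a UDP/4500 payload. The NAT device only ever sees the
    outer UDP header; the peer uses the first bytes of the payload to demultiplex."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR_LEN:
            return {"kind": "malformed"}
        init_spi, _resp, _np, _ver, exch, _flags, _msg_id, length = struct.unpack(ISAKMP_HDR, ike[:ISAKMP_HDR_LEN])
        return {"kind": "ike", "initiator_spi": init_spi.hex(), "exchange": exch, "length": length}
    if len(payload) >= 8:                # ESP: SPI (4) + sequence number (4) + encrypted data
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed"}


def build_esp_datagram(spi: int, seq: int, body: bytes) -> bytes:
    """Constructed UDP-encapsulated ESP: the UDP payload is the ESP packet unchanged.
    SPI 0 is reserved precisely so that ESP can never collide with the non-ESP marker."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved (would collide with the non-ESP marker)")
    return struct.pack("!II", spi, seq) + body


def build_ike_datagram(init_spi: bytes, resp_spi: bytes, exchange: int, body: bytes) -> bytes:
    """Constructed IKEv1 message as carried on port 4500: non-ESP marker, then ISAKMP header.
    Exchange type 2 is main mode, 32 is quick mode; version 0x10 is IKEv1."""
    header = struct.pack(ISAKMP_HDR, init_spi, resp_spi, 0, 0x10, exchange, 0, 0,
                         ISAKMP_HDR_LEN + len(body))
    return NON_ESP_MARKER + header + body


if __name__ == "__main__":
    print(classify_udp4500(build_esp_datagram(0xCCFC1807, 5, b"\x00" * 16)))
    print(classify_udp4500(build_ike_datagram(b"\x01" * 8, b"\x00" * 8, 2, b"\x00" * 4)))
    print(classify_udp4500(NAT_KEEPALIVE))
```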

The ultimate fix for the problem that NAT Traversal works around is to use a public IP address on the firewall's external interface. This is also the recommended method, and it eliminates the need for NAT Traversal altogether.

Further Reading

Wikipedia's guide to NAT-T


As shown in Figure 1, the Fortinet firewall at the branch has no public IP address. It uses HUAWEI firewall_B as the NAT device for address translation, obtains a public IP address that way, and establishes an IPSec tunnel with HUAWEI firewall_A at the headquarters. HUAWEI firewall_B provides only source address translation, so access is possible only in the direction from the branch to the headquarters. Therefore, only the branch can proactively establish an IPSec tunnel with the headquarters, not the other way around.

Figure 2-10 Establishing an IPSec tunnel in a NAT traversal scenario

Item                                  | HUAWEI firewall_A           | Fortinet firewall
--------------------------------------|-----------------------------|----------------------------
IKE SA                                |                             |
  Negotiation mode                    | Main mode                   | Main mode
  Encryption algorithm                | 3des                        | 3des
  Authentication algorithm            | sha1                        | sha1
  Pre-shared key                      | Key@123                     | Key@123
  Identity type                       | NATed address of the peer   | Public address of the peer
  Authentication address of the peer  | Pre-NAT address of the peer | -
  IKE version                         | V1                          | V1
  DH                                  | Group2                      | Group2
  NAT traversal enabled or not        | Yes                         | Yes
IPSec SA                              |                             |
  Encapsulation mode                  | Tunnel mode                 | Tunnel mode
  Security protocol                   | ESP                         | ESP
  Encryption algorithm                | 3des                        | 3des
  Authentication algorithm            | sha1                        | sha1

  1. Configure HUAWEI firewall_A:
    1. Set IP addresses for interfaces and assign the interfaces to security zones.
    2. Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through HUAWEI firewall_A.
    3. Configure the default route from HUAWEI firewall_A to the Internet.
    4. Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, configuring an IKE peer, and configuring IPSec NAT traversal.
    5. Apply the IPSec policy to an interface.
  2. Configure HUAWEI firewall_B:
    1. Set IP addresses for interfaces and assign the interfaces to security zones.
    2. Configure an Untrust-Trust interzone security policy to allow the post-NAT packets to pass through HUAWEI firewall_B.
    3. Configure Source NAT.
    4. Configure routes to the HQ and branch.
  3. Configure the Fortinet firewall:
    1. Set IP addresses for interfaces.
    2. Configure IKE SA, IPSec SA, and IPSec NAT traversal.
    3. Assign the tunnel interface to the Untrust zone.
    4. Configure a security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the Fortinet firewall.
    5. Configure a route to divert traffic to the tunnel interface.
    6. Configure the default route to the Internet.

  • In this example, the HUAWEI firewall_B has the Source NAT function configured so that the branch can initiate negotiation for establishing an IPSec tunnel with the HQ, but not the other way around. If the HUAWEI firewall_B has the NAT Server function configured, both the HQ and branch can initiate negotiation for establishing an IPSec tunnel.
  • In this example, the post-NAT address is known. If this address is unknown, you must configure an IPSec policy in template mode on the HUAWEI firewall_A.

  1. Configure HUAWEI firewall_A.

    1. Configure interfaces and assign them to security zones.
    2. Configure security policies.
    3. Configure a default route to the Internet. In the example, the next-hop IP address is 1.1.1.2.

      [HUAWEI_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

    4. Create an ACL to define the data flow to be protected.

      Packets from 192.168.10.0/24 to 192.168.0.0/24 shall be transmitted over an IPSec tunnel.

      [HUAWEI_A] acl 3000
      [HUAWEI_A-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
      [HUAWEI_A-acl-adv-3000] quit

      • Before the HUAWEI firewall initiates a negotiation request, it finds the outbound interface based on the route, checks whether the traffic is allowed through based on security policy 2, checks whether the traffic must go through the IPSec tunnel based on the ACL, and checks whether it may initiate the negotiation based on security policy 3. Only when all of these checks succeed does the HUAWEI firewall actually initiate the negotiation.
      • When the HUAWEI firewall receives a negotiation request, it checks whether the peer traffic is protected based on the ACL and decides whether to accept the negotiation based on security policy 4. If both checks succeed, the HUAWEI firewall starts the negotiation with the peer; otherwise, it discards the negotiation packet.

    5. Configure an IKE SA.
    6. Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.

      [HUAWEI_A] ipsec proposal tran1
      [HUAWEI_A-ipsec-proposal-tran1] transform esp
      [HUAWEI_A-ipsec-proposal-tran1] encapsulation-mode tunnel
      [HUAWEI_A-ipsec-proposal-tran1] esp encryption-algorithm 3des
      [HUAWEI_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
      [HUAWEI_A-ipsec-proposal-tran1] quit

    7. Configure an IPSec policy and associate it with the IKE peer, IPSec proposal, and ACL.

      [HUAWEI_A] ipsec policy map1 1 isakmp
      [HUAWEI_A-ipsec-policy-isakmp-map1-1] ike-peer fortigate
      [HUAWEI_A-ipsec-policy-isakmp-map1-1] proposal tran1
      [HUAWEI_A-ipsec-policy-isakmp-map1-1] security acl 3000
      [HUAWEI_A-ipsec-policy-isakmp-map1-1] quit

    8. Apply the IPSec policy to the interface.

      [HUAWEI_A] interface GigabitEthernet 1/0/3
      [HUAWEI_A-GigabitEthernet1/0/3] ipsec policy map1
      [HUAWEI_A-GigabitEthernet1/0/3] quit

  2. Configure the Fortinet firewall.

    1. Configure an interface.
    2. Configure an IKE SA, specify its name, bound interface, negotiation mode, encryption algorithm, authentication algorithm, pre-shared key, peer address, and DH group, and enable the NAT traversal function.

      Fortigate # config vpn ipsec phase1-interface
      Fortigate (phase1-interface) # edit firewall
      new entry 'firewall' added
      Fortigate (firewall) # set interface port03
      Fortigate (firewall) # set mode main
      Fortigate (firewall) # set proposal 3des-sha1
      Fortigate (firewall) # set psksecret Key@123
      Fortigate (firewall) # set remote-gw 1.1.1.1
      Fortigate (firewall) # set dhgrp 2
      Fortigate (firewall) # set nattraversal enable
      Fortigate (firewall) # end

      • The Fortinet firewall does not provide the command for setting the IKE version and uses IKEv1 by default.
      • Run the set interface command to bind the IKE SA to the specified port, which is equal to applying the IPSec policy to the interface on the HUAWEI firewall.
      • Run the set proposal 3des-sha1 command to set the encryption algorithm (3des) and authentication algorithm (sha1) of the IKE SA.

    3. Configure an IPSec SA and specify its name, bound IKE SA, encryption algorithm, authentication algorithm, and DH group.

      Fortigate # config vpn ipsec phase2-interface
      Fortigate (phase2-interface) # edit firewall
      new entry 'firewall' added
      Fortigate (firewall) # set phase1name firewall
      Fortigate (firewall) # set dhgrp 2
      Fortigate (firewall) # set proposal 3des-sha1
      Fortigate (firewall) # set dst-subnet 192.168.10.0 255.255.255.0
      Fortigate (firewall) # set src-subnet 192.168.0.0 255.255.255.0
      Fortigate (firewall) # end

      • The Fortinet firewall does not provide the command for setting the encapsulation mode or security protocol and uses the tunnel mode and ESP by default.
      • Run the set phase1name command to specify the IKE SA referenced by the IPSec SA.
      • Run the set proposal 3des-sha1 command to set the encryption algorithm (3des) and authentication algorithm (sha1) of the IPSec SA.
      • Run the dst-subnet and src-subnet commands to define the data flow to be protected, which is equal to configuring an ACL on the HUAWEI firewall.

    4. Assign the tunnel interface to the Untrust zone.

      Fortigate # config system zone
      Fortigate (zone) # edit untrust
      Fortigate (untrust) # set interface firewall
      Fortigate (untrust) # end

      • After you successfully configure the IKE SA, the device automatically generates a tunnel interface with the same name as the IKE SA for protected traffic to pass through.
      • On the Fortinet firewall, you must assign the tunnel interface to a security zone and then configure a security policy accordingly.

    5. Configure security policies.
    6. Configure static routes.

  3. Configure HUAWEI firewall_B, which serves as the NAT device.

    1. Configure interfaces and assign them to security zones.
    2. Configure Untrust-Trust interzone security policies.

      [HUAWEI_B] security-policy
      [HUAWEI_B-policy-security] rule name 1
      [HUAWEI_B-policy-security-rule-1] source-zone untrust
      [HUAWEI_B-policy-security-rule-1] destination-zone trust
      [HUAWEI_B-policy-security-rule-1] source-address 1.1.1.0 24
      [HUAWEI_B-policy-security-rule-1] destination-address 10.10.10.0 24
      [HUAWEI_B-policy-security-rule-1] action permit
      [HUAWEI_B-policy-security-rule-1] quit
      [HUAWEI_B-policy-security] rule name 2
      [HUAWEI_B-policy-security-rule-2] source-zone trust
      [HUAWEI_B-policy-security-rule-2] destination-zone untrust
      [HUAWEI_B-policy-security-rule-2] source-address 10.10.10.0 24
      [HUAWEI_B-policy-security-rule-2] destination-address 1.1.1.0 24
      [HUAWEI_B-policy-security-rule-2] action permit
      [HUAWEI_B-policy-security-rule-2] quit

    3. Configure source NAT.

      [HUAWEI_B] nat-policy
      [HUAWEI_B-policy-nat] rule name policy_nat1
      [HUAWEI_B-policy-nat-rule-policy_nat1] source-zone trust
      [HUAWEI_B-policy-nat-rule-policy_nat1] destination-zone untrust
      [HUAWEI_B-policy-nat-rule-policy_nat1] source-address 10.10.10.0 24
      [HUAWEI_B-policy-nat-rule-policy_nat1] action nat easy-ip
      [HUAWEI_B-policy-nat-rule-policy_nat1] quit
      [HUAWEI_B-policy-nat] quit

    4. Configure routes to the headquarters and branch.

      [HUAWEI_B] ip route-static 192.168.10.0 255.255.255.0 2.2.2.1
      [HUAWEI_B] ip route-static 192.168.0.0 255.255.255.0 10.10.10.2

  1. Ping PC1 at the headquarters from PC2 at the branch and verify whether the branch can proactively initiate an IPSec tunnel with the headquarters.
  2. On HUAWEI firewall_A at the headquarters, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.

    [HUAWEI_A] display ike sa
    current ike sa number: 2
    --------------------------------------------------------------------------------------------------
    conn-id    peer                                    flag       phase    vpn
    --------------------------------------------------------------------------------------------------
    172        2.2.2.2:2049                            RD|A       v1:2     public
    171        2.2.2.2:2049                            RD|A       v1:1     public

      flag meaning
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT   TD--DELETING
      NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE

  3. On HUAWEI firewall_A at the headquarters, run the display ipsec sa command. If the following information is displayed, the IPSec SA is successfully established.

    [HUAWEI_A] display ipsec sa
    ===============================
    Interface: GigabitEthernet1/0/3
        path MTU: 1500
    ===============================

      -----------------------------
      IPSec policy name: "map1"
      sequence number: 1
      mode: isakmp
      vpn: public
      -----------------------------
        connection id: 172
        rule number: 15
        encapsulation mode: tunnel
        holding time: 0d 0h 14m 35s
        tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
        flow source: 192.168.10.0/255.255.255.0 0/0
        flow destination: 192.168.0.0/255.255.255.0 0/0

        [inbound ESP SAs]
          spi: 3439073287 (0xccfc1807)
          vpn: public  said: 236  cpuid: 0x0000
          proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
          sa remaining key duration (kilobytes/sec): 200000000/925
          max received sequence-number: 5
          udp encapsulation used for nat traversal: Y

        [outbound ESP SAs]
          spi: 3708494123 (0xdd0b212b)
          vpn: public  said: 237  cpuid: 0x0000
          proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
          sa remaining key duration (kilobytes/sec): 200000000/925
          max sent sequence-number: 4
          udp encapsulation used for nat traversal: Y

  4. Log in to the web UI of the branch Fortinet firewall to check the IPSec tunnel establishment.

    • If the tunnel status is displayed as a green upward arrow, the IPSec tunnel is successfully established.
    • You can also run the get ipsec tunnel list command on the branch Fortinet firewall to check the IPSec tunnel establishment. If the status is up, the IPSec tunnel is successfully established.

HUAWEI Firewall_A Configuration Files

#
 sysname HUAWEI_A
#
interface GigabitEthernet 1/0/3
 ip address 1.1.1.1 24
 ipsec policy map1
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 24
#
firewall zone untrust
 add interface GigabitEthernet 1/0/3
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  destination-address 2.2.2.2 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 24
  destination-address 1.1.1.1 24
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer fortigate
 exchange-mode main
 undo version 2
 ike-proposal 1
 pre-shared-key Key@123
 remote-address 2.2.2.2
 remote-address authentication-address 10.10.10.2
 nat traversal
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy map1 1 isakmp
 ike-peer fortigate
 proposal tran1
 security acl 3000
#
return

HUAWEI Firewall_B Configuration Files

#
 sysname HUAWEI_B
#
interface GigabitEthernet 0/0/1
 ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.10.10.3 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet 0/0/1
#
firewall zone trust
 add interface GigabitEthernet 0/0/2
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 1.1.1.0 24
  destination-address 10.10.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.10.10.0 24
  destination-address 1.1.1.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.10.10.0 24
  action nat easy-ip
#
ip route-static 192.168.10.0 255.255.255.0 2.2.2.1
ip route-static 192.168.0.0 255.255.255.0 10.10.10.2
#
return
