An explanation of NAT Traversal and passing IPSec through firewalls

Article #: 1578
Product: All
Castle: All




Passing IPSec traffic through any NAT device such as a router (or a separate firewall in front of the VPN gateway / client) can be difficult.

NAT rewrites IP addresses and keeps track of the connections passing through the NAT device by mapping each outgoing connection to a specific port. The IPSec protocols used for data transfer (ESP and AH) carry no port numbers, and this causes problems when traversing NAT firewalls.


Smoothwall firewall supports IPSec NAT Traversal (NAT-T) mode. NAT-T encapsulates the IPSec VPN traffic in UDP instead of sending it as IP protocol 50 (ESP) or protocol 51 (AH); UDP carries port numbers, so it is not affected by the NAT process. This does of course require that the other end of the VPN tunnel also supports NAT-T. The Smoothwall VPN does, and we have also tested NAT-T with the Shrew Soft VPN Client, NCP VPN Client, TheGreenBow VPN Client, IPSecuritas and others.

To operate an IPSec VPN client on a user computer in the local protected network behind a Smoothwall, through to another vendor's VPN gateway, the IPSec client must operate in NAT-T mode rather than use protocol 50 (ESP) or 51 (AH), for the reason stated above.
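The following is an added illustration, not part of this article or of Smoothwall's code: a minimal port-based NAT model showing why raw ESP (no ports) cannot be mapped while UDP-encapsulated ESP on port 4500 (NAT-T, RFC 3948) is, plus the check a firewall uses to tell IKE from ESP on that port. All addresses, SPIs and the NAT table layout are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_UDP, PROTO_ESP = 17, 50
NAT_T_PORT = 4500                     # RFC 3948 UDP-encapsulated ESP / IKE port
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefix that marks IKE on 4500

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP/AH: these protocols have no ports
    dport: Optional[int] = None
    payload: bytes = b""

class PortNat:
    """Port-based NAT (NAPT): maps (inside src IP, src port) -> public port."""
    def __init__(self, public_ip: str):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # no port to key a mapping on, so ESP/AH cannot be tracked
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key], self.next_port = self.next_port, self.next_port + 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.table[key], pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        for (ip, port), public_port in self.table.items():
            if public_port == pkt.dport:   # reply matched back to the inside host
                return Packet(pkt.proto, pkt.src, ip, pkt.sport, port, pkt.payload)
        return None

def classify_nat_t(payload: bytes):
    """On UDP 4500: 4 zero bytes = IKE (non-ESP marker), otherwise ESP with its SPI."""
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", None)
    return ("esp", struct.unpack("!I", payload[:4])[0])

def esp_payload(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq) + b"<encrypted>"  # constructed ESP header + body

def demo():
    nat = PortNat("203.0.113.1")  # constructed public address
    raw_esp = Packet(PROTO_ESP, "192.168.1.10", "198.51.100.5", payload=esp_payload(0x1000, 1))
    nat_t = Packet(PROTO_UDP, "192.168.1.10", "198.51.100.5", NAT_T_PORT, NAT_T_PORT, esp_payload(0x1000, 1))
    out = nat.outbound(nat_t)
    reply = Packet(PROTO_UDP, "198.51.100.5", out.src, NAT_T_PORT, out.sport, esp_payload(0x2000, 1))
    back = nat.inbound(reply)
    return nat.outbound(raw_esp) is None, out.sport, back.dst, classify_nat_t(back.payload)
```

`demo()` returns `(True, 40000, "192.168.1.10", ("esp", 0x2000))`: the raw ESP packet is dropped, while the NAT-T packet gets a mapping and the reply is delivered to the inside host.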


Last updated: 07 September 2016
Author: Tanja
Contributions by: