IPSec vs IPSec Over NAT-T

Answered Question
Apr 5th, 2010

I would appreciate an explanation of the difference between these two terms.

I am doing some remote work while I do some traveling. Normally, when I work from home, my VPN connection uses the IPSecOverNatT protocol when I view the current VPN connections through ASDM. I am currently on a university campus and my connection is now just the plain IPSec protocol. What causes this change, and what is the change?

Correct Answer by Jennifer Halim about 6 years 10 months ago

It will only use NAT-T (UDP/4500) if the path has PAT configured. Because plain IPsec (ESP) is a protocol, not TCP or UDP with a port number, it can't pass through a PAT device; therefore, during the IPsec negotiation, if it detects there is PAT in the path, it will use NAT-T. Otherwise, it will just use the plain ESP packet.

Hope that answers your question.

Overall Rating: 5 (2 ratings)
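A small model of the negotiation the accepted answer describes, added here as an example and not taken from the thread or from Cisco: the client hashes its own address into an IKE NAT-D payload (RFC 3947), the VPN server hashes the source address it actually sees, and a mismatch means a PAT device rewrote the packet, so ESP is carried inside UDP/4500 instead of being sent as IP protocol 50. The addresses, cookies and the PAT port-allocation rule are constructed for the walk-through.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed values for the walk-through; nothing here is from the thread.
ESP_PROTO = 50     # plain ESP is its own IP protocol: no port numbers at all
UDP_PROTO = 17
ISAKMP_PORT = 500  # IKE when no NAT is in the path
NAT_T_PORT = 4500  # IKE and UDP-encapsulated ESP once NAT-T is negotiated


def nat_d_hash(cookie_i: bytes, cookie_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload from RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.sha1(cookie_i + cookie_r + ip_bytes + port.to_bytes(2, "big")).digest()


def pat_translate(proto: int, src_ip: str, src_port: Optional[int], public_ip: str,
                  table: Dict[Tuple[int, str, int], int]) -> Optional[Tuple[str, int]]:
    """What a PAT device does to an outbound packet: TCP/UDP flows get a new
    (public ip, port) pair; ESP carries no port to rewrite, so it is dropped."""
    if src_port is None or proto not in (UDP_PROTO, 6):
        return None
    key = (proto, src_ip, src_port)
    table.setdefault(key, 40000 + len(table))   # assumed allocation rule
    return public_ip, table[key]


def choose_encapsulation(client_ip: str, cookie_i: bytes, cookie_r: bytes,
                         path_has_pat: bool, pat_ip: str = "203.0.113.7") -> str:
    """The client hashes its own address into NAT-D; the VPN server hashes the
    source it actually sees. A mismatch means a NAT rewrote the packet."""
    claimed = nat_d_hash(cookie_i, cookie_r, client_ip, ISAKMP_PORT)
    seen_ip, seen_port = client_ip, ISAKMP_PORT
    if path_has_pat:
        seen_ip, seen_port = pat_translate(UDP_PROTO, client_ip, ISAKMP_PORT, pat_ip, {})
    observed = nat_d_hash(cookie_i, cookie_r, seen_ip, seen_port)
    if claimed != observed:
        return "IPsecOverNatT"   # ESP inside UDP/4500, the label ASDM shows
    return "IPsec"               # plain ESP, IP protocol 50


if __name__ == "__main__":
    ci, cr = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    print("home (behind PAT):  ", choose_encapsulation("192.168.1.20", ci, cr, True))
    print("campus (public IP): ", choose_encapsulation("198.51.100.9", ci, cr, False))
    print("ESP through PAT:    ", pat_translate(ESP_PROTO, "192.168.1.20", None, "203.0.113.7", {}))
```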
Kent Heide Mon, 04/05/2010 - 15:22

The difference is that when you have NAT-T enabled, it uses port 4500 for UDP encapsulation instead of the usual ISAKMP port, UDP 500, which conflicts with NAT. This is in some cases controlled by the VPN hub/server.

rcmcdonald91 Mon, 04/05/2010 - 15:54

NAT-T is enabled. There are other clients connected who are using the NAT-T protocol, but mine is IPSec. So is my connection being reverted to plain IPSec because of the university campus connection I'm using?
