NAT Traversal (NAT-T) - strongSwan
Before strongSwan 5.0.0, NAT discovery and traversal for IKEv1 had to be enabled explicitly by setting nat_traversal=yes in the config setup section of ipsec.conf. Without it, the IKEv1 pluto daemon of strongSwan 4.x would not accept incoming IKE packets whose UDP source port differed from 500, which is exactly what happens once a NAT in front of the peer rewrites the port.
IPsec Data Plane Configuration Guide, Cisco IOS Release (Jan 25, 2018)

Difference Between IKEv1 and IKEv2 | Difference Between
Another difference between IKEv1 and IKEv2 is that NAT traversal is built into the latter, whereas IKEv1 only gained it through the RFC 3947 extension. NAT traversal is necessary when a router along the path performs Network Address Translation: the router rewrites the source address (and usually the UDP port) of the packets it forwards and the destination of the replies, so each IPsec peer sees addresses that differ from the ones its counterpart actually uses.

RFC 3947 - Negotiation of NAT-Traversal in the IKE
The first part describes what is needed in IKE Phase 1 for NAT-Traversal support: detecting whether the other end supports NAT-Traversal (a Vendor ID payload) and detecting whether there are one or more NATs between the peers (NAT-D payloads carrying hashes of the addresses and ports each side believes it is using). The second part describes how to negotiate the use of UDP-encapsulated IPsec packets in IKE's Quick Mode.
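The NAT-D mechanism RFC 3947 describes is simple enough to show end to end. The following is an added example, not code from the page or from any of the implementations it quotes: it computes NAT-D payloads as HASH(CKY-I | CKY-R | IP | Port) and runs the receiver-side comparison for both peers. SHA-1 is assumed as the Phase 1 negotiated hash, and the cookies, addresses and ports are constructed for the scenario (initiator behind a NAT, responder public).

```python
import hashlib
import ipaddress
import struct

IKE_PORT = 500        # initial IKE exchange
IKE_NATT_PORT = 4500  # port the peers float to once a NAT is detected


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 3.2: NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).

    IP and port are in network byte order. HASH is the Phase 1 negotiated hash
    (SHA-1 assumed here); the cookies are the 8-byte ISAKMP cookies from the IKE header.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Sender side: the first NAT-D hashes the destination (the peer as the sender
    sees it); the following one(s) hash the sender's own source address(es)."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, received, my_ip, my_port, seen_peer_ip, seen_peer_port):
    """Receiver side: compare the peer's hashes against what is actually observed."""
    if len(received) < 2:
        raise ValueError("need at least two NAT-D payloads (destination + one source)")
    # The peer hashed the address it sent to. If that is not our address, a NAT
    # rewrote the destination on the way in, i.e. we are behind the NAT.
    local_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # The peer hashed its own source address(es). If none matches the source we
    # see on the wire, a NAT rewrote the peer's source, i.e. the peer is behind NAT.
    peer_behind_nat = nat_d_hash(cky_i, cky_r, seen_peer_ip, seen_peer_port) not in received[1:]
    return {
        "local_behind_nat": local_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        "next_port": IKE_NATT_PORT if (local_behind_nat or peer_behind_nat) else IKE_PORT,
    }


# Constructed scenario (assumption, not from the page): initiator 10.0.0.5 sits behind
# a NAT that maps it to 203.0.113.7:31337; responder 198.51.100.1 has a public address.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
INIT_PRIV, INIT_NATTED, RESP = ("10.0.0.5", 500), ("203.0.113.7", 31337), ("198.51.100.1", 500)


def responder_view():
    # The initiator hashes what it knows: its private address. The NAT changes the
    # UDP header on the way out but cannot touch the hashes carried inside IKE.
    payloads = build_nat_d_payloads(CKY_I, CKY_R, *INIT_PRIV, *RESP)
    return detect_nat(CKY_I, CKY_R, payloads, *RESP, *INIT_NATTED)


def initiator_view():
    # The responder answers with hashes of the NATted source it saw and of its own address.
    payloads = build_nat_d_payloads(CKY_I, CKY_R, *RESP, *INIT_NATTED)
    return detect_nat(CKY_I, CKY_R, payloads, *INIT_PRIV, *RESP)


if __name__ == "__main__":
    print("responder sees:", responder_view())  # peer_behind_nat=True
    print("initiator sees:", initiator_view())  # local_behind_nat=True
```

Both sides reach the same conclusion from opposite evidence: the responder notices the initiator's claimed source does not match the NATted source on the wire, while the initiator notices the responder addressed a host that is not itself. Either finding is enough to float the exchange to UDP/4500 and UDP-encapsulate the ESP traffic negotiated in Quick Mode.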
The Firewall Options settings define which features are enabled to prevent problems when a firewall or NAT router sits between the client and a gateway. NAT Traversal Mode: set this value to Enable or Force if you want the VPN client IPsec daemon to use the IKE and ESP NAT Traversal protocol extensions.
To circumvent this problem, NAT-T (NAT Traversal) was developed. NAT-T is an IKE Phase 1 extension, negotiated between the peers, that is used when establishing a VPN between two gateway devices where a NAT device sits in front of one of them, in this case a Juniper firewall. By enabling this option, IPsec traffic can pass through the NAT device.
Port 4500 (tcp/udp) :: SpeedGuide
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal (IKE and UDP-encapsulated ESP)
See also: port 1701 (L2TP), port 1723 (PPTP). Mac OS X Server VPN service, Back to My Mac (MobileMe, Mac OS X v10.5 or later) and Vodafone Sure Signal also use this port. Abacast peer-to-peer audio and …

Solved: IPSEC with NAT-T - J-Net Community
set security ike gateway vpn-natt-static-B-to-A no-nat-traversal
set security ike gateway vpn-natt-static-B-to-A external-interface fe-0/0/2.12
set security ipsec traceoptions flag all
set security ipsec policy vpn-natt-static-ipsecpol proposal-set standard

IP Security Protocol (ipsec)
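Port 4500 carries two protocols at once, IKE and UDP-encapsulated ESP, plus NAT-keepalives, so a receiver needs a rule for telling them apart. The example below is added here and is not code from the page or from any product it mentions: it implements the RFC 3948 demultiplexing rule (a four-zero-byte non-ESP marker in front of IKE, a bare ESP packet whose non-zero SPI occupies the same four bytes, a single 0xFF byte for keepalives) and parses the ISAKMP header behind the marker. The datagrams are constructed inline, with made-up cookies and SPI values.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: four zero bytes prefix IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one 0xFF byte, carries no IKE or ESP
# ISAKMP header: I-cookie, R-cookie, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE sent on UDP/4500 is prefixed with the non-ESP marker so it can share the port."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """UDP-encapsulated ESP is the raw ESP packet; its SPI doubles as the discriminator.
    SPI 0 is reserved precisely so an ESP packet can never look like the marker."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("ESP packet needs a non-zero SPI and a sequence number")
    return esp_packet


def demux_udp4500(payload: bytes) -> dict:
    """Receiver: classify one UDP/4500 datagram the way RFC 3948 specifies."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "shorter than a marker or SPI"}
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < ISAKMP_HDR.size:
            return {"kind": "malformed", "reason": "truncated ISAKMP header"}
        cky_i, cky_r, next_pl, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(body)
        if length != len(body):
            return {"kind": "malformed", "reason": "ISAKMP length does not match datagram"}
        return {"kind": "ike", "cky_i": cky_i.hex(), "cky_r": cky_r.hex(),
                "major": ver >> 4, "minor": ver & 0x0F, "next_payload": next_pl,
                "exchange_type": exch, "flags": flags, "message_id": msg_id, "length": length}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "ESP needs SPI and sequence number"}
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq, "payload_len": len(payload) - 8}


# Constructed sample datagrams (assumption, not captures from the page).
SAMPLE_IKE = encapsulate_ike(ISAKMP_HDR.pack(
    bytes.fromhex("0011223344556677"),  # initiator cookie
    bytes.fromhex("8899aabbccddeeff"),  # responder cookie
    1,                 # next payload: Security Association
    0x10,              # ISAKMP version 1.0
    2,                 # exchange type 2: Identity Protection (IKEv1 Main Mode)
    0, 0,              # flags, message ID
    ISAKMP_HDR.size))  # header-only message, so length == 28
SAMPLE_ESP = encapsulate_esp(struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16)

if __name__ == "__main__":
    for dgram in (NAT_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, b"\x00\x00\x00\x00\x01"):
        print(demux_udp4500(dgram))
```

The length check against the ISAKMP header matters in practice: a NAT that passes UDP/4500 does not validate what is inside, so the receiver is the first place a truncated or padded IKE message gets rejected.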