NAT Traversal (NAT-T) Security Issues (2024)


By Deb Shinder

Computerworld

Network Address Translation (NAT) is a technology that has, in a small way, revolutionized Internet communications. NAT allows multiple computers on a LAN to share a single public IP address for accessing the Internet. Without it, the IPv4 protocol's limited number of available addresses would be pushed to its limits.

NAT also provides some measure of "cloaking" of internal computers: Internet hosts see only the public address of the NAT device, and an unsolicited inbound packet matches no translation entry and is dropped. This is a side effect of the address translation, not a substitute for a firewall, since anything an internal host initiates is let back in.

NAT, however, has traditionally suffered from a big shortcoming. It's incompatible with Internet Protocol Security (IPSec), which is an increasingly popular way to protect the confidentiality and integrity of data while it's in transit over an IP network. The solution is NAT Traversal, or NAT-T. However, there are security problems related to NAT-T – or are there? Microsoft is recommending that IPSec/NAT-T not be used to connect a Windows XP client to Windows VPN servers that are behind NAT devices, and XP Service Pack 2 changes the default behavior to prevent IPSec/NAT-T security associations to servers behind a NAT. However, some security experts are saying this is overly cautious and the threat is more theoretical than real.

The problem with NAT and IPSec

Why doesn't NAT work with IPSec? Remember that the point of IPSec is not just to protect the confidentiality of the data, but also to assure the authenticity of the sender and the integrity of the data (that it hasn't been changed in transit). The problem with NAT is obvious: NAT must change information in the packet headers in order to do its job.

The first problem is that NAT replaces the internal computer's source address with the NAT device's public address. The Internet Key Exchange (IKE) protocol used by IPSec carries the sending computer's IP address inside its own payload, as the sender's identity, and that embedded address no longer matches the source address of the IKE packet that actually arrives (which is the NAT device's). When the two addresses don't match, the receiving computer drops the packet.

Another problem is the TCP checksum (and the UDP checksum, which is optional in IPv4). The checksum is carried in the TCP header, but it is computed over a pseudo-header that includes the source and destination IP addresses as well as the port numbers in the transport header.

With ordinary, unprotected traffic this isn't a problem, because the NAT device rewrites the address and port and then updates the checksum to match. With IPSec, however, the Encapsulating Security Payload (ESP) protocol encrypts the transport header (in transport mode) or the entire original packet including its IP header (in tunnel mode). Since the checksum now sits inside the encrypted payload, NAT can neither see nor update it. In transport mode the receiver decrypts a checksum that was computed over the original private address, verifies it against the translated address in the outer header, finds it invalid and rejects the packet. Tunnel mode escapes this particular problem, because the inner IP header and its addresses are carried intact inside ESP, but it still runs into the next one.

In addition, NAT isn't able to use the port numbers in TCP and UDP headers to multiplex packets to multiple internal computers when those headers have been encrypted by ESP.
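The checksum problem above, worked through in code. This is an added example, not code from the article or from any IPsec implementation: the addresses (RFC 5737 documentation ranges and a private 192.168.0.0/16 address) and the TCP segment are constructed sample data, and the last function's "original address" case stands in for what NAT-T's NAT-OA payload later supplies to the receiver.

```python
"""Why a NAT cannot fix up a TCP checksum that travels inside ESP.

Added example, not code from the article: the addresses (RFC 5737 ranges
and a private 192.168.0.0/16 address) and the TCP segment are constructed
sample data, not captured traffic.
"""
import socket
import struct

TCP_PROTO = 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """RFC 793 pseudo-header: source IP, destination IP, zero, protocol, TCP length.
    It is never transmitted, but both endpoints feed it into the checksum."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Minimal 20-byte TCP header (a SYN) plus payload, with a checksum valid for these addresses."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    segment = header + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment) -> bool:
    """Receiver check: the sum over pseudo-header plus segment, checksum field included, must be zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def nat_rewrite_cleartext(segment, new_src_ip, dst_ip, new_sport) -> bytes:
    """What a NAT does to an unprotected segment: rewrite the source port, then recompute
    the checksum for the translated source address (real NATs adjust it incrementally,
    RFC 3022; the result is identical)."""
    dport = struct.unpack("!H", segment[2:4])[0]
    seg = struct.pack("!HH", new_sport, dport) + segment[4:16] + b"\x00\x00" + segment[18:]
    csum = internet_checksum(pseudo_header(new_src_ip, dst_ip, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def esp_transport_through_nat(segment, private_src, nat_public, dst_ip) -> dict:
    """Transport-mode ESP: the segment crosses the NAT encrypted and untouched, while the
    outer IP source address becomes the NAT's public address. Returns what each party sees."""
    return {
        # the sender computed the checksum over its private address: valid there
        "sender_view": tcp_checksum_ok(private_src, dst_ip, segment),
        # the receiver decrypts the original segment but sees the translated outer address
        "receiver_view_after_decrypt": tcp_checksum_ok(nat_public, dst_ip, segment),
        # once the receiver knows the original address (what NAT-OA carries), it verifies again
        "receiver_view_with_original_address": tcp_checksum_ok(private_src, dst_ip, segment),
    }


if __name__ == "__main__":
    seg = build_tcp_segment("192.168.1.10", "203.0.113.5", 40000, 443, b"GET / HTTP/1.0\r\n")
    print("cleartext through NAT:",
          tcp_checksum_ok("198.51.100.1", "203.0.113.5",
                          nat_rewrite_cleartext(seg, "198.51.100.1", "203.0.113.5", 60000)))
    print("ESP transport through NAT:",
          esp_transport_through_nat(seg, "192.168.1.10", "198.51.100.1", "203.0.113.5"))
```

The point the two last functions make side by side: the NAT's normal fix-up depends on being able to read and rewrite the transport header, and ESP takes exactly that away. The receiver can only recover by learning the pre-translation address through some other channel, which is what the next section's NAT-OA payload is for.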

NAT-T: How it works

The IPSec working group of the IETF standardized NAT-T in RFC 3947 (negotiating NAT-T within IKE, including how the peers detect that a NAT sits between them) and RFC 3948 (UDP encapsulation of ESP packets). NAT-T is designed to solve the problems described above.

NAT-T wraps the ESP packet in a UDP header (it sits between the outer IP header and the ESP header), using UDP port 4500, the same port IKE moves to once a NAT has been detected. This gives the NAT device a UDP header with ports it can rewrite and use to multiplex IPSec data streams, exactly as it does for any other UDP traffic. NAT-T also sends the sending computer's original IP address in a NAT-OA (Original Address) payload during IKE. The receiving computer can then recompute the transport-mode TCP or UDP checksum with the original source and destination addresses and ports and validate it. Because the peers have already detected the NAT during IKE (by exchanging NAT-D payloads, hashes of each side's address and port), they also know not to insist that the address embedded in IKE match the source address on the packet.


This is a very simplified account of how NAT-T makes it possible for IPSec and NAT to work together. For more detailed information, see RFC 3947 and RFC 3948.
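The UDP wrapper described above, as an added example that is not code from the article or from any IPsec implementation: it builds and demultiplexes the RFC 3948 datagram formats seen on UDP port 4500 (ESP, IKE behind the four-byte non-ESP marker, and the one-byte NAT keepalive), and tracks the peer's translated address the way RFC 3948 section 3.1.1 allows. The SPI, sequence number, cookies and payload bytes are constructed sample values.

```python
"""RFC 3948 UDP encapsulation of ESP and IKE on UDP port 4500, as NAT-T uses it.

Added example, not code from the article or from any IPsec implementation:
SPI, sequence number, cookies and payload bytes are constructed sample values.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes in front of an IKE message on port 4500
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that keeps the NAT mapping alive


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP payload for an ESP packet: SPI | sequence number | ciphertext, trailer and ICV.
    esp_body stands in for the encrypted part. SPI 0 is forbidden because the receiver
    tells ESP from IKE by the first four bytes, and four zero bytes are the non-ESP marker."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would be read as the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP payload for an IKE message on port 4500: non-ESP marker, then the ISAKMP message."""
    return NON_ESP_MARKER + ike_message


def build_ike_header(cky_i: bytes, cky_r: bytes, exchange_type: int, msg_id: int, body: bytes) -> bytes:
    """28-byte ISAKMP header (RFC 2408): initiator cookie, responder cookie, next payload,
    version, exchange type, flags, message ID, total length, followed by the payloads."""
    next_payload, version, flags = 1, 0x10, 0x00   # next payload 1 = SA, version 1.0
    return (cky_i + cky_r
            + struct.pack("!BBBBII", next_payload, version, exchange_type, flags, msg_id, 28 + len(body))
            + body)


def demux(udp_payload: bytes) -> dict:
    """Classify a datagram received on UDP/4500 the way an IPsec stack does (RFC 3948, 2.1 to 2.3)."""
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(udp_payload) < 4:
        raise ValueError("datagram too short for UDP-encapsulated ESP or IKE")
    if udp_payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "message": udp_payload[4:]}
    if len(udp_payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "body": udp_payload[8:]}


def update_peer_endpoint(table: dict, spi: int, observed_src: tuple, integrity_ok: bool) -> bool:
    """Learn or move the peer's translated address/port for an inbound SA (RFC 3948, 3.1.1).
    The NAT may change its mapping mid-session, so the receiver tracks the source it last saw,
    but only for packets that passed the ESP integrity check; otherwise a forged datagram could
    redirect the SA's return traffic to an address and port of the forger's choosing."""
    if not integrity_ok:
        return False
    if table.get(spi) != observed_src:
        table[spi] = observed_src
        return True
    return False  # mapping unchanged


if __name__ == "__main__":
    hdr = build_ike_header(b"\x01" * 8, b"\x00" * 8, 2, 0, b"")   # exchange type 2 = Main Mode
    for datagram in (encapsulate_esp(0x12345678, 7, b"ciphertext+icv"), encapsulate_ike(hdr), NAT_KEEPALIVE):
        print(demux(datagram)["kind"])
```

Two details carry the security weight here: the SPI-zero check in encapsulate_esp is what keeps the ESP and IKE streams on the shared port unambiguous, and update_peer_endpoint refuses to move an SA's return path on the strength of an unauthenticated datagram, since on a NAT-T port the source address and port are the only thing distinguishing one peer behind a NAT from another.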

IPSec/NAT-T Security Issues

IPSec is a security protocol. When you circumvent its normal behavior, for example by making the header information that it normally encrypts available, it makes sense that the level of security that it provides may be compromised.

Microsoft recently revealed that the way IPSec and NAT-T work can cause a security threat wherein IPSec traffic intended for one computer may be routed to the wrong computer, if certain criteria exist. For more details, see KB article 885348 .

To prevent this problem, Microsoft recommends in the above referenced KB article that you not use IPSec/NAT-T when you have Windows Server 2003 VPN servers behind a NAT device. And to go further to prevent it, Windows XP SP2's default behavior will not allow an XP computer to establish an IPSec/NAT-T security association with a server that's behind a NAT.

Is this overkill? The KB article itself states that the situation described is an uncommon one, and several security experts have reported being unable to reproduce the problem. They also point out that by removing XP's ability to connect to servers behind a NAT, you force XP clients to use PPTP instead of L2TP/IPSec for VPN connections to such servers, thus sacrificing the security advantages of L2TP/IPSec (PPTP's MS-CHAP authentication and MPPE encryption are considerably weaker than IPSec's).

Changing XP SP2 to allow IPSec/NAT-T

It's up to you to evaluate your own network infrastructure and security needs and decide whether the security threat posed by IPSec/NAT-T connections outweighs the security threat of using PPTP instead of L2TP.

If you decide you need L2TP, you have two choices. Microsoft's recommendation is that you give your VPN servers public IP addresses so clients can connect to them directly rather than through NAT. Of course, exposing the server directly on a public address has its own security implications. Alternatively, you can edit the registry in Windows XP to restore the ability to connect to servers behind a NAT with IPSec/NAT-T. Here's how:

  1. In Registry Editor, navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec.
  2. Create a DWORD value named AssumeUDPEncapsulationContextOnSendRule.
  3. Set the value data to 2 to allow clients (whether they have public IP addresses themselves or are going through a NAT) to connect to a server that's behind a NAT.
  4. Restart the computer so the IPSec service picks up the new value.

You can allow only clients with public IP addresses to connect to servers behind a NAT by setting the value to 1. You can restore the SP2 default behavior (prevent all clients from connecting to servers behind a NAT) by setting the value to 0. Whichever value you choose, bear in mind that it is a per-machine client setting requiring administrative rights, and that setting it to 1 or 2 reopens the scenario KB 885348 warns about; document the decision rather than applying it silently.


There is some controversy over whether the security risk of using Windows XP clients to connect to servers behind a NAT via IPSec/NAT-T is significant, and whether the default behavior introduced by XP SP2, which prevents this, creates more problems than it solves. If, after assessing the information available and your own network's security needs, you want to allow such connections, you can do so with a simple registry edit on the XP client computers.

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to more than 20 additional books. Her articles are regularly published on TechRepublic's TechProGuild Web site and have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, and product documentation for Microsoft Corp., Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. She lives and works in the Dallas-Fort Worth area and can be reached at or at



Copyright © 2005 IDG Communications, Inc.


Frequently asked questions


What is the NAT traversal problem? ›

The NAT traversal problem, in simple terms, is the difficulty of establishing direct communication with a device that sits behind a NAT router or firewall. NAT rewrites the private source addresses of outbound packets to a shared public address, so an outside host has no address it can use to reach a specific inside host until a translation entry for that host exists.

What is nat-t & how do VPN peers detect use of nat-t? ›

Network Address Translation-Traversal (NAT-T) is a method for getting IPsec-protected traffic through a NAT device. NAT rewrites IP addresses and ports, and an IKE peer that sees those changes discards the packets; NAT-T lets the peers detect the NAT and wrap ESP in UDP so that the translation does no harm. Peers detect it during IKE phase 1: each side advertises NAT-T support with a vendor ID payload and then sends NAT-D payloads (hashes of its own and its peer's address and port); if a hash does not match the addresses the receiver actually sees, a NAT is in the path.

How can NAT cause IPSec to fail? ›

It depends on which IPsec protocol and mode is in use. AH authenticates the IP header itself, so any address rewrite breaks it. With ESP in transport mode, the TCP or UDP checksum inside the encrypted payload was computed over the original addresses and fails verification after translation. With ESP in tunnel mode the NAT can translate the outer header, but it has no port numbers to track the flow by, so it cannot map replies back to the right internal host, and the IKE identity check on the embedded address fails as well.

How to enable Nat-T on checkpoint firewall? ›

In SmartConsole, open the gateway object and, from the left tree, click IPsec VPN > VPN Advanced. Make sure Support NAT traversal (applies to Remote Access and Site to Site connections) is selected; it is enabled by default, and NAT-T is used only when a NAT device is detected. Click OK.

How do I fix my NAT issues? ›

This answer concerns the "NAT type" reported by game consoles, not IPsec: you can change it by heading into Settings, Network Settings, or Advanced Settings on your router and enabling UPnP, then resetting the router and the device so the change takes effect. Be aware that UPnP lets any device on the LAN open inbound port mappings without authentication; on a network you care about, configure explicit port forwards instead.

Where do I enable NAT traversal? ›

In SonicOS, navigate to VPN > Advanced Settings and use the Enable/Disable NAT traversal option. NAT traversal is enabled by default in all SonicOS versions.

What is the Nat-T traversal? ›

Network address translation traversal is a computer networking technique for establishing and maintaining Internet Protocol connections across gateways that implement network address translation (NAT).

How do I know if my network is behind NAT? ›

  1. Look up your public IP address with an external "what is my IP" service (the site named in the original answer is missing).
  2. Open CMD and run tracert against that public IP (traceroute on Mac/Linux).
  3. If there is more than one hop, you are behind a NAT.

A more reliable check is to compare that public address with the address on your own interface (ipconfig, or ip addr on Linux): if the two differ, or if the interface address is in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or the carrier-grade range 100.64.0.0/10, you are behind a NAT.

How do I know if my NAT is working? ›

One of the simplest ways to test your NAT configuration is to use ping and traceroute commands to verify the connectivity and routing between your private and public networks.

How does IPsec handle NAT traversal? ›

During IKE phase 1, peers that support NAT-T announce it with a vendor ID payload and then exchange NAT-D payloads, each a hash of an IP address and port. Each side compares the hashes against the addresses it actually sees on the wire; a mismatch means one of the peers is behind a NAT. When that happens, the IKE negotiation moves from UDP port 500 to UDP port 4500, and the ESP data is sent encapsulated in UDP on port 4500 as well, which is what NAT traversal is.
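The NAT-D exchange described in this answer, worked through from both ends. This is an added example, not part of the FAQ answer and not taken from any IKE implementation: the cookies and addresses are constructed sample values, and SHA-1 is assumed as the negotiated phase-1 hash.

```python
"""RFC 3947 NAT detection in IKE phase 1 with NAT-D payloads.

Added example, not taken from the FAQ answer or from any IKE implementation:
the cookies and addresses are constructed sample values, and the hash is
the phase-1 negotiated hash (SHA-1 assumed here).
"""
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hashname: str = "sha1") -> bytes:
    """NAT-D payload data: HASH(CKY-I | CKY-R | IP | Port), address and port in network byte order."""
    return hashlib.new(hashname, cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, peer_addr, local_addrs, hashname="sha1"):
    """Sender side. The first payload hashes the peer's address and port as the sender sees them;
    each further payload hashes one address and port the sender may be sending from."""
    peer = nat_d_hash(cky_i, cky_r, peer_addr[0], peer_addr[1], hashname)
    return [peer] + [nat_d_hash(cky_i, cky_r, ip, port, hashname) for ip, port in local_addrs]


def detect_nat(cky_i, cky_r, received, my_addr, observed_peer_addr, hashname="sha1"):
    """Receiver side. If the peer's hash of my address differs from the hash of the address I
    believe I have, my address was translated on the way out. If none of the peer's own-address
    hashes matches the source address and port the datagram actually arrived from, the peer's
    address was translated. Either finding moves IKE and ESP to UDP port 4500."""
    my_hash = nat_d_hash(cky_i, cky_r, my_addr[0], my_addr[1], hashname)
    seen_hash = nat_d_hash(cky_i, cky_r, observed_peer_addr[0], observed_peer_addr[1], hashname)
    local_behind_nat = received[0] != my_hash
    peer_behind_nat = seen_hash not in received[1:]
    return {"local_behind_nat": local_behind_nat,
            "peer_behind_nat": peer_behind_nat,
            "float_to_4500": local_behind_nat or peer_behind_nat}


def phase1_scenario(init_private, init_as_seen, resp_public, cky_i, cky_r):
    """Both directions of one exchange: an initiator (possibly behind a NAT that rewrites it to
    init_as_seen) and a responder on a public address. Returns (responder's view, initiator's view)."""
    # initiator sends: hash of the responder as it sees it, then hash of its own interface address
    from_initiator = build_nat_d(cky_i, cky_r, resp_public, [init_private])
    responder_view = detect_nat(cky_i, cky_r, from_initiator, resp_public, init_as_seen)
    # responder replies: hash of the initiator as it saw it (post-NAT), then hash of its own address
    from_responder = build_nat_d(cky_i, cky_r, init_as_seen, [resp_public])
    initiator_view = detect_nat(cky_i, cky_r, from_responder, init_private, resp_public)
    return responder_view, initiator_view


if __name__ == "__main__":
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    print(phase1_scenario(("192.168.1.10", 500), ("198.51.100.1", 1024), ("203.0.113.5", 500), cky_i, cky_r))
    print(phase1_scenario(("198.51.100.7", 500), ("198.51.100.7", 500), ("203.0.113.5", 500), cky_i, cky_r))
```

Note what NAT-D does and does not protect: both cookies travel in the clear, so anyone on the path can compute the same hashes, and the private address space is small enough to enumerate against a captured hash. NAT-D is a detection mechanism, not a confidentiality one; the real identity check still happens later in phase 1 under the negotiated keys.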

What port should you open to enable IPsec over NAT? ›

Open UDP port 500 for IKE and UDP port 4500 for NAT-T. The F5 BIG-IP documentation, for example, puts it this way: the management IP address is configured on the BIG-IP system, and if you are using NAT traversal, you forward UDP ports 500 and 4500 to the BIG-IP system behind each firewall.

How do I know if my IPsec tunnel is working? ›

The easiest test for an IPsec tunnel is a ping from one client station behind the firewall to another on the opposite side. If that works, the tunnel is up and passing traffic. To confirm the traffic is actually being protected, check the security association counters on the gateway or capture on the outside interface: between the gateways you should see only ESP or UDP/4500 datagrams, never the cleartext ICMP.

What is the protocol number for NAT-T? ›

NAT-T has no IP protocol number of its own; it runs over UDP (IP protocol 17). For IPsec with NAT traversal, these must be allowed through the NAT interface(s): IKE on UDP port 500, IPsec NAT-T on UDP port 4500, and, for peers that are not behind a NAT and so send ESP natively, Encapsulating Security Payload (ESP) as IP protocol number 50.

Does NAT require firewall? ›

NAT does not require a firewall; it is a router function. In practice it is usually implemented on the firewall, which acts as the intermediary for traffic entering and leaving the protected network: inbound traffic is addressed to a public-facing IP address, which the firewall translates to an internal address before forwarding the traffic to its destination. NAT by itself is not a security control, even though it drops unsolicited inbound packets that match no translation entry.

What is the command to verify NAT? ›

On Cisco IOS, "show ip nat translations" lists the active translation table and "show ip nat statistics" shows hit counts and which interfaces are marked inside and outside. Before that works, the interfaces must have been designated with "ip nat inside" and "ip nat outside"; in the lab this answer was taken from, the inside interface is fa0/0 (connected to the HTTP server) and the outside interface is s0/0/0 on R1.

What is NAT traversal for dummies? ›

How NAT traversal works starts from the three rules a NAT or stateful firewall applies:
  • it allows network packets to flow from your private network to anywhere on the internet;
  • it blocks network packets initiated from the internet and sent to your private network;
  • network packets from a public IP address are allowed to flow back in if packets first flowed out to the same address and port.
Traversal techniques exploit the third rule: each side sends outbound first so that a mapping exists by the time the other side's packets arrive.

What does NAT traversal process has failed mean? ›

NAT traversal errors can occur due to network configuration issues, firewall restrictions, or ISP limitations on network protocols.

What are NAT problems? ›

Errors can occur when one of the elements the documentation lists (an element that itself carries NAT settings) is used in a rule and the same connection also matches an overlapping NAT rule. Only one address translation operation can be applied to each packet, so overlapping configurations cause conflicts.
