  • 1.  ESP & NAT-T

    Posted 05-05-2017 07:02

    I understand that the ESP packet must be encapsulated inside a UDP packet because ESP doesn't have a port number and will be dropped by a NAT device performing PAT...

    But I have a misunderstanding 😞 😞

    What if I'm not using PAT? Does it mean that only one host will be able to use the IPSEC, and how come the peer side will be able to reply to a host that doesn't use a port number in the ESP packet????

  • 2.  RE: ESP & NAT-T
    Posted 05-05-2017 21:35

    Hi Ahmed,

    Thank you for posting your query here.

    I was not able to understand the second part of your query, hence could you please elaborate on it a little more.

    Coming to the first part of your query: if you are not using PAT then NAT will work like a one-to-one mapping, and there can be two scenarios based on the IPSEC mode you are using:

    Tunnel Mode - In this mode the complete packet, including IP, TCP and data payload, gets encrypted and a new IP header is used to encapsulate the entire packet; these new IP addresses are the peer IP addresses of the VPN. In this case, if PAT is not used then you will have a problem running traffic from different hosts through the IPSEC, as all of it will be from the same IP address and port (UDP 4500, encapsulated due to NAT-T) and hence NAT will not be able to differentiate between two hosts.

    Transport Mode - In this mode only the TCP and data payload get encrypted, so the original IP header is still intact for the NAT. This means that traffic coming from two different hosts will have two different IP addresses (since the IP address is not encrypted) and will have UDP 4500 ports due to NAT-T, and hence for this scenario to work you will need multiple IP addresses to NAT the different IP addresses of the hosts, because PAT is not enabled.

    AFAIK SRX supports tunnel mode of VPN only. Tunnel mode's best example is site-to-site VPN.

    Hope this helps. 🙂


    Pulkit Bhandari
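    To make the "no port number" point concrete, here is an added example (not from the poster above or from Juniper) that builds a few constructed packets and shows what a NAT/PAT device can key a translation on: raw ESP (IP protocol 50) exposes only the IP addresses and SPI, while NAT-T wraps ESP in UDP on port 4500 (RFC 3948) so an ordinary 5-tuple exists. The 10.0.0.x and 203.0.113.1 addresses and the SPI values are constructed sample data.

```python
import struct

ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500   # RFC 3948: ESP-in-UDP on port 4500

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d) + payload

def esp(spi, seq, body):
    """ESP header: SPI and sequence number, followed by the (constructed) ciphertext."""
    return struct.pack("!II", spi, seq) + body

def udp(sport, dport, payload):
    """UDP header (checksum left zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def nat_view(pkt):
    """Return what a NAT/PAT device can see and key a translation on for this packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        spi = struct.unpack("!I", body[:4])[0]
        # No transport ports: PAT has nothing to rewrite, so only a 1:1 IP mapping works.
        return {"kind": "esp", "src": src, "dst": dst, "spi": spi, "pat_key": None}
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        key = (src, sport, dst, dport)          # the 5-tuple PAT can multiplex hosts on
        if NAT_T_PORT not in (sport, dport):
            return {"kind": "udp", "pat_key": key}
        if len(data) == 1 and data[0] == 0xFF:  # NAT keepalive (RFC 3948 section 2.3)
            return {"kind": "nat-keepalive", "pat_key": key}
        if data[:4] == b"\x00\x00\x00\x00":     # non-ESP marker: IKE carried on port 4500
            return {"kind": "ike", "pat_key": key}
        spi = struct.unpack("!I", data[:4])[0]  # otherwise the first word is the ESP SPI
        return {"kind": "udp-esp", "src": src, "dst": dst, "spi": spi, "pat_key": key}
    return {"kind": "other", "pat_key": None}

# Constructed sample packets: hosts behind one NAT talking to the same VPN peer.
RAW_ESP   = ipv4("10.0.0.5", "203.0.113.1", ESP_PROTO, esp(0x1000, 1, b"\xaa" * 16))
NAT_T_ESP = ipv4("10.0.0.6", "203.0.113.1", UDP_PROTO, udp(4500, 4500, esp(0x2000, 1, b"\xbb" * 16)))
IKE_4500  = ipv4("10.0.0.6", "203.0.113.1", UDP_PROTO, udp(4500, 4500, b"\x00" * 4 + b"\xcc" * 28))
KEEPALIVE = ipv4("10.0.0.6", "203.0.113.1", UDP_PROTO, udp(4500, 4500, b"\xff"))
```

    Running `nat_view` over the four samples shows the raw ESP packet yields no port-based key at all, whereas every NAT-T datagram carries a (src, sport, dst, dport) tuple a PAT device can translate per host.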
  • 3.  RE: ESP & NAT-T

    Posted 05-06-2017 06:48

    Thank you, Eng. Pulkit.
    I have learnt new things from your response, like transport mode encrypting the L4 header and the payload only, and transport mode using the real IP address in the outer header.

    If you allow me to take this opportunity to ask more questions:

    1- Would you please tell me about some cases that require transport mode? I really have never seen anyone using it (all I know is that it's used between 2 end systems).

    2- Please correct my understanding of this: it seems like tunnel mode ((must)) have a PAT device, because it uses the gateway address in the outer header and all hosts cannot use the same src and dst addresses in the outer header. Is that correct?