NAT-T -Disabled = No Traffic in Tunnel

Tunnel between ASAs/Palos and VyOS.

When NAT-T is disabled via the crypto map (ASA), or NAT-T is not ticked in the Palo IKE gateway config, the IPsec tunnel on VyOS shows up, but no traffic passes.

NAT-T Disabled

```
show vpn ipsec sa
Connection                State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID  Proposal
peer-172.30.X.X-tunnel-0  up     12m4s   0B/0B         0/0             172.30.X.X      N/A        AES_CBC_256/HMAC_SHA2_256_128
```

NAT-T Enabled

```
$ show vpn ipsec sa
Connection                State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID  Proposal
peer-172.30.X.X-tunnel-0  up     17m27s  7K/13K        168/216         172.30.X.X      N/A        AES_CBC_256/HMAC_SHA2_256_128
```

Below, the IKE SA shows NAT-T = no:

```
show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.30.X.X                              172.20.X.X

    State  IKEVer  Encrypt  Hash        D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----        ---------      -----  ------  ------
    up     IKEv2   aes256   sha256_128  14(MODP_2048)  no     3600    86400
```

When this situation occurs, no traffic passes through the tunnel.

The tunnel is up but not passing traffic until NAT-T is enabled on the ASA/Palo side. As soon as NAT-T is enabled and the VPN is restarted, the traffic passes. There are no NAT devices in the network path between these firewalls. Any ideas on why NAT-T impacts the tunnel traffic in this way?

-Nathan
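An added health check (example code, not from the thread or from VyOS) that parses the two `show` outputs above and flags the condition described in this post: an IPsec SA that is up with 0/0 packets, reported together with the IKE SA's NAT-T flag. The sample output is constructed, with placeholder peer addresses.

```python
# Constructed samples in the shape of VyOS "show vpn ipsec sa" / "show vpn ike sa";
# addresses are placeholders standing in for the thread's 172.30.X.X / 172.20.X.X.
IPSEC_NATT_DISABLED = """\
Connection                State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID  Proposal
peer-172.30.1.2-tunnel-0  up     12m4s   0B/0B         0/0             172.30.1.2      N/A        AES_CBC_256/HMAC_SHA2_256_128
"""
IPSEC_NATT_ENABLED = """\
Connection                State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID  Proposal
peer-172.30.1.2-tunnel-0  up     17m27s  7K/13K        168/216         172.30.1.2      N/A        AES_CBC_256/HMAC_SHA2_256_128
"""
IKE_SA = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
172.30.1.2                              172.20.1.1

    State  IKEVer  Encrypt  Hash        D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----        ---------      -----  ------  ------
    up     IKEv2   aes256   sha256_128  14(MODP_2048)  no     3600    86400
"""

def parse_ipsec_sa(text):
    """Map remote address -> state and packet counters from 'show vpn ipsec sa'."""
    sas = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Connection":   # skip blank and header lines
            continue
        state, pkts, peer = f[1], f[4], f[5]     # columns: State, Packets In/Out, Remote address
        pin, pout = (int(x) for x in pkts.split("/"))
        sas[peer] = {"state": state, "pkts_in": pin, "pkts_out": pout}
    return sas

def parse_ike_sa(text):
    """Map peer IP -> IKE state and NAT-T flag from 'show vpn ike sa'."""
    ike, peer = {}, None
    for line in text.splitlines():
        f = line.split()
        if len(f) == 2 and f[0][0].isdigit():        # "peer-ip   local-ip" row
            peer = f[0]
        elif len(f) >= 6 and f[0] in ("up", "down") and peer:
            ike[peer] = {"state": f[0], "natt": f[5]}  # NAT-T is the 6th column
    return ike

def idle_tunnels(ipsec_text, ike_text):
    """Return [(peer, natt)] for SAs that are up but have carried no packets."""
    ike = parse_ike_sa(ike_text)
    return [(p, ike.get(p, {}).get("natt", "unknown"))
            for p, sa in parse_ipsec_sa(ipsec_text).items()
            if sa["state"] == "up" and sa["pkts_in"] == 0 and sa["pkts_out"] == 0]
```

An SA that stays in this list has negotiated successfully, so the next thing to verify is whether the encapsulation in use (ESP, or UDP/4500 with NAT-T) is actually permitted end to end.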

Perhaps your firewall rules on the PaloAlto/Cisco (or even your VyOS router?) are only set to allow NAT-T encapsulated traffic?

"NAT-T encapsulates both IKE and ESP traffic within UDP with port 4500 used as both the source and destination port."

I’m not saying this is the answer, btw, just a guess based on the symptoms you’ve described.

tjh,

Thanks for your reply. The IKE and IPsec tunnels establish, but no traffic passes until NAT-T is enabled on the PA. For ASA, NAT-T detection is on by default, but not by default with Palo.

To my understanding, IKE/IPsec would never establish across a PAT/NAT boundary because they do not use port numbers, so the firewalls cannot track the session, thus the reason for NAT-T.

These tunnels establish completely, but no traffic counters increment in the tunnels unless NAT-T is enabled. I believe that if NAT-T were a requirement, phase 1 and phase 2 would never establish. Instead, phase 1 and 2 establish but no traffic passes. Could it be something to do with route installation? Meaning that the routes are not populated in the FIB without some component of NAT-T?
