SRX Services Gateway

Force NAT-T on IPSEC Link

‎11-26-2014 06:14 AM

Hi All,


I have searched for a long time to find a solution to force a VPN to use UDP Port 4500 (vs. ESP) traffic. A few times I have run into ESP traffic being blocked internationally, whereas UDP 4500 seems fine.


With no software tool to make this happen, I figured out what I think is a workaround.


Here is my setup:


Port 15 = public IP / 30 to ISP, zone untrust


Port 13 =, zone trust


Port 12 =, zone nat_t, virtual-router nat_t


I added a virtual router (nat_t) with a static default route to and set the external interface for my IKE gateway to be port 12. This worked like a charm since the SRX is NAT'ing to the public and forcing UDP 4500 for ESP.


I've searched for a solution for 2+ years and thought I would post it here in case anyone else is looking for this.



Darin Pesnell


Re: Force NAT-T on IPSEC Link

‎11-26-2014 09:09 AM



Thanks for sharing this wonderful information for forcing devices to use NATT so that it can use UDP 4500.


From the SRX point of view, there are 2 types of VPN.


Site to Site VPN
Client to Site VPN


For site to site VPN, if there is a NAT device in between 2 peers, then if NAT-Traversal is enabled, it will negotiate on UDP 4500.


On SRX, NAT traversal is enabled by default.


For Client to Site VPN, the VPN uses NATT by default whether VPN clients are behind a NAT device or not.


In my point of view, forcing NATT for site to site VPN is an overhead for the devices as it needs to do additional encapsulation and decapsulation.


But thanks for sharing this information, in case there is a requirement to use NATT even though there is no NAT device.
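
Why NAT'ing the gateway's own IKE traffic ends up on UDP 4500, as an added example that is not part of either post: IKEv2 peers detect NAT by hashing the SPIs with the source address and port they believe they are using (RFC 7296, section 2.23), and the receiver compares that hash with what it sees on the wire. The addresses and SPI below are constructed, and IKEv2 with SHA-1 is assumed (IKEv1 in RFC 3947 uses the same comparison with the negotiated hash).

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | IP | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_in_path(spi_i, spi_r, payload_hash, seen_ip, seen_port) -> bool:
    """Receiver side: a NAT is assumed when the sender's hash does not
    match the source address and port observed on the packet."""
    return payload_hash != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)


def transport_after_detection(nat_found: bool) -> str:
    """With NAT detected, IKE floats to UDP 4500 and ESP is carried in UDP
    (RFC 3948); otherwise ESP goes out as IP protocol 50."""
    return "UDP/4500 (ESP-in-UDP)" if nat_found else "ESP (IP protocol 50)"


def scenario(local_ip: str, wire_ip: str) -> str:
    """local_ip: address of the IKE gateway's external interface.
    wire_ip: source address the remote peer actually sees."""
    spi_i = bytes.fromhex("0102030405060708")  # constructed initiator SPI
    spi_r = bytes(8)                           # zero in the first IKE_SA_INIT
    sent = nat_detection_hash(spi_i, spi_r, local_ip, 500)
    found = nat_in_path(spi_i, spi_r, sent, wire_ip, 500)
    return transport_after_detection(found)


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.1 stands in for the public IP,
    # 10.0.0.2 for a private address on the IKE external interface.
    print("IKE sourced from public interface:", scenario("203.0.113.1", "203.0.113.1"))
    print("IKE sourced behind source NAT:    ", scenario("10.0.0.2", "203.0.113.1"))
```
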