System Administration Guide: IP Services

IPsec and NAT Traversal

IKE can negotiate IPsec SAs across a NAT box. This ability enables systems to connect securely from a remote network, even when the systems are behind a NAT device. For example, employees who work from home or who log on from a conference site can protect their traffic with IPsec.

NAT stands for network address translation. A NAT box is used to translate a private internal address into a unique Internet address. NATs are very common at public access points to the Internet, such as hotels. For a fuller discussion, see Using Oracle Solaris IP Filter's NAT Feature.

The ability to use IKE when a NAT box is between communicating systems is called NAT traversal, or NAT-T. In the Solaris 10 release, NAT-T has the following limitations:

The following RFCs describe NAT functionality and the limits of NAT-T. Copies of the RFCs can be retrieved from

To use IPsec across a NAT, see Configuring IKE for Mobile Systems (Task Map).
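The following Python example is added here to make the NAT-T mechanism described above concrete; it is not code from the Oracle Solaris guide. NAT-T works by moving IKE and ESP onto UDP port 4500 once the peers detect a NAT between them. On that port RFC 3948 frames each datagram in one of three ways: a single 0xFF octet is a NAT-keepalive, four zero octets (the "non-ESP marker") introduce an IKE header, and anything else is an ESP header whose SPI is never zero. The decoder below classifies such payloads and summarizes which peer pairs are using NAT-T, which is what an administrator wants to see in a capture when confirming that a remote system behind a NAT is actually negotiating through it. All packet bytes and addresses are constructed for the example; the framing rules and port numbers are from the RFC.

```python
"""Classify UDP payloads on the IPsec NAT-T port (UDP 4500), per RFC 3948.

Added example, not part of the Oracle Solaris guide.  Sample packets are
constructed; the framing rules come from RFC 3948:
  * NAT-keepalive: a single octet 0xFF
  * IKE:           four zero octets (non-ESP marker) then the IKE header
  * ESP:           ESP header directly (SPI first; SPI is never zero)
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

NAT_T_PORT = 4500        # UDP port for encapsulated ESP and IKE after NAT detection
IKE_PORT = 500           # plain IKE, used when no NAT is detected between the peers
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28      # iSPI(8) + rSPI(8) + next(1) + ver(1) + xchg(1) + flags(1) + msgid(4) + len(4)


@dataclass
class NatTRecord:
    kind: str                                    # "keepalive", "ike" or "esp"
    ike_version: Optional[Tuple[int, int]] = None  # (major, minor) for IKE
    exchange_type: Optional[int] = None          # IKE exchange type byte
    spi: Optional[int] = None                    # ESP SPI
    seq: Optional[int] = None                    # ESP sequence number


def classify_nat_t_payload(payload: bytes) -> NatTRecord:
    """Decode the RFC 3948 framing of one UDP/4500 datagram payload."""
    if payload == b"\xff":
        return NatTRecord(kind="keepalive")
    if len(payload) < 8:
        raise ValueError("payload too short for ESP or IKE framing")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header")
        version, exch = ike[17], ike[18]
        return NatTRecord(kind="ike",
                          ike_version=(version >> 4, version & 0x0F),
                          exchange_type=exch)
    # Not the marker, so this is ESP: SPI (never zero) then the sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTRecord(kind="esp", spi=spi, seq=seq)


def summarize_flows(packets: Iterable[Tuple[str, str, int, bytes]]) -> Dict[Tuple[str, str], dict]:
    """Group (src, dst, dport, payload) tuples by peer pair and note NAT-T use.

    A pair that exchanges anything on UDP 4500 has detected a NAT on the path;
    a pair that only ever uses UDP 500 is negotiating IKE without NAT-T.
    """
    flows: Dict[Tuple[str, str], dict] = {}
    for src, dst, dport, payload in packets:
        entry = flows.setdefault((src, dst), {"nat_t": False, "kinds": set()})
        if dport == NAT_T_PORT:
            entry["nat_t"] = True
            entry["kinds"].add(classify_nat_t_payload(payload).kind)
        elif dport == IKE_PORT:
            entry["kinds"].add("ike")
    return flows


# --- constructed sample traffic (not captured from a real system) ---------
SAMPLE_IKE_SA_INIT = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII",
    b"\x11" * 8,     # initiator SPI (constructed)
    b"\x00" * 8,     # responder SPI is zero in the first message
    33,              # next payload: SA
    0x20,            # IKEv2: major 2, minor 0
    34,              # exchange type IKE_SA_INIT
    0x08,            # flags: initiator
    0,               # message ID
    IKE_HEADER_LEN,  # length: header only, no payloads in this sample
)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
SAMPLE_KEEPALIVE = b"\xff"

SAMPLE_PACKETS = [
    ("10.0.0.5", "198.51.100.1", NAT_T_PORT, SAMPLE_IKE_SA_INIT),
    ("10.0.0.5", "198.51.100.1", NAT_T_PORT, SAMPLE_ESP),
    ("10.0.0.5", "198.51.100.1", NAT_T_PORT, SAMPLE_KEEPALIVE),
    ("192.0.2.10", "198.51.100.1", IKE_PORT, b"\x00" * IKE_HEADER_LEN),
]

if __name__ == "__main__":
    for pair, info in summarize_flows(SAMPLE_PACKETS).items():
        print(pair, "NAT-T" if info["nat_t"] else "plain IKE", sorted(info["kinds"]))
```

In a real capture the classifier would be fed the UDP payloads of port-4500 datagrams; seeing a peer pair switch from UDP 500 to UDP 4500 during negotiation is the observable sign that the NAT detection described above succeeded, and periodic keepalives on 4500 show the NAT mapping is being held open for the SA.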