NS-Remote VPN client is connected successfully to firewall, but NS-Remote client cannot pass traffic through the VPN. What Are the Minimum Requirements for NAT Traversal?
| Knowledge Base ID: | KB4022 |
| Version: | 9.0 |
| Published: | 13 May 2009 |
| Updated: | 13 May 2009 |
| Categories: | Firewall/IPSec_VPN NS_Remote_Security NS_Remote_VPN_Client ScreenOS JUNOS-ES |
Symptoms & Errors:
- NetScreen-Remote client behind NAT device is not working
- NS-Remote client Log Viewer reports the error "message not received!" during the Phase 1 negotiation:
1-14: 15:24:13.167 My Connections\corporate - message not received! Retransmitting!
- NS-Remote VPN client connects successfully to the firewall (SA is active), but the NS-Remote client cannot pass traffic through the VPN
- Configuring the NS-Remote client with a public IP address works, but reconfiguring the client with a private address and placing it behind a NAT device fails
- Cannot send traffic across the VPN
This article applies to ScreenOS and JUNOS Enhanced Services (JUNOS-ES) 8.5 and higher.
Minimum requirements for NAT Traversal (NAT-T):
- One side of the Virtual Private Network (VPN) must NOT be behind a Network Address Translation (NAT) device.
- The non-NAT side must have a static IP address. If the non-NAT side has a dynamically assigned IP address like DHCP or PPPoE, the NAT-Traversal VPN will not work.
- Both sides must support NAT-Traversal.
- The VPN device behind the NAT device must initiate the IPSec negotiations.
- For pre-shared key IKE VPN, both sides must be negotiating Aggressive Mode.
- The NAT device in front of the Juniper Firewall device must have IPSec Pass-through feature disabled.
Enable the NAT-Traversal feature on the Juniper firewall.
For JUNOS-ES, go to KB10178 - How Do I Enable NAT Traversal in JUNOS-ES?
ScreenOS CLI
-----
To enable NAT traversal via the CLI, add the following command to the configuration:
set ike gateway <gateway name> nat-traversal <options>
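The following ScreenOS configuration fragment is an added example, not part of this KB article, showing the CLI command above applied to a dialup gateway for NS-Remote users in a way that satisfies the requirements listed earlier (aggressive mode with a pre-shared key, NAT-T enabled, the static-IP firewall as responder). The gateway name, user group, outgoing interface, proposal names, keepalive value and the pre-shared key placeholder are assumptions. The `udp-checksum` and `keepalive-frequency` options are taken from the ScreenOS CLI reference as I know it and are not listed on this page, so confirm them against your release; lines beginning with `#` are annotations, not CLI input.

```text
# Assumed: Phase 1 dialup gateway for NS-Remote users. "Aggr" selects
# Aggressive Mode, which is required for pre-shared-key NAT-T.
# The outgoing interface must carry the firewall's static public IP.
set ike gateway "Corp-GW" dialup "NSR-Users" Aggr outgoing-interface "ethernet3" preshare "REPLACE-WITH-PRESHARED-KEY" proposal "pre-g2-3des-sha"

# Enable NAT-Traversal on the gateway (the command documented above).
set ike gateway "Corp-GW" nat-traversal

# Optional NAT-T options (assumed option names): keep the UDP checksum only
# if the NAT device in front of the client requires it; send keepalives so the
# NAT device keeps its UDP 4500 mapping open while the tunnel is idle.
set ike gateway "Corp-GW" nat-traversal udp-checksum
set ike gateway "Corp-GW" nat-traversal keepalive-frequency 20

# Assumed Phase 2 VPN bound to the gateway.
set vpn "Corp-VPN" gateway "Corp-GW" proposal "g2-esp-3des-sha"

# Checks after the NS-Remote client (the side behind NAT) initiates:
# the gateway listing should show NAT-Traversal enabled, and "get sa active"
# should show the SA in A/- (active) state. If the SA is active but traffic
# still fails, verify IPSec pass-through is disabled on the NAT device.
get ike gateway "Corp-GW"
get sa active
```

Because the firewall is the responder with a static IP, no NAT-T-specific change is needed on the NS-Remote client beyond placing it behind the NAT device and letting it initiate the connection.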
ScreenOS WebUI
---------
To enable NAT traversal via the WebUI, perform the following steps:
Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
1. From the ScreenOS options menu, click VPNs, select AutoKey Advanced, and then click Gateway.
2. From the Gateway page, click New.
3. Click Advanced.
4. Click Enable NAT-Traversal.
5. Each UDP packet contains a UDP checksum, a calculated value that the Juniper firewall device uses to detect transmission errors. Select the UDP checksum check box only if the NAT device requires it.
Additional Information:
NAT-T draft 2 is supported in ScreenOS 5.1 and later and is enabled with the same steps above.
How do I configure support for UDP 4500?
For an overview of NAT traversal, please refer to the Concepts and Examples ScreenOS Reference Guide.
Chapter 7 -- Advanced Virtual Private Network Features
ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf
Or KB4741 - NAT Traversal Overview