BOVPN on a Firebox Behind a Device That Does NAT.
Client-side NAT traversal technologies which modify SIP packets can interfere with this process and in some cases can cause calls that could stay on the internal LAN to be routed across the Internet. SRX Series, vSRX. While IKE phase 1 detects NAT support and NAT existence along the network path, IKE phase 2 decides whether or not the peers at both ends will use NAT traversal.
What is NAT Traversal? IPsec NAT traversal – UDP port 4500, if and only if NAT traversal is in use. Many routers provide explicit features, often called IPsec Passthrough. This article gives an introduction to NAT - Network Address Translation, explains why NAT is required, gives an introduction to NAT Traversal (required for certain streams like SIP/H.323) and lists the techniques available for doing the NAT Traversal.
That said, there are completely valid and workable circumstances where a network administrator may require local NAT traversal technologies to be deployed on their router/firewall. In Windows XP, NAT traversal is enabled by default, but in Windows XP with Service Pack 2 it has been disabled by default for the case when the VPN server is also behind a NAT device, because of a rare and controversial security issue.
Quick Mode (QM) security association (SA) payload in QM1 and QM2 is used for NAT traversal negotiation. We recommend that the Firebox external interface has a public IP address. IKE Phase 2 Negotiation NAT Traversal Decision.
NAT traversal refers to the common problem in TCP/IP networking of establishing connections between hosts in private TCP/IP networks which use NAT devices. Client-based IPsec VPN connections often do not work when passing through a NAT device as the IKE and IPsec protocols were not designed to work through NAT.