Name: #paloaltofirewalltraining | Day 39 | Can NAT-T Traffic Flow Be THIS Simple?
Uploaded: 2025-06-29 19:30:14
Duration: 16 min 40 s

Question 1

How does VPN traffic flow work in a real-world Palo Alto site-to-site VPN?

Accepted Answer

In my diagram, the inside host sends traffic to the Palo Alto firewall, and the firewall decides based on policy (source/destination subnet) to send it through the tunnel. The firewall encrypts what it received from the PC and then adds a new public IP header so it can travel on the internet. The responder firewall decrypts and forwards it to the destination PC, and the return traffic follows the same process.

Question 2

What exactly gets encrypted in an IPsec VPN tunnel?

Accepted Answer

What I explained is: the firewall takes the original packet details (upper layers and the original IP information) and encrypts the payload based on the negotiated algorithms and keys. Then it wraps it with a new outer IP header using public IPs. So the internet only sees the outer public IP header, not your private network details.

Question 3

Why is NAT-T required when there is a NAT device between VPN peers?

Accepted Answer

If NAT is in between, it can do port-based translation (PAT), and plain ESP traffic doesn’t work nicely through that. So once NAT discovery/detection happens, the peers add a UDP header to support traversal. After detection, the communication moves to UDP 4500 so it can pass through the NAT device properly.

Question 4

What ports are used for IKE and NAT-T in IPsec VPN?

Accepted Answer

During normal IKE negotiation you will see UDP 500. In my explanation, once NAT is detected, it changes from UDP 500 to UDP 4500 for further communication. That UDP 4500 is the NAT-T part which helps the tunnel survive NAT in the path.

Question 5

Where does NAT discovery happen in the IKE negotiation?

Accepted Answer

NAT discovery/detection happens during the negotiation phase itself, before the peers switch to NAT-T. I mentioned that the peers try to find whether NAT exists or not, and once they know NAT is present, they automatically shift the later messages to UDP 4500. You don’t need to manually build the logic—just enable NAT-T and the rest is automatic.

Question 6

What is the main difference between IKEv1 and IKEv2?

Accepted Answer

The concept of negotiation is not ‘different’ in terms of what we want to achieve, but IKEv2 is built to improve speed and security handling compared to IKEv1. In IKEv1 main mode you had 6 messages, but in IKEv2 it becomes 4 messages for the same job. Phase 1 still protects Phase 2, and Phase 2 is still dedicated for data encryption—only the exchange is more efficient.

Question 7

Is learning IKEv1 enough to understand IKEv2 for Palo Alto VPN?

Accepted Answer

Yes, if you learn IKEv1 properly, you will not struggle with IKEv2. As I said, there are a few configuration changes and a few negotiation changes, but the overall concept remains the same. IKEv2 mainly reduces message exchanges and improves the workflow.

#paloaltofirewalltraining | Day 39 | Can NAT-T Traffic Flow Be THIS Simple?

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech