By default, Cisco devices "auto-discover" whether native IPSec or NAT-T should be used during an IPSec negotiation. This is not ideal, as it can change spontaneously and cause an outage.
There are two places where NAT-T can be configured; the first (set in IKE Parameters) is a system-wide setting, and the second (set on the Crypto Map) applies to a specific connection.
Here is a table showing the results of the combined settings:
Here is a screenshot showing the "system-wide" setting in IKE Parameters. If this checkbox is not ticked, no connections on the device will be able to use NAT-T.
The following screenshot shows the NAT-T setting for a specific Crypto Map; this is where you should configure the NAT-T setting for a specific connection. You will not be able to use NAT-T if the checkbox on the IKE Parameters page is not ticked.
When you run 'show running-config', you will NOT see the following 'nat-t disable' messages:
NOTE: This work was done in the Cohesive Networks test environment and should still be reviewed by your organization’s networking staff, and appropriate change control mechanisms used to deploy changes.