IKEv2 with NAT-T and dynamic endpoint VPN

Both IKEv2 initiators and responders in a route-based VPN can be behind NAT devices. The IKEv2 NAT-T feature supports IPsec traffic that crosses NAT devices. Static NAT and dynamic NAT are supported. In static NAT, there is a one-to-one relationship between the private and the public addresses. In dynamic NAT, there is a many-to-one or many-to-many relationship between the private and public addresses. Dynamic endpoint (DEP) VPN is a Junos OS feature that covers IKEv2 initiator and responder perspectives. From the initiator's perspective, DEP VPN covers the situation where the IKE external interface address is not fixed and is therefore not known by the responder. This situation can occur when the peer's address is dynamically assigned by an ISP or when the peer's connection crosses a NAT device that allocates addresses from a dynamic address pool. From the responder's perspective, DEP VPN describes either a finite number of VPNs that are created for a number of VPN peers in a many-to-many scenario or a shared VPN in a many-to-one scenario.