NAT traversal in VPNs

NAT traversal (NAT-T) is an optional IKE standard mechanism to detect when an IPsec VPN tunnel goes through a NAT device. NAT-T allows IPsec VPNs to work reliably through networks where NAT is applied to connections.

If NAT-T is enabled and NAT is detected, the gateway automatically uses UDP port 4500 for IKE negotiation messages, and encapsulates ESP packets in UDP packets that use port 4500.
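As an added example (not from the original documentation, and not the vendor's product code), the following Python shows the two pieces of the behaviour described above: how an IKEv2 peer detects that its counterpart is behind NAT by comparing the NAT_DETECTION hash the counterpart advertised with a hash computed over the address and port actually seen on the wire (RFC 7296, section 2.23), and how a receiver on UDP port 4500 tells IKE messages, UDP-encapsulated ESP and NAT keepalives apart by their leading bytes (RFC 3948). The SPIs, addresses and ports are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed sample IKE SPIs (8 bytes each, as carried in the IKEv2 header).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP | port, the payload data of the IKEv2
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs must be 8 bytes")
    packed_ip = ipaddress.ip_address(ip).packed      # 4 bytes (IPv4) or 16 (IPv6)
    packed_port = struct.pack("!H", port)             # network byte order
    return hashlib.sha1(spi_i + spi_r + packed_ip + packed_port).digest()


def peer_behind_nat(spi_i: bytes, spi_r: bytes, advertised_hash: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """The peer hashed the address it believes it is sending from. If the
    hash over the source address/port we actually observed differs, a NAT
    rewrote the packet on the way, and the gateway switches to UDP 4500."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != advertised_hash


def classify_udp4500_payload(payload: bytes) -> str:
    """Demultiplex a UDP datagram received on port 4500 (RFC 3948 section 2):
    - a single 0xFF octet is a NAT-keepalive,
    - four zero octets (the Non-ESP Marker) precede an IKE message,
    - anything else starts with a non-zero ESP SPI followed by a sequence number."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= 8:
        return "esp"
    return "unknown"


if __name__ == "__main__":
    # Peer sits on a private address and advertises a hash over it ...
    advertised = nat_detection_hash(SPI_I, SPI_R, "10.0.0.5", 500)
    # ... but the packet arrives from the NAT device's public address/port.
    print("NAT detected:", peer_behind_nat(SPI_I, SPI_R, advertised, "203.0.113.7", 4500))

    # Three constructed port-4500 datagrams.
    for pkt in (b"\xff",
                b"\x00\x00\x00\x00" + b"\x00" * 28,           # Non-ESP marker + IKE header
                bytes.fromhex("c0ffee01") + b"\x00\x00\x00\x01" + b"\x42" * 16):
        print(classify_udp4500_payload(pkt))
```

A detection engineer watching for NAT-T traffic can apply the same demultiplexing logic to UDP/4500 flows: a steady stream of one-byte 0xFF datagrams is the keepalive traffic that holds the NAT mapping open, while the IKE and ESP classes indicate negotiation and tunnel data respectively.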

NAT-T is always enabled for mobile VPNs.

NAT-T encapsulation is not always necessary even if static NAT is applied to a site-to-site VPN. You can define Contact Addresses so that the VPN works even when NAT is applied. The NAT-T option is activated in the endpoint properties in the Engine Editor or in the External VPN Gateway element.