NAT traversal in VPNs
NAT traversal (NAT-T) is an optional, standardized IKE mechanism for detecting when an IPsec VPN tunnel passes through a NAT device. NAT-T allows IPsec VPNs to work reliably across networks where NAT is applied to the connection.
If NAT-T is enabled and NAT is detected, the gateway automatically switches to UDP port 4500 for IKE negotiation messages and encapsulates ESP packets in UDP packets that use port 4500. The encapsulation is needed because plain ESP (IP protocol 50) carries no port numbers, so many NAT devices cannot translate it.
NAT-T is always enabled for mobile VPNs.
NAT-T encapsulation is not always necessary, even if static NAT is applied to a site-to-site VPN. You can define Contact Addresses so that the VPN works even when NAT is applied. The NAT-T option is activated in the endpoint properties in the Engine Editor or in the External VPN Gateway element.
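To make the two mechanisms above concrete, here is an added example (not code from the product documentation or its vendor) that shows how an IKEv2 peer detects NAT and how a defender can tell IKE, ESP and keepalive traffic apart on UDP port 4500. The detection hash follows RFC 7296 section 2.23: each side sends a SHA-1 digest over its SPIs, its own IP address and its own port; if the receiver recomputes the digest over the address and port it actually observed on the packet and the values differ, a NAT rewrote them. The port-4500 classification follows RFC 3948 (a 4-byte zero "non-ESP marker" prefixes IKE, a single 0xFF byte is a NAT-keepalive, anything else is UDP-encapsulated ESP starting with its SPI). The addresses, ports and SPI values are constructed for the demonstration.

```python
import hashlib
import ipaddress
import struct

# RFC 7296 section 2.23: NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
# payloads carry SHA-1(SPIi | SPIr | IP address | port). In the IKE_SA_INIT
# request the responder SPI is not yet known and is sent as eight zero bytes.
def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed        # IPv4 or IPv6, network order
    packed_port = struct.pack("!H", port)              # 16-bit big-endian
    return hashlib.sha1(spi_i + spi_r + packed_ip + packed_port).digest()


def nat_detected(received_hash: bytes, spi_i: bytes, spi_r: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver side: recompute the digest over the address/port seen on the
    wire. A mismatch means a NAT device rewrote the sender's address or port."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != received_hash


def classify_udp4500_payload(payload: bytes) -> str:
    """RFC 3948 demultiplexing of a UDP/4500 payload as a monitoring tool would do it."""
    if payload == b"\xff":
        return "nat-keepalive"                         # 1-byte keepalive, no IKE/ESP inside
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                                   # non-ESP marker, then IKE header
    if len(payload) >= 8:
        return "esp"                                   # SPI (non-zero) + sequence number
    return "unknown"


# --- Constructed scenario: initiator behind a NAT talks to a public gateway ---
SPI_I = bytes.fromhex("0123456789abcdef")   # constructed initiator SPI
SPI_R = bytes(8)                            # responder SPI unknown in IKE_SA_INIT request
INNER_IP, INNER_PORT = "192.168.1.10", 500  # what the initiator believes it is sending from
NAT_IP, NAT_PORT = "203.0.113.5", 50000     # what the gateway actually observes after NAT


def simulate_sa_init_through_nat() -> bool:
    """Initiator hashes its private address; gateway hashes the translated one."""
    sent = nat_detection_hash(SPI_I, SPI_R, INNER_IP, INNER_PORT)
    return nat_detected(sent, SPI_I, SPI_R, NAT_IP, NAT_PORT)


def simulate_sa_init_without_nat() -> bool:
    sent = nat_detection_hash(SPI_I, SPI_R, INNER_IP, INNER_PORT)
    return nat_detected(sent, SPI_I, SPI_R, INNER_IP, INNER_PORT)


if __name__ == "__main__":
    print("NAT detected (behind NAT):   ", simulate_sa_init_through_nat())
    print("NAT detected (no NAT):       ", simulate_sa_init_without_nat())
    for sample in (b"\xff",
                   b"\x00\x00\x00\x00" + SPI_I + SPI_R + b"\x21\x20\x22\x08",
                   bytes.fromhex("c0000001") + b"\x00\x00\x00\x01" + b"\xaa" * 16):
        print(f"{sample[:8].hex():>16}... -> {classify_udp4500_payload(sample)}")
```

Once NAT is detected this way, both peers move IKE to port 4500 and wrap ESP in UDP, which is exactly the switch described above; a firewall or IDS watching port 4500 can use the same RFC 3948 rules to separate control traffic (IKE) from data traffic (ESP) and keepalives, for example to log rekeys without trying to parse encrypted ESP.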