UPDATE: VNS3 4.0 and newer


The new VNS3 4.0 version now allows both NAT-T and Native IPsec endpoints on the same VNS3 Controller. 


What's the difference? 



  • Native IPsec enabled communicates on Protocol 50 (not port 50)

  • NAT-T enabled communicates on UDP 4500


When should you use each?



  • If your network gateway is on the "Internet edge" or is behind a device that can do protocol forwarding, use Native IPsec, which communicates on Custom Protocol 50 (not port 50)

  • If your network gateway isn't on the "Internet edge" and cannot protocol forward (different from port forwarding), use NAT-T to encapsulate traffic on UDP port 4500


NOTE: NAT-T has nothing to do with NATing your traffic. It specifies whether the communication happens via UDP 4500 or Protocol 50.


How to in 4.0
When you set up a new IPsec endpoint, you can check the box to enable NAT-T. Default settings will be for Native IPsec connections. If you need multiple NAT-T and Native IPsec connections, simply add each connection individually rather than launching another VNS3 Controller.



VNS3 allows you to use either NAT-Traversal encapsulation (UDP 4500) or Native IPsec for remote site-to-site VPN connections. Using NAT-Traversal or Native IPsec is currently a device-wide setting for VNS3.


If you need to connect to both NAT-T and Native IPsec connections, simply peer 2 VNS3 Controllers, one set to NAT-T and the other set to Native IPsec. 


 


Watch the NAT-Traversal video on YouTube: https://youtu.be/HbIbTOmVqlI