UPDATE: VNS3 4.0 and newer
VNS3 4.0 now allows both NAT-T and Native IPsec endpoints on the same VNS3 Controller.
What's the difference?
- With Native IPsec enabled, the endpoint communicates on Protocol 50 (an IP protocol number, not port 50)
- With NAT-T enabled, the endpoint communicates on UDP port 4500
When should you use each?
- If your network gateway is on the "Internet edge" or is behind a device that can do protocol forwarding, use Native IPsec, which communicates on Custom Protocol 50 (not port 50)
- If your network gateway isn't on the "Internet edge" and cannot protocol forward (which is different from port forwarding), use NAT-T to encapsulate traffic on UDP port 4500
NOTE: NAT-T has nothing to do with NAT-ing your traffic. It specifies whether the communication happens via UDP 4500 or Protocol 50.
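The protocol-versus-port distinction above, as an added example that is not VNS3 code: a small classifier that reads the IPv4 protocol field to tell Native IPsec (protocol 50, ESP) from NAT-T (UDP 4500). It goes slightly beyond the text by also separating IKE and keepalive packets on UDP 4500, following RFC 3948; the function names and sample packets are constructed for illustration.

```python
import struct

ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500

def classify(packet: bytes) -> str:
    """Classify a raw IPv4 packet as Native IPsec, NAT-T, or other."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    proto = packet[9]                 # IP protocol number, not a port
    if ihl < 20 or len(packet) < ihl:
        return "not-ipv4"
    if proto == ESP_PROTO:
        return "native-ipsec-esp"     # ESP carries no port numbers at all
    if proto != UDP_PROTO or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    if NAT_T_PORT not in (sport, dport):
        return "other"                # includes UDP *port* 50, which is not IPsec
    payload = packet[ihl + 8:]
    if payload == b"\xff":
        return "nat-t-keepalive"      # RFC 3948 one-byte NAT keepalive
    if payload[:4] == b"\x00\x00\x00\x00":
        return "nat-t-ike"            # non-ESP marker precedes IKE on 4500
    return "nat-t-esp"                # ESP encapsulated in UDP 4500

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample, checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return header + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Build a UDP datagram (constructed sample, checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed ESP body: SPI, sequence number, dummy ciphertext
ESP_BODY = struct.pack("!II", 0x1000ABCD, 1) + b"\x00" * 16

if __name__ == "__main__":
    samples = {
        "protocol 50": ipv4(50, ESP_BODY),
        "UDP 4500 with ESP": ipv4(17, udp(4500, 4500, ESP_BODY)),
        "UDP 4500 with IKE": ipv4(17, udp(4500, 4500, b"\x00" * 4 + b"ike")),
        "UDP port 50": ipv4(17, udp(50, 50, ESP_BODY)),
    }
    for name, pkt in samples.items():
        print(f"{name:20} -> {classify(pkt)}")
```

A firewall or NAT device that only forwards ports passes the UDP 4500 cases but drops the protocol 50 packet, which is why such gateways need NAT-T.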
How to in 4.0
When you set up a new IPsec endpoint, you can check the box to enable NAT-T. The default setting is a Native IPsec connection. If you need multiple NAT-T and Native IPsec connections, simply add each connection individually rather than launching another VNS3 Controller.
VNS3 allows you to use either NAT-Traversal encapsulation (UDP 4500) or Native IPsec for remote site-to-site VPN connections. Using NAT-Traversal or Native IPsec is currently a device-wide setting for VNS3.
If you need to connect to both NAT-T and Native IPsec connections, simply peer 2 VNS3 Controllers, one set to NAT-T and the other set to Native IPsec.
Watch the NAT-Traversal video on YouTube: https://youtu.be/HbIbTOmVqlI