UPDATE: VNS3 4.0 and newer

The new VNS3 4.0 version now allows both NAT-T and Native IPsec endpoints on the same VNS3 Controller. 

What's the difference? 

  • Native IPsec enabled communicates on Protocol 50 (not port 50)

  • NAT-T enabled communicates on UDP 4500

When should you use each?

  • If your network gateway is on the "Internet edge" or is  behind a device that can do protocol forwarding, Native IPsec uses Custom Protocol 50 (not port 50)

  • If your network gateway isn't on the "Internet edge" and cannot protocol forward (different from port forward) you'd use NAT-T to encapsulate traffic on UDP port 4500 

NOTE: NAT-T has nothing to do with nat-ing your traffic. It specifies whether the communication happens via UDP 4500 or Protocol 50.

How to in 4.0
When you set up a new IPsec endpoint, you can check the box to enable NAT-T. Default settings will be for Native IPsec connections. If you need multiple NAT-T and Native IPsec connections, simply add each connection individually rather than launch another VNS3 Controller. 

VNS3 allows you to use either NAT-Traversal encapsulation (UDP 4500) or Native IPsec for remote site-to-site VPN connection.  Using NAT-Traversal or Native IPsec is currently a device-wide setting for VNS3.

If you need to connect to both NAT-T and Native IPsec connections, simply peer 2 VNS3 Controllers, one set to NAT-T and the other set to Native IPsec. 


Watch the NAT-Traversal video on YouTube: https://youtu.be/HbIbTOmVqlI