NAT traversal in VPNs

NAT traversal (NAT-T) prevents intermediary devices from applying NAT to VPN communications if NAT is found to prevent the communications from working.

NAT traversal encapsulates the IKE and IPsec communications inside UDP packets. The NAT-T encapsulation option does not affect mobile VPNs, in which NAT-T is always active.
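
The following added example (not Forcepoint code and not part of the original documentation) shows how a receiver or packet analyst separates the payload types that share one UDP port once IKE and IPsec are encapsulated in UDP. It assumes the standard NAT-T encapsulation of RFC 3948 on UDP port 4500; the function name and the sample payloads are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4   # four zero bytes precede IKE on UDP/4500
IKE_HEADER = struct.Struct("!8s8sBBBBII")   # fixed 28-byte IKE header
ESP_HEADER = struct.Struct("!II")           # SPI + sequence number


def classify_natt_payload(payload: bytes) -> dict:
    """Classify one UDP payload received on the NAT-T port (4500)."""
    if payload == b"\xff":
        # NAT-keepalive: one 0xFF octet, sent only to keep the NAT mapping open.
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "too short for marker or SPI"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        init_spi, _resp, _next, version, exchange, _flags, msg_id, length = \
            IKE_HEADER.unpack_from(ike)
        if length != len(ike):
            return {"kind": "malformed", "reason": "IKE length field mismatch"}
        return {"kind": "ike", "major_version": version >> 4,
                "exchange_type": exchange, "message_id": msg_id,
                "initiator_spi": init_spi.hex()}
    if len(payload) < ESP_HEADER.size:
        return {"kind": "malformed", "reason": "truncated ESP header"}
    # A non-zero first word is the ESP SPI; the rest is the protected packet.
    spi, seq = ESP_HEADER.unpack_from(payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample payloads (not captured traffic).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(
    b"\x11" * 8, b"\x00" * 8, 0, 0x20, 34, 0x08, 0, IKE_HEADER.size)
SAMPLE_ESP = ESP_HEADER.pack(0xC0FFEE01, 7) + b"\xaa" * 32

if __name__ == "__main__":
    for name, data in [("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE),
                       ("esp", SAMPLE_ESP), ("short", b"\x00\x00")]:
        print(name, classify_natt_payload(data))
```

Because the UDP header carries ports that a NAT device can rewrite, the encapsulated ESP payload passes through address and port translation without its integrity check being affected.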

Note: The TCP Tunneling option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.

Encapsulation is not always necessary. Usually, you can define Contact Addresses so that the VPN works even when NAT is applied. The encapsulation options are activated in the endpoint properties in the Engine Editor or in the External VPN Gateway element.