NAT Traversal
What is NAT traversal
NAT Traversal (Network Address Translation Traversal) is a networking technique that allows devices behind a NAT-enabled router to establish and maintain connections with devices on other networks, including the internet, for example for a site-to-site VPN. NAT Traversal techniques thus enable two-way communication between devices that sit behind NATs.
Without NAT Traversal, devices using private IP addresses would not be able to receive incoming data packets from external networks because the NAT device would not know to which internal device it should forward those packets.
If the EnGenius Gateway is behind a firewall or other Network Address Translation (NAT) device, there are two options for establishing the IPSec VPN tunnel on the CONFIGURE > Gateway > Site-to-Site VPN page:
Automatic
In the vast majority of cases, the EnGenius Gateway can automatically establish site-to-site VPN connectivity to remote EnGenius VPN peers even through a firewall or NAT device using a technique known as "UDP hole punching." This is the recommended (and default) option. Please refer to the section below for a detailed description.
Manual: Port forwarding
If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, EnGenius VPN peers contact this EnGenius Security Gateway using the specified public IP address and UDP port number. You still need to configure port forwarding rules on the upstream NAT/firewall device so that incoming traffic addressed to the specified public IP with destination port UDP 500 or UDP 4500 is forwarded to the Primary WAN IP address of the EnGenius Security Gateway. Please refer to the section below for a detailed description.

Site to Site VPN Automatic NAT Traversal
EnGenius employs Automatic NAT Traversal, utilizing "UDP hole punching" to establish secure IPsec tunnels between EnGenius VPN peers through firewalls and NAT. This process is facilitated by the EnGenius Cloud, which acts as a broker to automatically manage and connect remote peers. This method simplifies the process of setting up secure connections between devices on the internet, even when they are behind different types of routers or firewalls. It automatically navigates these barriers, making it easier to establish reliable and secure IPSec VPN connections without the need for manual adjustments.
If the Automatic option does not work, it may be due to the presence of a symmetric NAT upstream or stringent firewall rules that control what traffic is allowed to ingress or egress the network. You can use the "Manual: Port Forwarding" option to solve the issue.
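The two paragraphs above describe the broker-assisted "UDP hole punching" and the case in which it fails. The following toy model, added here as an illustration and not EnGenius code, walks through the steps (peers register with a cloud broker, the broker reports each peer's observed public UDP endpoint, both peers send to each other's endpoint) and shows why a symmetric NAT upstream defeats the technique. The NAT classes, IP addresses, ports and the broker endpoint are constructed samples; real NAT devices have more behaviours than the two modelled here.

```python
"""Toy model of UDP hole punching through a cone NAT versus a symmetric NAT.

Added illustration, not EnGenius code. IP addresses, ports and the broker
endpoint are constructed samples.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, udp_port)

# Constructed sample: stands in for the cloud broker that peers register with.
BROKER: Endpoint = ("198.51.100.1", 3478)


@dataclass
class Nat:
    """Minimal NAT: a mapping is created the first time an inside socket sends out.

    Cone NAT (full-cone in this model): one public port per inside socket, reused
    for every destination, and any outside host may send to it.
    Symmetric NAT: a fresh public port per (inside socket, destination) pair, and
    only that destination may send back through it.
    """
    public_ip: str
    symmetric: bool
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))
    _mappings: Dict[object, int] = field(default_factory=dict)
    _inbound: Dict[int, Tuple[Endpoint, Optional[Endpoint]]] = field(default_factory=dict)

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate an outbound packet; return the public (ip, port) the remote sees."""
        key = (inside, remote) if self.symmetric else inside
        if key not in self._mappings:
            port = next(self._ports)
            self._mappings[key] = port
            # A symmetric NAT only lets the original destination reply through the mapping.
            self._inbound[port] = (inside, remote if self.symmetric else None)
        return (self.public_ip, self._mappings[key])

    def inbound(self, public_port: int, sender: Endpoint) -> Optional[Endpoint]:
        """Deliver a packet arriving at public_port from sender, or drop it (None)."""
        entry = self._inbound.get(public_port)
        if entry is None:
            return None  # no mapping: nothing to forward to
        inside, allowed_sender = entry
        if allowed_sender is not None and allowed_sender != sender:
            return None  # symmetric NAT: mapping is bound to another destination
        return inside


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """Return True if peers A and B (behind nat_a and nat_b) can reach each other."""
    a_inside: Endpoint = ("192.168.1.2", 4500)  # constructed: peer A's WAN-side socket
    b_inside: Endpoint = ("10.0.0.2", 4500)     # constructed: peer B's WAN-side socket

    # 1. Both peers send to the broker; the broker records the public endpoint
    #    each NAT used for that packet.
    a_observed = nat_a.outbound(a_inside, BROKER)
    b_observed = nat_b.outbound(b_inside, BROKER)

    # 2. The broker hands each peer the other's observed endpoint, and
    # 3. both peers send to it at the same time ("punching" the hole).
    a_src_toward_b = nat_a.outbound(a_inside, b_observed)
    b_src_toward_a = nat_b.outbound(b_inside, a_observed)

    # 4. Each packet arrives at the other NAT's public port and is delivered
    #    only if the mapping there accepts this sender.
    a_reaches_b = nat_b.inbound(b_observed[1], a_src_toward_b) == b_inside
    b_reaches_a = nat_a.inbound(a_observed[1], b_src_toward_a) == a_inside
    return a_reaches_b and b_reaches_a


def kind(symmetric: bool) -> str:
    return "symmetric" if symmetric else "cone"


if __name__ == "__main__":
    # Constructed public addresses for the two upstream NAT devices.
    for sym_a, sym_b in [(False, False), (False, True), (True, True)]:
        ok = hole_punch(Nat("203.0.113.5", sym_a), Nat("203.0.113.77", sym_b))
        print(f"A behind {kind(sym_a)} NAT, B behind {kind(sym_b)} NAT: "
              f"{'tunnel can be punched' if ok else 'hole punching fails'}")
```

With a cone NAT on both sides the port the broker observed is the same port the peer later uses toward the other side, so each punched packet lands on a live mapping. With a symmetric NAT on either side the mapping the broker observed is bound to the broker alone and the peer's packet toward the other side leaves from a different port, so neither direction is delivered; that is the situation in which the page recommends switching to Manual: Port Forwarding.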

Site to Site VPN Manual: Port Forwarding
When Manual: Port forwarding is enabled, ESG peers contact the ESG device using the specified public IP address and UDP port number. You will need to configure the upstream firewall to forward all incoming traffic on that UDP port to the IP address of the ESG device.

Since ESG is the device communicating over UDP on ports 500 and 4500 for site-to-site connections, these ports must be forwarded on any devices upstream of the ESG, and not on the ESG itself. Please ensure that the following UDP ports are forwarded/allowed to the ESG:
UDP 500 (IKE)
UDP 4500 (IPSec NAT-T)
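A quick sanity check for the rules on the upstream device, added here as an example and not part of the EnGenius documentation: given the forwarding rules exported from the firewall, confirm that UDP 500 and UDP 4500 both reach the ESG's Primary WAN IP and flag the usual mistakes (TCP instead of UDP, the wrong internal host, a rewritten port). The ForwardRule shape, the WAN address and both sample rule sets are constructed; adapt the parsing to whatever your firewall exports.

```python
"""Check an upstream firewall's forwarding rules for the ESG's IKE and NAT-T ports.

Added example, not EnGenius code: the ForwardRule shape and the sample rule
sets are constructed.
"""
from dataclasses import dataclass
from typing import List

# The two UDP ports that must reach the ESG's Primary WAN IP.
REQUIRED_UDP_PORTS = {500: "IKE", 4500: "IPsec NAT-T"}


@dataclass(frozen=True)
class ForwardRule:
    proto: str        # "udp" or "tcp"
    ext_port: int     # destination port on the firewall's public IP
    target_ip: str    # host the packet is forwarded to
    target_port: int  # port on that host


def check_forwarding(rules: List[ForwardRule], esg_wan_ip: str) -> List[str]:
    """Return the problems found; an empty list means both ports are forwarded correctly."""
    problems: List[str] = []
    for port, name in REQUIRED_UDP_PORTS.items():
        matches = [r for r in rules if r.ext_port == port]
        if not matches:
            problems.append(f"no forwarding rule for UDP {port} ({name})")
            continue
        for r in matches:
            if r.proto.lower() != "udp":
                problems.append(f"port {port} ({name}) is forwarded as {r.proto}; IKE and NAT-T use UDP")
            if r.target_ip != esg_wan_ip:
                problems.append(f"UDP {port} ({name}) goes to {r.target_ip}, not the ESG WAN IP {esg_wan_ip}")
            if r.target_port != port:
                problems.append(f"UDP {port} ({name}) is rewritten to port {r.target_port}; forward it unchanged")
    return problems


# Constructed sample rule sets; the ESG's Primary WAN IP here is 192.168.1.2.
ESG_WAN_IP = "192.168.1.2"
GOOD_RULES = [
    ForwardRule("udp", 500, ESG_WAN_IP, 500),
    ForwardRule("udp", 4500, ESG_WAN_IP, 4500),
]
BAD_RULES = [
    ForwardRule("tcp", 500, ESG_WAN_IP, 500),        # wrong protocol
    ForwardRule("udp", 4500, "192.168.1.50", 4500),  # wrong internal host
]

if __name__ == "__main__":
    for label, rules in [("good", GOOD_RULES), ("bad", BAD_RULES)]:
        issues = check_forwarding(rules, ESG_WAN_IP)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Run the check against the rules on the upstream NAT/firewall, not on the ESG itself, since the ESG is the endpoint of the UDP 500/4500 traffic rather than a device forwarding it.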