IPSec does not work if we have a NAT Device between two IPSec peers, performing Port Address Translation. It is not possible for the IPSec ESP packets to traverse (Travel across or pass over) across a NAT Device performing PAT.
In Port Address Translation (PAT), the NAT Device changes the source Port Number (TCP or UDP) with another port number.To perform Port Address Translation (PAT), a NAT device must be able to open TCP/UDP header and find Source TCP/UDP Port Number. The TCP and UDP Port Numbers are not visible for a NAT device performing PAT between IPSec Peers, because TCP/UDP headers are encrypted and encapsulated with ESP header.
When IPSec is used to secure IPv4 traffic, original TCP/UDP Port Numbers are kept encrypted and encapsulated using ESP. Following image shows how IPSec encapsulates IPv4 datagram. For more details visit IPSec VPN Modes - Tunnel Mode and Transport Mode.
Following image shows a Wireshark capture of ESP encapsulated IPSec packet.
Note that TCP/UDP headers are not visible. TCP/UDP headers are kept encrypted as ESP data payload.
NAT Traversal (NAT-T) technology is used in IPSec to overcome above mentioned problem.
NAT Traversal (NAT-T) technology can detect whether both IPSec peers support NAT-T. NAT Traversal (NAT-T) technology can also detect NAT devices between IPSec Peers. ISAKMP Main Mode messages one and two are used to detect whether both IPSec peers support NAT-T. If both IPSec peers support NAT-T, NAT Devices are detected in ISAKMP Main Mode messages three and four.f
Once a NAT PAT device is detected between IPSec Peers, NAT-T encapsulates ESP packets inside an unencrypted UDP header with both Source and Destination ports as 4500. Now the NAT PAT devices have a UDP header and port number to play with and PAT happens as usual.