Port 4500

Every time you connect to a corporate VPN from a coffee shop, a hotel room, or your home office, something remarkable happens. Your encrypted traffic needs to cross a NAT device, a piece of infrastructure that was never designed to handle encryption. It should fail. It does not fail. It works because of port 4500.

What Port 4500 Does

Port 4500 carries IPsec NAT Traversal (NAT-T) traffic over UDP. When two endpoints want to establish an encrypted IPsec tunnel but discover a NAT device sits between them, they switch from port 500 to port 4500 and wrap their encrypted packets in a UDP envelope that NAT can process without breaking everything.

This is not elegant. This is engineering pragmatism at its finest.

The Collision That Created Port 4500

To understand port 4500, you need to understand two technologies that were never supposed to meet.

IPsec was designed in the 1990s to secure Internet communications. It uses ESP (Encapsulating Security Payload), which is IP Protocol 50. ESP sits at the same level as TCP and UDP in the network stack. It has no port numbers because it was designed before anyone thought that would be a problem.[1]

NAT was also designed in the 1990s, as a "short-term solution" to IPv4 address exhaustion.[2] The Internet was running out of addresses. NAT let organizations hide thousands of devices behind a single public IP address by tracking connections using port numbers. When a packet goes out, NAT rewrites the source address and port. When the reply comes back, NAT uses the port number to figure out which internal device should receive it.

Here is the problem: ESP packets have no port numbers.[3] NAT has nothing to track. When multiple devices behind the same NAT try to establish IPsec tunnels to the same destination, the return traffic becomes indistinguishable. The second connection looks exactly like the first. Everything breaks.

By the early 2000s, NAT was everywhere. IPsec was essential for secure remote access. And they were fundamentally incompatible.

The Engineers Who Built the Bridge

In 2001, a group of engineers from Finland, the United States, and Canada set out to solve this problem. Tero Kivinen at SSH Communications Security and Ari Huttunen at F-Secure Corporation in Helsinki led the effort, working alongside Brian Swander at Microsoft, Victor Volpe at Cisco, and Larry DiBurro at Nortel Networks.[4]

Their solution was straightforward in concept: if NAT needs port numbers, give it port numbers. Wrap ESP packets inside UDP. Let NAT do its thing with the UDP headers while the encrypted payload travels through untouched.

The specification went through eight revisions over three years. In January 2005, the IETF published RFC 3947 (Negotiation of NAT-Traversal in the IKE) and RFC 3948 (UDP Encapsulation of IPsec ESP Packets) as Standards Track documents.[5][6]

Port 4500 was officially assigned for IPsec NAT Traversal.

How the Protocol Works

The NAT-T dance begins on port 500, where IKE (Internet Key Exchange) negotiations normally happen.

Step 1: Detection

In the first two IKE messages, both sides advertise that they support NAT-T. In messages three and four, they perform NAT detection by exchanging hashes of their IP addresses and port numbers.[7] Each side calculates what the hash should be. If the received hash does not match, someone in the middle changed the address or port. NAT is present.

Step 2: Port Switch

Once NAT is detected, both sides immediately switch to port 4500. The initiator sets both source and destination ports to 4500. All subsequent IKE packets and all encrypted ESP traffic use this port.[8]

Step 3: UDP Encapsulation

ESP packets get wrapped in a standard UDP header. To distinguish between IKE management traffic and encrypted data, the protocol uses a clever trick: if the first four bytes after the UDP header are all zeros (the "Non-ESP Marker"), it is an IKE packet. Otherwise, it is an ESP packet heading to the kernel for decryption.[9]

Step 4: Keepalives

NAT devices forget about UDP "connections" if they sit idle too long. To prevent the NAT mapping from expiring, NAT-T sends keepalive packets: a single byte with the value 0xFF, typically every 20 seconds.[10]

The result is an encrypted tunnel that survives NAT translation because it looks like ordinary UDP traffic.
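As an added example (not code from the article or from any IPsec implementation), the following Python puts Steps 1, 3 and 4 together: the NAT detection hash in its IKEv2 form from RFC 7296 section 2.23 (RFC 3947 builds the same hash with the IKEv1 cookies in place of the SPIs), and the sorting of a UDP/4500 payload into keepalive, IKE and ESP as RFC 3948 describes. Addresses, ports and SPIs are constructed sample values.

```python
# Added example, not from the original article: NAT detection (Step 1) and
# port-4500 demultiplexing (Steps 3 and 4) in the IKEv2 form. RFC 3947 builds
# the same hash with the IKEv1 cookies in place of the SPIs. All addresses,
# ports and SPIs used here are constructed sample values.
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero bytes in front of IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # 1-byte keepalive, sent about every 20 s


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload: SHA-1(SPIi | SPIr | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_in_path(received: bytes, spi_i: bytes, spi_r: bytes,
                seen_ip: str, seen_port: int) -> bool:
    """The receiver recomputes the hash over the address and port it actually
    saw on the wire. A mismatch means something rewrote them in transit."""
    return nat_detection_hash(spi_i, spi_r, seen_ip, seen_port) != received


def classify_port4500(payload: bytes) -> dict:
    """Sort a UDP/4500 payload into keepalive, IKE or ESP (RFC 3948 2.1, 2.3).
    The marker lines up with the ESP SPI field; SPI 0 is reserved and never
    sent on the wire (RFC 4303), so four leading zero bytes can only be IKE."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_message": payload[4:]}
    if len(payload) < 8:
        raise ValueError("too short for an ESP header (SPI + sequence number)")
    spi, seq = struct.unpack("!II", payload[:8])  # ESP header, RFC 4303
    return {"kind": "esp", "spi": spi, "seq": seq}


if __name__ == "__main__":
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes(8)  # SPIr is 0 in IKE_SA_INIT
    # Constructed scenario: the initiator sits at private 192.168.1.10:500;
    # the responder sees the NAT's public 203.0.113.7:41234 instead.
    sent = nat_detection_hash(spi_i, spi_r, "192.168.1.10", 500)
    print("NAT detected:", nat_in_path(sent, spi_i, spi_r, "203.0.113.7", 41234))
    print(classify_port4500(NAT_KEEPALIVE))
    print(classify_port4500(NON_ESP_MARKER + b"\x01\x02"))
    print(classify_port4500(struct.pack("!II", 0x1A2B3C4D, 7) + bytes(8)))
```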

Security Considerations

NAT-T adds a UDP header to encrypted traffic. The encryption itself remains intact. The security implications are subtle but worth understanding.

Implementation Vulnerabilities

The ipsec-tools implementation before version 0.7.2 had memory leaks in its NAT-T keepalive handling that could be exploited for denial-of-service attacks.[11] As with any protocol, the specification is only as secure as its implementations.

Firewall Considerations

Port 4500 traffic is encrypted and inspectable only by the tunnel endpoints. Organizations should restrict port 4500 access to known VPN peers and monitor for unusual traffic patterns.[12]

IKEv1 vs IKEv2

NAT-T was an optional add-on for IKEv1. In IKEv2 (RFC 7296, published 2014), NAT-T is mandatory and integrated directly into the protocol.[13] If you have a choice, use IKEv2. The protocol learned from a decade of deployment experience.

Quantum Considerations

Modern implementations like Libreswan offer post-quantum pre-shared keys (PPKs) to protect IKEv2 connections against future quantum computer attacks.[14] The encryption transiting port 4500 can be made quantum-resistant.

Port         Protocol     Description
500/UDP      IKE/ISAKMP   Internet Key Exchange, where negotiations begin before NAT is detected
4500/UDP     IPsec NAT-T  This port, where traffic moves when NAT is present
Protocol 50  ESP          Encapsulating Security Payload, the encrypted data that gets wrapped in UDP
Protocol 51  AH           Authentication Header, IPsec integrity protection (incompatible with NAT)

What Flows Through Port 4500

Every encrypted VPN session that crosses a NAT boundary.

The laptop connecting from the hotel wifi to the corporate network. The home office router establishing a site-to-site tunnel to headquarters. The mobile phone maintaining an always-on connection as it moves between cell towers. The thousands of remote workers who, during the pandemic, suddenly needed secure access from networks that were never designed for enterprise connectivity.

Port 4500 carries the weight of the modern distributed workforce. It is infrastructure that most people never see, solving a problem that most people do not know exists: the fundamental incompatibility between the Internet's address shortage and its security needs.

This port is a bridge built by Finnish engineers and their colleagues, a pragmatic solution that has been running for two decades. It is not beautiful. It is necessary. And it works.
