NAT-T
NAT-T is a method of enabling IPsec-protected IP datagrams to pass through network address translation (NAT). RFC 3947 defines the negotiation during the Internet key exchange (IKE) phase and RFC 3948 defines the UDP encapsulation.

An IP packet is modified while passing through a network address translator device in a manner that is incompatible with Internet Protocol Security (IPsec). NAT-T protects the original IPsec encoded packet by encapsulating it with another layer of UDP and IP headers.
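The sketch below is an added example, not part of the original article: it builds the UDP wrapper around an ESP packet and classifies what arrives on the NAT-T port, which is how a receiver or a traffic monitor tells ESP, IKE and keepalives apart. Port 4500, the four-zero-byte non-ESP marker and the 0xFF keepalive come from RFC 3947 and RFC 3948; the function names and sample bytes are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500                 # UDP port IKE moves to once a NAT is detected (RFC 3947)
NON_ESP_MARKER = b"\x00" * 4      # prefixes IKE messages sharing the port (RFC 3948)
NAT_KEEPALIVE = b"\xff"           # one-octet payload that keeps the NAT mapping alive

def udp_encapsulate(esp_packet, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """Wrap an ESP packet (SPI | sequence | ciphertext) in a UDP header."""
    if len(esp_packet) < 8:
        raise ValueError("ESP packet shorter than SPI + sequence number")
    if esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("SPI 0 would be read as the non-ESP marker")
    # RFC 3948: the IPv4 UDP checksum SHOULD be sent as zero.
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0) + esp_packet

def classify(udp_datagram):
    """Return (kind, detail) for a UDP datagram seen on port 4500."""
    if len(udp_datagram) < 8:
        return ("invalid", "truncated UDP header")
    _sport, _dport, length, _cksum = struct.unpack("!HHHH", udp_datagram[:8])
    if length < 8 or length > len(udp_datagram):
        return ("invalid", "bad UDP length")
    payload = udp_datagram[8:length]
    if payload == NAT_KEEPALIVE:
        return ("nat-keepalive", None)
    if payload[:4] == NON_ESP_MARKER and len(payload) > 4:
        return ("ike", payload[4:])          # IKE message follows the marker
    if len(payload) < 8:
        return ("invalid", "too short for ESP")
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", {"spi": spi, "seq": seq, "ciphertext_len": len(payload) - 8})

# Constructed sample inputs (not captured traffic).
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + bytes(16)
SAMPLE_IKE = struct.pack("!HHHH", 4500, 4500, 8 + 4 + 28, 0) + NON_ESP_MARKER + bytes(28)
SAMPLE_KEEPALIVE = struct.pack("!HHHH", 4500, 4500, 9, 0) + NAT_KEEPALIVE

if __name__ == "__main__":
    for name, dgram in [("esp", udp_encapsulate(SAMPLE_ESP)),
                        ("ike", SAMPLE_IKE), ("keepalive", SAMPLE_KEEPALIVE)]:
        print(name, classify(dgram))
```

Because the NAT device rewrites only the outer IP and UDP headers, the ESP packet inside reaches the peer unchanged.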

Most major networking vendors support NAT-T for IKEv1 in their devices. In Microsoft Windows XP with Service Pack 2, the feature can be enabled but is disabled by default when the VPN server itself is behind a network address translator, because of security issues. Enabling it requires a simple registry key change.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.