---
title: NAT-T support for IKE on UDP port 500
description: IPsec tunnels can now use the standard NAT traversal flow, starting IKE on UDP port 500 and switching to port 4500 after NAT detection.
image: https://developers.cloudflare.com/changelog-preview.png
---


## NAT-T support for IKE on UDP port 500

May 11, 2026 

[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Magic Transit ](https://developers.cloudflare.com/magic-transit/) 

Cloudflare IPsec now supports the standard NAT traversal (NAT-T) flow, where IKE begins on UDP port `500` and switches to UDP port `4500` after NAT is detected.

Previously, devices behind NAT had to be configured to initiate IKE on UDP port `4500` directly. Devices that started on UDP port `500` could not complete the IKE handshake when NAT was in the path. This required custom configuration on devices such as VeloCloud SD-WAN edges, Cisco IOS-XE routers, and Juniper SRX firewalls, and was not possible on every platform.

What changed:

* Devices behind NAT can now initiate IKE on either UDP port `500` or UDP port `4500`.
* Devices that start IKE on UDP port `500` and switch to UDP port `4500` after NAT detection now complete the handshake successfully.
* No configuration change is required on Cloudflare. The change is available for all IPsec tunnels on Cloudflare WAN and Magic Transit.

This change does not affect existing tunnels:

* Tunnels using UDP port `500` with no NAT detected continue to operate as before.
* Tunnels configured to start IKE on UDP port `4500` continue to operate as before.
* NAT detection logic is unchanged.

For configuration details, refer to [GRE and IPsec tunnels](https://developers.cloudflare.com/cloudflare-wan/reference/gre-ipsec-tunnels/).
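
The port switch described above, sketched from the NAT detection rules in RFC 7296 section 2.23. This is an added example, not Cloudflare's code: the function names and the documentation-range addresses are constructed for illustration, and the hash comparison is shown from the receiving side only (the initiator runs the same comparison on the response).

```python
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = bytes(4)  # four zero octets that precede IKE messages on UDP 4500

def nat_detection_hash(spi_i, spi_r, ip, port):
    """Data of a NAT_DETECTION_*_IP notify: SHA-1(SPIi | SPIr | IP | port)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(spi_i + spi_r + packed).digest()

def build_sa_init(spi_i, src, dst):
    """Sender side: hash the addresses as the sender sees them (SPIr is zero here)."""
    spi_r = bytes(8)
    return {"spi_i": spi_i, "spi_r": spi_r,
            "nat_src": nat_detection_hash(spi_i, spi_r, *src),
            "nat_dst": nat_detection_hash(spi_i, spi_r, *dst)}

def nat_in_path(msg, seen_src, seen_dst):
    """Receiver side: recompute both hashes from the IP/UDP header actually received."""
    src_ok = msg["nat_src"] == nat_detection_hash(msg["spi_i"], msg["spi_r"], *seen_src)
    dst_ok = msg["nat_dst"] == nat_detection_hash(msg["spi_i"], msg["spi_r"], *seen_dst)
    return not (src_ok and dst_ok)

def ike_auth_transport(start_port, nat):
    """Destination port and prefix for IKE_AUTH, covering the cases in this changelog."""
    if start_port == 4500 or nat:
        return 4500, NON_ESP_MARKER
    return 500, b""

def simulate(inside_src, wire_src, responder, start_port=500):
    """Pass one IKE_SA_INIT through an optional NAT; return (nat_found, transport)."""
    dst = (responder, start_port)
    msg = build_sa_init(bytes.fromhex("0102030405060708"), inside_src, dst)
    nat = nat_in_path(msg, wire_src, dst)
    return nat, ike_auth_transport(start_port, nat)

if __name__ == "__main__":
    # Constructed sample endpoints (RFC 5737 documentation ranges).
    # Start on 500, NAT rewrites the source: IKE_AUTH moves to 4500.
    print(simulate(("192.0.2.10", 500), ("198.51.100.7", 31500), "203.0.113.1"))
    # Start on 500, no NAT: stays on 500.
    print(simulate(("192.0.2.10", 500), ("192.0.2.10", 500), "203.0.113.1"))
    # Start directly on 4500 behind NAT: stays on 4500.
    print(simulate(("192.0.2.10", 4500), ("198.51.100.7", 40001), "203.0.113.1", 4500))
```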