If IPSec over NAT-T is enabled on the VPN Concentrator, then the VPN Concentrator/VPN Client uses NAT-T mode of UDP encapsulation. NAT-T works by auto-detecting any NAT device between the VPN Client and VPN Concentrator during IKE negotiation. You must ensure that UDP port 4500 is not blocked between the VPN Concentrator/VPN Client for NAT-T to work. Also, if you are using a previous IPSec/UDP configuration that is already using that port, you must reconfigure that earlier IPSec/UDP configuration to use a different UDP port. Since NAT-T is an IETF draft, it helps when using multivendor devices if the other vendor implements this standard.
NAT-T works with both VPN Client connections and LAN-to-LAN connections unlike IPSec over UDP/TCP. Also, Cisco IOS® routers and the PIX firewall devices support NAT-T.