Known Issues with IPSEC and NAT
Incompatibility between IPSEC AH and NAT
- Affects both transport mode and tunnel mode
- AH integrity check covers the IP source/destination addresses, which NAT rewrites
- Can use ESP with null encryption (ESP-NULL) instead
Incompatibility between checksums and NAT
- IPSEC issue: affects transport mode
- TCP/UDP checksum depends on the pseudo-header, which includes the IP source/destination addresses
- UDP checksum is optional, so it can be omitted
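Added example (not part of the original slides): the UDP checksum computed over the IPv4 pseudo-header, checked before and after a NAT rewrites the source address. Addresses, ports and payload are constructed; the point is that once the transport header sits inside ESP, the NAT cannot recompute the checksum the way it does for plaintext traffic.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol, UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))

def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """UDP header + payload with the checksum computed for the given addresses."""
    length = 8 + len(payload)
    segment = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = 0xFFFF & ~ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment)
    csum = csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones
    return segment[:6] + struct.pack("!H", csum) + payload

def verify_udp(src_ip, dst_ip, segment: bytes) -> bool:
    """True if the checksum matches the addresses the receiver sees."""
    if segment[6:8] == b"\x00\x00":
        return True  # IPv4 UDP: zero means the sender skipped the checksum
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total == 0xFFFF

def nat_scenario():
    """Constructed scenario: private host behind a NAT sends to a public server."""
    inner_src, nat_src, dst = "10.0.0.5", "198.51.100.1", "203.0.113.10"
    seg = build_udp(inner_src, dst, 40000, 53, b"constructed payload")
    before = verify_udp(inner_src, dst, seg)  # valid as the host sent it
    # The NAT rewrites the source address. With ESP in transport mode the UDP
    # header is encrypted, so the NAT cannot fix the checksum and the receiver
    # sees a mismatch after decryption.
    after = verify_udp(nat_src, dst, seg)
    return before, after
```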
Incompatibility between IKE address identifiers and NAT
- IKE issue: affects Quick Mode (QM) and Main Mode (MM), tunnel and transport mode
- Can learn the external address (requires NAT discovery)
- User IDs or FQDNs can be used as identifiers instead of addresses
Incompatibilities between embedded IP addresses and NAT
- Affects transport mode
- Cannot work with protocols that embed IP addresses in their payload
- Examples: FTP, IRC, SNMP, LDAP, H.323, ...