IPsec NAT Transversal
NAT/PAT incompatibilities with IPsec.
AH header incorporates the IP source and destination addresses in the keyed message integrity check. ESP is not an issue.
TCP and UDP checksums can be updated because are protected by IPsec.
IP addresses may be used as identifiers in Internet Key Exchange to determine credentials.
During the ISAKMP IPsec first phase hosts (when configured and supported) detect that NAT transversal must be activated.
Subsequent ISAKMP first-phase and second-phase packets are encapsulated in UDP packets.
Usually, port UDP 4500.
Original IP addresses are sent as NAT-OA (NAT Original Address) payloads of the ISAKMP.
Last updated