
An Internet draft prepared initially by Cisco, to allow IPSec to work over NAT.

In AH mode, the IPSec headers are signed, so any change to them (such as a NAT rewrite) will invalidate the integrity check. NAT Traversal lets you tunnel all the ESP and AH data in packets over UDP port 4500, whose outer headers can be rewritten all you like.
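As an added illustration (not code from the draft or from any of the *Swan projects), the following demultiplexes the payload of a UDP/4500 datagram the way RFC 3948 describes, wraps a constructed ESP packet in the NAT-T UDP header, and shows that a simulated NAT port rewrite leaves the encapsulated ESP bytes untouched. The sample SPI, sequence number and body are constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE on port 4500 is prefixed with four zero bytes
NAT_KEEPALIVE = b"\xff"                # a one-byte NAT keepalive datagram


@dataclass
class NatTPayload:
    kind: str                   # "esp", "ike" or "nat-keepalive"
    spi: Optional[int] = None
    seq: Optional[int] = None
    body: bytes = b""


def classify_udp4500(payload: bytes) -> NatTPayload:
    """Decide what a UDP/4500 payload carries. ESP SPI 0 is reserved, so a leading
    non-zero 32-bit word is an ESP packet, four zero bytes is the Non-ESP Marker in
    front of an IKE header, and a single 0xFF byte is a NAT keepalive."""
    if payload == NAT_KEEPALIVE:
        return NatTPayload("nat-keepalive")
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return NatTPayload("ike", body=payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return NatTPayload("esp", spi=spi, seq=seq, body=payload[8:])
    raise ValueError("too short to be a NAT-T payload")


def udp_encapsulate(esp_packet: bytes, src_port: int = NAT_T_PORT) -> bytes:
    """Prepend the 8-byte UDP header (src, dst 4500, length, checksum sent as zero)."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("ESP packet must start with a non-zero SPI")
    return struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(esp_packet), 0) + esp_packet


def nat_rewrite_src_port(datagram: bytes, new_port: int) -> bytes:
    """Simulate a NAT rewriting the outer UDP source port; only the first two bytes change."""
    return struct.pack("!H", new_port) + datagram[2:]


# Constructed sample ESP packet: SPI 0x1000ABCD, sequence 7, opaque encrypted body.
SAMPLE_ESP = struct.pack("!II", 0x1000ABCD, 7) + bytes.fromhex("deadbeefcafef00d") * 2


def demo() -> tuple:
    """Return (classification before NAT, after NAT, whether the ESP bytes survived intact)."""
    before = udp_encapsulate(SAMPLE_ESP)
    after = nat_rewrite_src_port(before, 61234)
    return classify_udp4500(before[8:]), classify_udp4500(after[8:]), after[8:] == SAMPLE_ESP
```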

There is a NAT Traversal patch for FreeS/WAN, which has been fully integrated into Openswan and strongSwan.

See also:

  • RFC:3947 Negotiation of NAT-Traversal in the IKE
  • RFC:3948 UDP Encapsulation of IPsec ESP Packets