
An Internet draft prepared initially by Cisco, to allow IPSec to work over NAT.

In AH mode, IPSec headers are signed; any change to them (a NAT rewrite, for example) will invalidate the header. NAT Traversal lets you tunnel all the ESP and AH data inside UDP packets on port 4500, whose headers can be rewritten all you like.
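How a receiver or a packet filter can tell apart the traffic that shares UDP port 4500, as an added example that is not part of the original page. The payload layouts (a one-octet 0xFF keepalive, four zero octets in front of an IKE message, otherwise an ESP header with a non-zero SPI) are taken from RFC 3948, the published form of the UDP Encapsulation draft; the function name and the sample packets are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"      # four zero octets precede IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                   # one-octet keepalive payload
IKE_HEADER = struct.Struct("!8s8sBBBBII")  # SPIs, next payload, version, exchange, flags, msg id, length
ESP_HEADER = struct.Struct("!II")         # SPI, sequence number


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a datagram sent to or from port 4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "shorter than SPI or marker"}
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        i_spi, _r_spi, _next, ver, exch, _flags, msg_id, length = \
            IKE_HEADER.unpack_from(body)
        if length != len(body):
            return {"kind": "malformed", "reason": "IKE length mismatch"}
        return {"kind": "ike", "version": ver >> 4, "exchange": exch,
                "initiator_spi": i_spi.hex(), "message_id": msg_id}
    # First four octets are non-zero here, so they are an ESP SPI.
    if len(payload) < ESP_HEADER.size:
        return {"kind": "malformed", "reason": "truncated ESP header"}
    spi, seq = ESP_HEADER.unpack_from(payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed samples: an IKEv2 header with no payloads, and an ESP packet
# whose 32 octets after the header stand in for the encrypted data.
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(
    bytes.fromhex("1122334455667788"), bytes(8), 33, 0x20, 34, 0x08, 0,
    IKE_HEADER.size)
SAMPLE_ESP = ESP_HEADER.pack(0xC0FFEE01, 7) + bytes(32)

if __name__ == "__main__":
    for sample in (NAT_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, b"\x00\x00"):
        print(classify_natt_payload(sample))
```

The NAT rewrites only the outer IP and UDP headers, so none of the octets this function inspects change in transit.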

There is a NAT Traversal patch for FreeS/WAN which has been fully integrated into OpenSwan and StrongSwan.

The IETF drafts: IPSEC NAT Traversal: Internet Key Exchange and UDP Encapsulation.