> On Dec 30, 2024, at 12:59 AM, Tero Kivinen <[email protected]> wrote:
>
> And yes there is still AH that is explicitly authenticating the IP
> headers which is not compatible with the NATs, as AH is trying to
> detect when someone modifies the IP header, and there it is a feature
> not a bug. But if you do not want to verify the IP header then you can
> use ESP instead and that does provide NAT traversal.

ESP interferes with NAT as NAPT (and port number), as the port numbers can’t be translated. There are variants of NAT that don’t rely on port numbers, but I don’t know whether they’re supported by IKE (e.g., NAT64).

Joe

_______________________________________________
rfc-interest mailing list -- [email protected]
To unsubscribe send an email to [email protected]
