> On Dec 30, 2024, at 12:59 AM, Tero Kivinen <kivi...@iki.fi> wrote:
> 
> And yes there is still AH that is explicitly authenticating the IP
> headers which is not compatible with the NATs, as AH is trying to
> detect when someone modifies the IP header, and there it is a feature
> not a bug. But if you do not want to verify the IP header then you can
> use ESP instead and that does provide NAT traversal.


ESP interferes with NAT as NAPT (and port number), as the port numbers can’t be 
translated.

There are variants of NAT that don’t rely on port numbers, but I don’t know whether 
they’re supported by IKE (e.g., NAT64).

Joe

_______________________________________________
rfc-interest mailing list -- rfc-interest@rfc-editor.org
To unsubscribe send an email to rfc-interest-le...@rfc-editor.org
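
An added illustration of the AH/ESP distinction discussed in this thread (not code from either poster): a simplified integrity check in which the AH-style ICV covers the IPv4 header with its mutable fields zeroed, while the ESP-style ICV covers only the SPI, sequence number and ciphertext. The key, addresses, SPI and payload are constructed sample values, and as a simplification the AH header itself (which the real ICV input also includes) is left out.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

def ipv4_header(src, dst, proto, ttl, payload_len):
    """Build a 20-byte IPv4 header (checksum left at 0 for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ah_icv(ip_hdr, payload):
    """AH-style ICV: IP header with mutable fields zeroed, then payload."""
    h = bytearray(ip_hdr)
    h[1] = 0            # DSCP/ECN (mutable in transit)
    h[6:8] = b"\0\0"    # flags + fragment offset (mutable)
    h[8] = 0            # TTL (mutable)
    h[10:12] = b"\0\0"  # header checksum (mutable)
    # Source and destination addresses stay in: they are immutable for AH.
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()

def esp_icv(spi, seq, ciphertext):
    """ESP-style ICV: no outer IP header bytes are part of the input."""
    data = struct.pack("!II", spi, seq) + ciphertext
    return hmac.new(KEY, data, hashlib.sha256).digest()

def nat_rewrite_source(ip_hdr, new_src):
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def router_hop(ip_hdr):
    h = bytearray(ip_hdr)
    h[8] -= 1  # ordinary forwarding decrements TTL
    return bytes(h)

def demo():
    payload = b"constructed payload"
    hdr = ipv4_header("10.0.0.5", "198.51.100.7", 51, 64, len(payload))
    sent_ah, sent_esp = ah_icv(hdr, payload), esp_icv(0x1000, 1, payload)
    natted = nat_rewrite_source(hdr, "203.0.113.9")
    return {
        "ah_after_hop": hmac.compare_digest(sent_ah, ah_icv(router_hop(hdr), payload)),
        "ah_after_nat": hmac.compare_digest(sent_ah, ah_icv(natted, payload)),
        "esp_after_nat": hmac.compare_digest(sent_esp, esp_icv(0x1000, 1, payload)),
    }
```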
