The limitation is with AH. The hash check of the
header will fail if it's been modified by a NAT
device from its original address.
If you're doing IPSec from router to router, then
AH probably won't even be needed. If you're
in tunnel mode, esp-3des and esp-sha will encrypt
and perform a hash of the original packet
respectively. You've got a hash of the entire
encapsulated packet, so a hash of the tunnel's
IP header isn't really needed and is basically
wasted CPU.
Steve
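To make the difference concrete, here is an added example (not part of Steve's post, and not vendor code) that builds the two integrity checks the way RFC 4302 (AH) and RFC 4303 (ESP) define their inputs, then passes the outer IPv4 header through a plain forwarding hop and through a NAT source-address rewrite. It assumes HMAC-SHA1-96 as the integrity algorithm (what an "esp-sha"-style transform uses), uses a constructed key, constructed addresses and a constructed inner packet, and substitutes an XOR stand-in for the 3DES ciphertext because only the integrity coverage matters here. It only models the address rewrite; it does not model NAT-T/UDP encapsulation.

```python
import hashlib
import hmac
import struct

# Constructed for this example; a real SA key is negotiated by IKE.
KEY = b"constructed-demo-key-not-a-real-sa"
INNER = b"constructed inner IP packet"  # stands in for the encapsulated original packet
AH_PROTO = 51
ESP_PROTO = 50


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum of a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                                0x1234, 0x4000, ttl, proto, 0, src_b, dst_b))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def forward_hop(ip_hdr: bytes) -> bytes:
    """What an ordinary router does on the path: decrement TTL, fix the checksum."""
    hdr = bytearray(ip_hdr)
    hdr[8] -= 1
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT device does: rewrite the source address, fix the checksum."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = bytes(int(o) for o in new_src.split("."))
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_icv(key: bytes, ip_hdr: bytes, ah_and_payload: bytes) -> bytes:
    """AH ICV per RFC 4302: HMAC-SHA1-96 over the IP header with only the mutable
    fields zeroed (TOS, flags/fragment offset, TTL, checksum), then the AH header
    (ICV field zeroed) and everything after it. The addresses ARE covered."""
    masked = bytearray(ip_hdr)
    masked[1] = 0                # TOS / DSCP+ECN
    masked[6:8] = b"\x00\x00"    # flags + fragment offset
    masked[8] = 0                # TTL
    masked[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(key, bytes(masked) + ah_and_payload, hashlib.sha1).digest()[:12]


def esp_icv(key: bytes, esp_hdr_and_body: bytes) -> bytes:
    """ESP ICV per RFC 4303: HMAC-SHA1-96 over SPI, sequence number, the encrypted
    payload and the ESP trailer. The outer IP header is not an input at all."""
    return hmac.new(key, esp_hdr_and_body, hashlib.sha1).digest()[:12]


def ah_icv_holds(src: str, dst: str, inner: bytes, path) -> bool:
    """Send an AH tunnel-mode packet through `path` (a header-rewriting function)
    and verify the ICV as the receiving peer would."""
    # next header 4 (IP-in-IP), length 4 (24-byte AH in 32-bit words minus 2), SPI, seq, zeroed ICV
    ah_hdr = struct.pack("!BBHII", 4, 4, 0, 0x100, 1) + b"\x00" * 12
    outer = build_ipv4(src, dst, AH_PROTO, len(ah_hdr) + len(inner))
    sent_icv = ah_icv(KEY, outer, ah_hdr + inner)
    received_outer = path(outer)
    return hmac.compare_digest(sent_icv, ah_icv(KEY, received_outer, ah_hdr + inner))


def esp_icv_holds(src: str, dst: str, inner: bytes, path, tamper: bool = False) -> bool:
    """Same exercise for ESP tunnel mode; `tamper` flips a bit of the encapsulated
    packet to show the inner packet is still protected."""
    esp_hdr = struct.pack("!II", 0x200, 1)  # SPI, sequence number
    # XOR is only a stand-in for the 3DES ciphertext; the trailer is pad-length 0, next header 4
    body = bytes(b ^ 0x5A for b in inner) + b"\x00\x04"
    sent_icv = esp_icv(KEY, esp_hdr + body)
    outer = build_ipv4(src, dst, ESP_PROTO, len(esp_hdr) + len(body) + len(sent_icv))
    path(outer)  # NAT/router rewrites the outer header; the ESP ICV never reads it
    received_body = body if not tamper else body[:-3] + bytes([body[-3] ^ 1]) + body[-2:]
    return hmac.compare_digest(sent_icv, esp_icv(KEY, esp_hdr + received_body))


if __name__ == "__main__":
    nat = lambda h: nat_rewrite_src(h, "198.51.100.7")
    print("AH through a plain router hop:", ah_icv_holds("10.0.0.1", "203.0.113.9", INNER, forward_hop))
    print("AH through NAT:               ", ah_icv_holds("10.0.0.1", "203.0.113.9", INNER, nat))
    print("ESP through NAT:              ", esp_icv_holds("10.0.0.1", "203.0.113.9", INNER, nat))
    print("ESP through NAT, inner tampered:", esp_icv_holds("10.0.0.1", "203.0.113.9", INNER, nat, tamper=True))
```

The AH check survives TTL decrements because TTL and the checksum are zeroed before hashing, but a NAT source rewrite changes a covered field and the receiver's recomputed ICV no longer matches. The ESP check ignores the outer header entirely, so the same NAT rewrite is invisible to it, while a flipped bit in the encapsulated packet is still caught.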