
Restrictions with NAT and IPsec

What are the restriction(s) to use NAT and IPsec?


Re: Restrictions with NAT and IPsec

The limitation is with AH. The hash check of the header will fail if it's been modified by a NAT device from its original address.

If you're doing IPSec from router to router, then AH probably won't even be needed. If you're in tunnel mode, esp-3des and esp-sha will encrypt and perform a hash of the original packet respectively. You've got a hash of the entire encapsulated packet, so a hash of the tunnel's IP header isn't really needed and is basically wasted CPU.

Steve

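A simplified model of the integrity-check coverage described in the reply above, added here as an example and not part of the original thread: it computes an HMAC-SHA1-96 ICV the way AH (RFC 4302) and ESP (RFC 4303) select their input, then checks it after a NAT source rewrite and after a TTL decrement. The addresses, SPI, key and payload bytes are constructed, and encryption is omitted, so the payload stands in for ESP ciphertext.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key

def ipv4_header(src, dst, proto, total_len, ttl=64):
    # Minimal 20-byte IPv4 header; checksum left at 0 in this model
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    # AH zeroes the fields routers may change: TOS, flags/offset, TTL, checksum
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = bytes(2)
    h[8] = 0
    h[10:12] = bytes(2)
    return bytes(h)

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96

def compute_icv(mode, ip_hdr, payload):
    spi_seq = struct.pack("!II", 0x1000, 1)  # constructed SPI and sequence number
    if mode == "ah":
        # AH input: outer IP header (addresses included), AH header with ICV zeroed, payload
        ah_fixed = struct.pack("!BBH", 4, 4, 0) + spi_seq  # next hdr 4 = IP-in-IP
        return icv(zero_mutable(ip_hdr) + ah_fixed + bytes(12) + payload)
    # ESP input: SPI, sequence number and ciphertext only; outer IP header is excluded
    return icv(spi_seq + payload)

def nat_rewrite_src(ip_hdr):
    # What a NAT device does to the outer header: replace the source address
    return ip_hdr[:12] + socket.inet_aton("203.0.113.9") + ip_hdr[16:]

def decrement_ttl(ip_hdr):
    # What every router does: a mutable field, so AH ignores it
    return ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:]

def icv_ok_after(mode, rewrite):
    """True if the receiver's ICV check passes after `rewrite` alters the outer header."""
    payload = b"constructed bytes standing in for the tunnelled packet"
    proto, overhead = {"ah": (51, 24), "esp": (50, 20)}[mode]
    ip = ipv4_header("10.0.0.1", "198.51.100.7", proto, 20 + overhead + len(payload))
    sent = compute_icv(mode, ip, payload)               # sender side
    received = compute_icv(mode, rewrite(ip), payload)  # receiver, over what arrived
    return hmac.compare_digest(sent, received)

if __name__ == "__main__":
    for mode, fn in (("ah", nat_rewrite_src), ("ah", decrement_ttl), ("esp", nat_rewrite_src)):
        print(mode, fn.__name__, icv_ok_after(mode, fn))
```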