Hello,
ASA-NATBox-ASA ( ESP IPSEC Tunnel Mode )
If i need to configure an IPSEC Tunnel in the above scenario, with the NATBox doing a one-one translation, IKE will construct IKE Pakcet with UDP 4500 but will UDP Encapsulation be used when actual ESP Packet is constructed for transferring data in case of NAT ( one-one translation )??? as in a one-one NAT scenario only IP addresses are modified and IP checksum is recalculated & TCP/UDP checksums are not recalculated and are encrypted & authenticated by ESP.
ASA-PATBox-ASA ( ESP IPSEC Tunnel Mode )
In this scenario IKE will construct IKE Pakcet with UDP 4500 but will UDP Encapsulation be used when the actual ESP packet is constructed when transferring data in case of PAT ??? as BOTH IP Checksum and TCP/UDP checksums have to be recalculated.
I have gone through the RFC's for NAT , NAT-T and a book on VPN desgin Fundamentals from Cisco Press, but not able to figure out when exactly will NAT-T be used IKE will construct a packet with port UDP 4500 when it detects NAT between the peers with a NAT & PAT box between 2 IPSEC Peers running IPSEC in Tunnel Mode with ESP.
Thanks,
Vikram A