How does IPsec work with network address translation (NAT)?
NAT is incompatible with the Authentication Header (AH) protocol in both transport and tunnel mode. An IPsec VPN using AH computes a keyed hash, the integrity check value (ICV), over the outbound packet, covering both the data payload and the IP header, and appends it to the packet; with AH the payload itself is not encrypted. The header coverage is what breaks NAT: a NAT device between the IPsec endpoints rewrites the source or destination address with one of its own choosing, and the receiving VPN device recomputes the hash over the packet as it actually arrived, finds that it does not match the ICV the sender appended, and rejects the packet. AH deliberately excludes header fields that legitimately change in transit, such as the TTL and the header checksum, but the addresses are not among them. The receiving end does not know there is a NAT in the middle, so it treats the packet as having been tampered with in transit, which is exactly the behaviour AH is designed to have. IPsec using Encapsulating Security Payload (ESP) in tunnel mode encapsulates the entire original packet (including its headers) in a new IP packet. The new IP packet's source
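The following is an added example, not code from the original page: a toy that builds a minimal IPv4+AH packet and a minimal IPv4+ESP tunnel-mode packet, simulates a NAT rewriting the outer source address, and shows that the AH integrity check fails while the ESP check still passes. The AH ICV is computed over the packet with the mutable IPv4 fields zeroed as RFC 4302 describes; the ESP ICV covers only what follows the outer IP header. The key, addresses, SPIs and payload are all constructed for the demo, the integrity algorithm is HMAC-SHA-256 truncated to 128 bits, and ESP uses NULL encryption so the inner bytes stay readable.

```python
"""AH vs ESP integrity check under NAT (constructed example, not the page's code)."""
import hmac
import hashlib
import ipaddress
import struct

KEY = bytes(range(32))          # constructed demo key; a real SA gets its key from IKE
ICV_LEN = 16                    # HMAC-SHA-256-128
IP_HDR_LEN = 20
AH_HDR_LEN = 12 + ICV_LEN       # fixed AH fields + ICV
PROTO_ESP, PROTO_AH = 50, 51


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum, computed with the checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options (offset 8 = TTL, 10 = checksum, 12 = src, 16 = dst)."""
    fields = [0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def _icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def _ah_covered(pkt: bytes) -> bytes:
    """Bytes the AH ICV covers: the whole packet with the mutable IPv4 fields
    (TOS, flags/fragment offset, TTL, header checksum) and the ICV field zeroed.
    The source and destination addresses are NOT zeroed, which is why NAT breaks AH."""
    b = bytearray(pkt)
    b[1] = 0                        # DSCP/ECN
    b[6:8] = b"\x00\x00"            # flags + fragment offset
    b[8] = 0                        # TTL
    b[10:12] = b"\x00\x00"          # header checksum
    icv_off = IP_HDR_LEN + 12
    b[icv_off:icv_off + ICV_LEN] = bytes(ICV_LEN)
    return bytes(b)


def build_ah_packet(src: str, dst: str, payload: bytes, next_header=17, spi=0x1000, seq=1) -> bytes:
    """IPv4 | AH(next, len, reserved, SPI, seq, ICV) | payload, payload left in the clear."""
    total_len = IP_HDR_LEN + AH_HDR_LEN + len(payload)
    ah = struct.pack("!BBHII", next_header, AH_HDR_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ipv4_header(src, dst, PROTO_AH, total_len) + ah + payload
    icv = _icv(_ah_covered(pkt))
    return pkt[:IP_HDR_LEN + 12] + icv + pkt[IP_HDR_LEN + 12 + ICV_LEN:]


def verify_ah(pkt: bytes) -> bool:
    """Receiver-side check: recompute the ICV over the packet as it arrived."""
    got = pkt[IP_HDR_LEN + 12:IP_HDR_LEN + 12 + ICV_LEN]
    return hmac.compare_digest(got, _icv(_ah_covered(pkt)))


def build_esp_tunnel_packet(outer_src: str, outer_dst: str, inner_pkt: bytes, spi=0x2000, seq=1) -> bytes:
    """IPv4 | ESP(SPI, seq) | inner IP packet | pad | pad_len | next=4 (IPv4) | ICV.
    The ICV covers everything after the outer IP header except the ICV itself."""
    pad_len = (4 - (len(inner_pkt) + 2) % 4) % 4
    body = (struct.pack("!II", spi, seq) + inner_pkt
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4]))
    total_len = IP_HDR_LEN + len(body) + ICV_LEN
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, total_len) + body + _icv(body)


def verify_esp(pkt: bytes) -> bool:
    """Receiver-side check: the outer IP header is outside the covered bytes."""
    body, got = pkt[IP_HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(got, _icv(body))


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a NAT box does on the way out: swap the source address, decrement the TTL
    and fix the IP header checksum. It has no key, so it cannot touch the ICV."""
    b = bytearray(pkt)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:IP_HDR_LEN])))
    return bytes(b)


# Constructed sample traffic: a private host behind a NAT talks to a public VPN peer.
INNER = ipv4_header("10.0.0.5", "192.0.2.10", 17, IP_HDR_LEN + 5) + b"hello"
AH_PKT = build_ah_packet("10.0.0.5", "192.0.2.10", b"hello")
ESP_PKT = build_esp_tunnel_packet("10.0.0.5", "192.0.2.10", INNER)


def demo() -> dict:
    """Verification outcomes before and after the NAT rewrites the outer source address."""
    natted_ah = nat_rewrite_src(AH_PKT, "203.0.113.7")
    natted_esp = nat_rewrite_src(ESP_PKT, "203.0.113.7")
    return {
        "ah_before_nat": verify_ah(AH_PKT),
        "ah_after_nat": verify_ah(natted_ah),
        "esp_before_nat": verify_esp(ESP_PKT),
        "esp_after_nat": verify_esp(natted_esp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'ICV MISMATCH'}")
```

Running the block prints an ICV mismatch only for the AH packet after NAT; the ESP tunnel-mode packet still verifies because its outer addresses were never part of the covered bytes. One practical caveat the toy leaves out: a NAT that also maps ports has nothing to map on a bare ESP packet, which is why real deployments carry ESP inside UDP port 4500 (NAT traversal, RFC 3948) rather than sending raw protocol 50 through the NAT.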