Kuhtz, Christian wrote:
And there are workarounds for all those.
NAT-T for ipsec is really intended for endnodes only - which is fine if
you are doing the NAT yourself (typical medium/large company scenario -
internal users shouldn't be using IPSEC, that is done at the
gateway/firewall) but sucks if your cable or xDSL ISP decides NAT is the
way to go. (usually followed by a "well, you shouldn't need two or more
nodes there/want to run a server/care about SIP, a business should pay for
a DEDICATED link" for a little three-man sales office in the backend of

But regardless, all the workarounds are doing is trying to patch the fact
that UDP dependent connections are not NAT friendly by special-casing (or
app-layer proxying) particular instances of UDP in a way that doesn't drop
dead TOO often....