[arin-announce] IPv4 Address Space (fwd)

Kuhtz, Christian wrote:

And there are workarounds for all those.

NAT-T for IPsec is really intended for end nodes only - which is fine if
you are doing the NAT yourself (typical medium/large company scenario -
internal users shouldn't be using IPsec, that is done at the
gateway/firewall) but sucks if your cable or xDSL ISP decides NAT is the
way to go. (usually followed by a "well, you shouldn't need two or more
nodes there/want to run a server/care about SIP, a business should pay for
a DEDICATED link" for a little three-man sales office in the backend of
nowhere)
But regardless, all the workarounds are doing is trying to patch the fact
that UDP dependent connections are not NAT friendly by special-casing (or
app-layer proxying) particular instances of UDP in a way that doesn't drop
dead TOO often....

> but sucks if your cable or xDSL ISP decides NAT is the
> way to go. (usually followed by a "well, you shouldn't need two or more
> nodes there/want to run a server/care about SIP, a business should pay for
> a DEDICATED link" for a little three-man sales office in the backend of
> nowhere)

Or the road warrior case. If you send 3 engineers to Detroit and they end up
at the wrong hotel.....

> But regardless, all the workarounds are doing is trying to patch the fact
> that UDP dependent connections are not NAT friendly by special-casing (or
> app-layer proxying) particular instances of UDP in a way that doesn't drop
> dead TOO often....

People are continually managing to make bears dance, and are surprised when
said bears decide it's time to voice their opinions on the matter....