Possible to pass IPSec through a NAT device

We have a Cisco 1841 router with an external IP of 142.176.xxx.xxx.
Internally all our guests are given an IP via the 1841's built-in DHCP server in the 192.168.100.0 range.
A client wants to use a VPN with IPSec with an authentication header. Is it not possible because the 1841 is set up as a NAT device?
My understanding is the NAT device (1841) changes the header info and because of this change the receiving VPN server discards the packet because it's been altered. Is this correct? Is there any way around it?
huntleyj Asked:

Nothing_Changed Commented:
There is no way around your issue; using AH is impossible with NAT. The solution would be to use ESP with IPsec instead.
0
Kelvin_King Commented:
NAT does not support VPN with IPsec.

I encountered this once; the only solution I had was to tell the guest to use a dial-up connection.

Not ideal, but it was a workaround.
Hope that helps!
0
Nothing_Changed Commented:
Using IPsec with ESP will work with NAT, even multiple NATs, since the payload is what the security checksum is run against, not the headers. The checksum is the same regardless of the IP addresses involved when using ESP; that is notably different from AH, and the primary reason that AH can't work with NAT.
0
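
The difference described in the comment above, as an added example that is not part of the original thread: a simplified model of which bytes the AH and ESP integrity values cover, and what a source-address rewrite by a NAT device does to each. The key, SPI, payload and the 203.0.113.5 / 198.51.100.7 addresses are constructed, HMAC-SHA-256 truncated to 128 bits is assumed as the integrity algorithm, and ESP payload encryption is left out because only the integrity check is at issue.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed integrity key for the example
ICV_LEN = 16                    # HMAC-SHA-256 truncated to 128 bits (assumed)

def ip_header(src, dst, proto, body_len, ttl=64):
    # 20-byte IPv4 header without options; checksum left 0 (AH ignores it)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_input(packet):
    # AH covers the IP header with its mutable fields zeroed (TOS,
    # flags/offset, TTL, checksum), the AH header with a zero ICV, and the
    # payload. The source and destination addresses stay in the input.
    b = bytearray(packet)
    b[1] = 0
    b[6:8] = b"\0\0"
    b[8] = 0
    b[10:12] = b"\0\0"
    b[32:32 + ICV_LEN] = bytes(ICV_LEN)
    return bytes(b)

def build_ah(src, dst, payload):
    ah = struct.pack("!BBHII", 6, 5, 0, 0x1000, 1) + bytes(ICV_LEN)
    pkt = bytearray(ip_header(src, dst, 51, len(ah) + len(payload)) + ah + payload)
    pkt[32:32 + ICV_LEN] = icv(ah_input(pkt))
    return bytes(pkt)

def verify_ah(packet):
    return hmac.compare_digest(packet[32:32 + ICV_LEN], icv(ah_input(packet)))

def build_esp(src, dst, payload):
    # ESP covers only its own header (SPI, sequence) and the data behind it.
    esp = struct.pack("!II", 0x1000, 1) + payload
    return ip_header(src, dst, 50, len(esp) + ICV_LEN) + esp + icv(esp)

def verify_esp(packet):
    return hmac.compare_digest(packet[-ICV_LEN:], icv(packet[20:-ICV_LEN]))

def nat(packet, public_src):
    # Source NAT as on the router: rewrite the source address, decrement TTL.
    b = bytearray(packet)
    b[12:16] = socket.inet_aton(public_src)
    b[8] -= 1
    return bytes(b)

if __name__ == "__main__":
    for name, build, verify in (("AH", build_ah, verify_ah), ("ESP", build_esp, verify_esp)):
        pkt = build("192.168.100.10", "203.0.113.5", b"constructed payload")
        print(name, "before NAT:", verify(pkt), "after NAT:", verify(nat(pkt, "198.51.100.7")))
```

The model stops at the integrity check; ESP behind a port-translating NAT is normally carried with NAT traversal (UDP encapsulation, RFC 3948), which is not modelled here.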

huntleyj Author Commented:
That is what I thought. Just wanted confirmation.
Thanks
0

Question has a verified solution.
