Possible to pass IPSec through a NAT device

Posted on 2008-11-10
Last Modified: 2012-05-05
We have a Cisco 1841 router with an external IP of
Internally all our guests are given an IP via the 1841's built in DHCP server in the range.
A client wants to use a VPN with IPSec with an authentication header. Is it not possible because the 1841 is set up as a NAT device?
My understanding is the NAT device (1841) changes the header info and because of this change the receiving VPN server discards the packet because it's been altered. Is this correct? Is there any way around it?
Question by:huntleyj
    LVL 8

    Expert Comment

    There is no way around your issue; using AH is impossible with NAT. The solution would be to use ESP with IPsec instead.
    LVL 13

    Expert Comment

    NAT does not support VPN with IPsec.

    I encountered this once; the only solution I had was to tell the guest to use a dial-up connection.

    Not ideal, but it was a workaround.
    Hope that helps!
    LVL 8

    Accepted Solution

    Using IPsec with ESP will work with NAT, even multiple NATs, since the payload is what the security checksum is run against, not the headers. The checksum is the same regardless of the IP addresses involved when using ESP; that is notably different from AH, and the primary reason that AH can't work with NAT.
    LVL 3

    Author Closing Comment

    That is what I thought. Just wanted confirmation.
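
The difference described in the accepted solution, shown as an added example that is not part of the original thread: a simplified Python model of the AH and ESP integrity check value (ICV) computed before and after a NAT rewrites the source address. The key, addresses, SPI values and payloads are constructed, the IPv4 checksum is left at zero, and HMAC-SHA-256 truncated to 128 bits is assumed as the integrity algorithm for both protocols.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key

def icv(data):
    # HMAC-SHA-256 truncated to 128 bits, used here for both AH and ESP
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ipv4_header(src, dst, proto, body_len, ttl=64):
    # 20-byte IPv4 header; checksum left at 0 in this model
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_digest(pkt):
    # AH input: IP header with mutable fields zeroed (TOS, flags/fragment
    # offset, TTL, checksum) but addresses kept, AH header with the ICV
    # field zeroed, then the payload
    h = bytearray(pkt[:20])
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return icv(bytes(h) + pkt[20:32] + b"\0" * 16 + pkt[48:])

def build_ah(src, dst, payload):
    ah = struct.pack("!BBHII", 6, 5, 0, 0x1000, 1)  # next hdr, len, rsvd, SPI, seq
    pkt = ipv4_header(src, dst, 51, 28 + len(payload)) + ah + b"\0" * 16 + payload
    return pkt[:32] + ah_digest(pkt) + pkt[48:]

def ah_valid(pkt):
    return hmac.compare_digest(pkt[32:48], ah_digest(pkt))

def build_esp(src, dst, ciphertext):
    esp = struct.pack("!II", 0x2000, 1) + ciphertext  # SPI, seq, opaque body
    return ipv4_header(src, dst, 50, len(esp) + 16) + esp + icv(esp)

def esp_valid(pkt):
    # ESP input starts after the outer IP header: addresses are not covered
    return hmac.compare_digest(pkt[-16:], icv(pkt[20:-16]))

def nat_rewrite_source(pkt, new_src):
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]

def route_hop(pkt):
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]  # TTL decrement only

if __name__ == "__main__":
    ah = build_ah("10.0.0.5", "198.51.100.20", b"constructed payload")
    esp = build_esp("10.0.0.5", "198.51.100.20", b"constructed ciphertext")
    for name, pkt, ok in (("AH", ah, ah_valid), ("ESP", esp, esp_valid)):
        print(name, "routed:", ok(route_hop(pkt)),
              "NATed:", ok(nat_rewrite_source(pkt, "203.0.113.10")))
```

When the NAT also translates ports, ESP is normally carried with NAT traversal (UDP encapsulation on port 4500, RFC 3948), because ESP itself has no port numbers for the NAT to rewrite.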
