IPSec - NAT, AH, and ESP

When implementing IPsec, there are several choices for how traffic is protected. These include the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.

AH does not function well with Network Address Translation (NAT). The reason is that AH excludes from its integrity calculation the IP header fields it knows will change in transit, such as the TTL and the header checksum, but it does include the IP addresses and the port numbers. When NAT rewrites these fields, the Integrity Check Value (ICV) of AH fails verification at the receiver.

ESP avoids this issue with NAT. ESP provides both encryption and authentication, but its authentication calculation does not cover the IP header fields that NAT devices modify.

Links:

https://forum.networklessons.com/t/ipsec-internet-protocol-security/1281/123?u=lagapides

https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security#IPsec_Protocols