z/OS® Communications Server supports NAT traversal as defined in
RFCs 3947, 3948, and 5996, which define mechanisms that enable IPSec
to traverse one or more NAT devices. Platforms that have implemented
their NAT traversal support using pre-RFC drafts might not interoperate
with implementations that are compliant with RFCs 3947, 3948, and 5996.
- RFC 3947, Negotiation of NAT-Traversal in the IKE,
allows an IKEv1 daemon to detect when one or more NATs are being traversed.
- RFC 3948, UDP Encapsulation of IPsec ESP Packets,
defines two IPSec encapsulation modes, UDP-encapsulated tunnel mode
and UDP-encapsulated transport mode. These modes facilitate the traversal
of IPSec traffic through a NAT by encapsulating ESP packets within
a UDP packet.
- RFC 5996, Internet Key Exchange (IKEv2) Protocol,
specifies how to detect when IKEv2 peers are traversing one or more
NATs.
z/OS Communications Server
provides limited support for the following pre-RFC implementations:
- draft-ietf-ipsec-nat-t-ike-02 (pre-RFC draft of RFC 3947), and
draft-ietf-ipsec-udp-encaps-02 (pre-RFC draft of RFC 3948)
- draft-ietf-ipsec-nat-t-ike-03 (pre-RFC draft of RFC 3947), and
draft-ietf-ipsec-udp-encaps-03 (pre-RFC draft of RFC 3948)
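
With the RFC 3948 encapsulation described above, IKE messages, UDP-encapsulated ESP packets, and NAT keepalives all share UDP port 4500 and are told apart by their leading bytes. The following Python code is an added example, not IBM or z/OS code; the function name `classify` and the sample datagrams are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500                  # UDP port used for IKE and ESP behind a NAT
NON_ESP_MARKER = b"\x00" * 4       # RFC 3948: four zero bytes precede IKE on this port
# Fixed IKE header: SPIi, SPIr, next payload, version, exchange, flags, msg ID, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")

def classify(payload: bytes) -> dict:
    """Classify the UDP payload of one datagram received on port 4500."""
    if payload == b"\xff":         # single 0xFF octet keeps the NAT mapping alive
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:           # too short for an ESP SPI plus sequence number
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        _, _, _, version, exchange, _, _, length = IKE_HEADER.unpack_from(body)
        return {"kind": "ike", "major": version >> 4, "exchange": exchange,
                "length_ok": length == len(body)}
    # Anything else is ESP: the SPI is never zero, so it cannot mimic the marker.
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}

def _ike(version: int, exchange: int, extra: bytes = b"\x00" * 8) -> bytes:
    """Build a constructed IKE datagram (header plus dummy payload bytes)."""
    header = IKE_HEADER.pack(b"I" * 8, b"\x00" * 8, 0, version, exchange, 0, 0,
                             IKE_HEADER.size + len(extra))
    return NON_ESP_MARKER + header + extra

# Constructed sample datagrams, not captured traffic.
SAMPLES = [
    _ike(0x10, 2),                                   # IKEv1, Identity Protection
    _ike(0x20, 34),                                  # IKEv2, IKE_SA_INIT
    struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 24,  # UDP-encapsulated ESP
    b"\xff",                                         # NAT keepalive
    b"\x00\x00\x00",                                 # too short to be valid
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(len(sample), classify(sample))
```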