NATT support level
z/OS® Communications Server supports NAT traversal as defined in RFCs 3947, 3948, and 5996, which define mechanisms that enable IPSec to traverse one or more NAT devices. Platforms that have implemented their NAT traversal support using pre-RFC drafts might not interoperate with implementations that are compliant with RFCs 3947, 3948, and 5996.
- RFC 3947, Negotiation of NAT-Traversal in the IKE, allows an IKEv1 daemon to detect when one or more NATs are being traversed.
- RFC 3948, UDP Encapsulation of IPsec ESP Packets, defines two IPSec encapsulation modes, UDP-encapsulated tunnel mode and UDP-encapsulated transport mode. These modes facilitate the traversal of IPSec traffic through a NAT by encapsulating ESP packets within a UDP packet.
- RFC 5996, Internet Key Exchange (IKEv2) Protocol, specifies how to detect when IKEv2 peers are traversing one or more NATs.
z/OS Communications Server does provide limited support for the following pre-RFC implementations:
- draft-ietf-ipsec-nat-t-ike-02 (pre-RFC draft of RFC 3947), and draft-ietf-ipsec-udp-encaps-02 (pre-RFC draft of RFC 3948)
- draft-ietf-ipsec-nat-t-ike-03 (pre-RFC draft of RFC 3947), and draft-ietf-ipsec-udp-encaps-03 (pre-RFC draft of RFC 3948)
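When an IKEv1 tunnel fails to come up across a NAT, the first thing to check is which NAT traversal level each peer advertises. The following added example (not IBM code and not part of the original page) parses the Vendor ID payloads of a captured, unencrypted IKEv1 message and reports the RFC 3947, draft-03 or draft-02 levels it finds. The function names and the `build_sample` helper are hypothetical, and the sample message is constructed.

```python
import hashlib
import struct

VENDOR_ID = 13  # ISAKMP Vendor ID payload type (RFC 2408)
ORDER = ["RFC 3947", "draft-03", "draft-02"]  # reporting order only

# A NAT-T vendor ID is the MD5 hash of the specification's name string.
NATT_LEVELS = {
    hashlib.md5(name).digest(): level
    for name, level in [
        (b"RFC 3947", "RFC 3947"),
        (b"draft-ietf-ipsec-nat-t-ike-03", "draft-03"),
        (b"draft-ietf-ipsec-nat-t-ike-02", "draft-02"),
        (b"draft-ietf-ipsec-nat-t-ike-02\n", "draft-02"),  # variant hashed with a newline
    ]
}

def vendor_ids(message):
    """Walk the payload chain of an unencrypted IKEv1 message, return Vendor ID bodies."""
    if len(message) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    next_payload = message[16]
    (total,) = struct.unpack_from("!I", message, 24)
    if total > len(message):
        raise ValueError("header length exceeds captured bytes")
    offset, found = 28, []
    while next_payload != 0:
        if offset + 4 > total:
            raise ValueError("truncated payload header")
        following, _, length = struct.unpack_from("!BBH", message, offset)
        if length < 4 or offset + length > total:
            raise ValueError("invalid payload length")
        if next_payload == VENDOR_ID:
            found.append(message[offset + 4:offset + length])
        next_payload, offset = following, offset + length
    return found

def natt_levels(message):
    """Return the NAT-T specification levels the sender advertises."""
    seen = {NATT_LEVELS[v] for v in vendor_ids(message) if v in NATT_LEVELS}
    return [level for level in ORDER if level in seen]

def build_sample(payloads):
    """Constructed input: ISAKMP Main Mode header plus (type, body) payloads."""
    types = [t for t, _ in payloads] + [0]
    body = b"".join(struct.pack("!BBH", types[i + 1], 0, 4 + len(b)) + b
                    for i, (_, b) in enumerate(payloads))
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), types[0],
                       0x10, 2, 0, 0, 28 + len(body)) + body
```

A peer whose result contains only draft levels is one of the pre-RFC implementations for which support is limited.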