352-001 · Question #292
What should be taken into consideration when designing IPsec networks using Authentication Header (AH)?
The correct answer is A. NAT. IPsec Authentication Header (AH) authenticates the entire IP packet including the IP header, making it incompatible with NAT, which modifies the source IP address and breaks the integrity check.
Question
What should be taken into consideration when designing IPsec networks using Authentication Header (AH)?
Options
- ANAT
- Btransform set
- Ccrypto maps
- DISAKMP
How the community answered
(24 responses)- A92% (22)
- C4% (1)
- D4% (1)
Why each option
IPsec Authentication Header (AH) authenticates the entire IP packet including the IP header, making it incompatible with NAT, which modifies the source IP address and breaks the integrity check.
AH provides integrity and authentication by computing a hash over the entire IP packet, including immutable fields in the IP header such as source and destination addresses. Network Address Translation modifies the source IP address in transit, which invalidates the AH integrity check and causes the receiving peer to discard the packet. This fundamental incompatibility means NAT must be considered - and typically avoided or replaced with NAT-T using ESP - in any AH-based IPsec design.
Transform sets define which encryption and hashing algorithms are used in IPsec but are not a compatibility concern specific to AH.
Crypto maps are a configuration construct for applying IPsec policies and are not a design concern unique to AH.
ISAKMP governs IKE phase 1 key exchange and applies equally to both AH and ESP, so it is not a specific consideration for AH.
Concept tested: IPsec AH incompatibility with NAT
Source: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/6907-ah-nat.html
Topics
Community Discussion
No community discussion yet for this question.