Kuhtz, Christian wrote:
And there are workarounds for all those.

NAT-T for IPsec is really intended for end nodes only - which is fine if you are doing the NAT yourself (typical medium/large company scenario - internal users shouldn't be using IPsec, that is done at the gateway/firewall) but sucks if your cable or xDSL ISP decides NAT is the way to go. (Usually followed by a "well, you shouldn't need two or more nodes there/want to run a server/care about SIP, a business should pay for a DEDICATED link" for a little three-man sales office in the back end of nowhere.) But regardless, all the workarounds are doing is trying to patch the fact that UDP-dependent connections are not NAT-friendly by special-casing (or app-layer proxying) particular instances of UDP in a way that doesn't drop dead TOO often....